DETAILED ACTION
This Office Action is in response to the Amendment filed on 12/20/2021.
In the instant Amendment, no claims were amended; claims 1 and 10 are independent claims; claims 1-15 have been examined and are pending. THIS ACTION IS MADE FINAL. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
The 35 U.S.C. 112(b) was withdrawn as being indefinite for lack of antecedent basis as per amendment filed 12/20/2021. 
Applicant’s arguments in the instant Amendment, filed on 12/20/2021 with respect to the other limitations below, have been fully considered but they are not persuasive. 
Applicant argues on (page 2) that the Smith fails to explicitly disclose or suggest an additional layer of authentication regardless of and in addition to any security measures provided by the service provider, while the service provider is fully unaware of the authorized device (cellular telephone) an fully unaware of the authentication platform. Smith is fully aware of the authorized device and there is not a separate authentication platform and does not involve communication with an authentication platform. The secondary device does not log onto the 
The Examiner respectfully disagrees with the applicant’s arguments because applicant is arguing that Smith in view of Oberheide fail to explicitly disclose or suggest “an additional layer of authentication regardless of and in addition to any security measures provided by the service provider, while the service provider is fully unaware of the authorized device (cellular telephone) an fully unaware of the authentication platform” which is cited in applicant’s specification and not in the claims. 
Applicant argues on (page 2) that the Smith fails to explicitly disclose or suggest claim 1. In particular, Smith in view of Oberheide fail to explicitly disclose “receiving on the authentication platform a request for login credentials from a secondary device.”
The Examiner respectfully disagrees with the applicant’s arguments because Smith discloses using a user desktop with an application that requests login credentials from a server maintained by the service provider which was interpreted as the authentication platform. The service provider [authentication platform] receives a request for login credentials from a user desktop [secondary device] by an application (See Smith, [0025], [0033]-[0040], FIG 2, steps 202, 210, 214, 218). Oberheide which was used in combination to provide a system and method of notifying mobile devices to complete transactions after additional agent verification in the digital security field. Obeheide’s system and method register’s a device and performs additional agent verification using a numerical (See Oberheide, FIG 7, steps S110, S130, S145, S150; [0040], [0028], [0012], [0018], [0015], [0034] and [0002]). 
Applicant's arguments (Pages 2-3): Additionally, as to the dependent
claims 2, 5, 8, 12 and 14 the Applicant argues that the claims are dependent
directly or indirectly from a respective one of claims of independent claims 1 and 10 are therefore distinguished from the cited art at least by virtue OR allowable at
least based on of their additionally recited patentable subject matter.
The Examiner disagrees with the Applicants. Applicant’s
specification states in The Examiner disagrees with the Applicants. The
Examiner respectfully submits that the dependent claims 2, 5, 8, 12 and 14 are
rejected at least based on the rationale and response presented to the argument
for their respective base claims, and the reference applied to the claims 2, 5, 8, 12 and 14. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1, 3-4, 6-7, 9-11, 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al (“Smith,” US 20140157392) and further in view of Oberheide et al (“Oberheide,” US 20170068958)

Regarding claim 1, Smith discloses a method of authorizing transmission of confidential data between a secondary device and a service provider, comprising:
storing authentication credentials in the memory of the authorized device; (Smith, [0025] & [0033]-[0040] which describes the steps of FIG 2 and includes storing authentication credentials in the memory of the user smartphone [authorized device]; See 202, 214, and 218 FIG 2)
receiving on the authentication platform a request for login credentials from a secondary device; (Smith, 212, FIG 2 describes a user desktop with application that requests login credentials from 210, FIG 2 which is a server maintained by the service provider [authentication platform]; see [0033]-[0040] which describes the steps of FIG 2 including receiving on the server that is maintained by the service provider [authentication platform] a request for login credentials from a user desktop [secondary device] via an application)
Smith fails to explicitly disclose registering an authorized device having memory storage on an authentication platform; for at least one account; transmitting the request for credentials from the authentication platform to the authorized device;  prompting a user to respond via the authorized device to the request to authorize transmission of the credentials between the secondary device and the service provider; and transmitting the requested credentials from the authorized device to the secondary device when authorization is provided by the user via a user interface on the authorized device.
However, in an analogous art, Oberheide discloses registering an authorized device having memory storage on an authentication platform; (Oberheide, S110, FIG 7, register device, S145 perform additional agent verification; Confirm Tx, S150 then push TX message S130; [0040] describes agent verification uses a numerical password, biometric data, characteristic speech; [0028] describes credentials needed to perform additional agent verification)
for at least one account (Oberheide, [0012], registering an authority device for an account on an authentication platform)
transmitting the request for credentials from the authentication platform to the authorized device;  (Oberheide, FIG 7 describes transmitting from the authentication platform to the authentic user on his device; [0028] describes credentials needed to perform additional agent verification). 
prompting a user to respond via the authorized device to the request to authorize transmission of the credentials between the secondary device and the service provider; (Oberheide, [0018] describes a prompt; FIG 8 shows a prompt; [0015], after attempting to contact a primary authority device, the authentication platform may message a secondary authority device, the authentication platform may message a secondary authority device for authentication or authorization; [0028] & [0040] describes credentials needed to perform agent verification; [0034], an authentication platform (or service provider) may include an agent verification that mandates additional agent verification for security sensitive users (i.e. any user determined to need additional agent verification))
and transmitting the requested credentials from the authorized device to the secondary device when authorization is provided by the user via a user interface on the authorized device, (Oberheide, [0015], [0018], [0028] & [0040] describes sending the credentials from the authorized user’s device to the secondary device when authorization is provided by the user via SMS, email, instant message, in-app, QR code etc)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Oberheide with the method/system of Smith to include registering an authorized device having memory storage on an authentication platform; for at least one account; transmitting the request for credentials from the authentication platform to the authorized device;  prompting a 

Regarding claim 3, Smith and Oberheide disclose the method of claim 1. 
Oberheide further discloses wherein the request for credentials from the authentication platform to the authorized device is communicated via a push notification service, (Oberheide, [0013] & [0018] describes a request for remote access credentials from an authentication platform to a mobile device is communicated via a push alert). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Oberheide with the method/system of Smith to include [wherein the request for credentials from the authentication platform to the authorized device is communicated via a push notification service. One would have been motivated to provide a system and method of notifying mobile devices to complete transactions after additional agent verification in the digital security field (Oberheide, [0002]).

Regarding claim 4, Smith and Oberheide disclose the method of claim 1. 
see [0033]-[0040] which describes the steps of FIG 2 which includes wherein the request from the device is initiated by an application executed on the secondary device). 

Regarding claim 6, Smith and Oberheide disclose the method of claim 1. 
Oberheide further discloses wherein the authentication platform is a network accessible server (Oberheide, [0014] describes the authentication platform is an Internet accessible server where the Internet is a network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Oberheide with the method/system of Smith to include wherein the authentication platform is a network accessible server. One would have been motivated to provide a system and method of notifying mobile devices to complete transactions after additional agent verification in the digital security field (Oberheide, [0002]).

Regarding claim 7, Smith and Oberheide disclose the method of claim 1. 
Smith further discloses wherein the authorized device is a portable device capable of communicating with the authentication platform and/or the secondary device (Smith, 202 user smartphone [authorized device], 214 icon, FIG 2, see [0033]-[0040] which describes the steps of FIG 2 describes where the authorized device is a user smartphone as shown in 202, FIG 2 and is capable of communicating with 210, FIG 2 which is a server maintained by the service provider [authentication platform] and 204 which is the user desktop [secondary device] with application 212 as shown in FIG 2). 

Regarding claim 9, Smith and Oberheide disclose the method of claim 1. 
Smith further discloses transmissions of the requested credentials from the authorized device to the authentication platform and from the authentication platform to the secondary device are encrypted, (Smith, [0033]-[0040] describes transmissions and connections between the authorized device which is the smartphone 202 and the authentication platform which is the server maintained by the service provider in 210  and from the server maintained by the service provider [authentication platform] to the user desktop with application as shown in 204 and 212; [0033] describes transmissions of the requested credentials from the authorized device to the server and from the server to the secondary device and secure channels; [0025] describes communications between devices can be accomplished in whole or in part over an encrypted communications channel)

Regarding claim 10, Smith discloses a method of authorizing transmission of confidential data between a secondary device and a service provider, comprising:
storing login credentials for at least one account in the memory of the authorized device; (Smith, [0025] & [0033]-[0040] which describes the steps of FIG 2 and includes storing login credentials in the memory of the user smartphone [authorized device]; See 202, 214, and 218 FIG 2)
(Smith, 212, FIG 2 describes a user desktop with application that requests login credentials from 210, FIG 2 which is a server maintained by the service provider [authentication platform]; see [0033]-[0040] which describes the steps of FIG 2 including receiving on the server that is maintained by the service provider [authentication platform] a request for login credentials from a user desktop [secondary device] via an application)
Smith fails to explicitly disclose registering an authorized device having memory storage on an authentication platform; for at least one account; transmitting the request for credentials from the authentication platform to the authorized device; prompting a user to respond to the request to authorize transmission of the confidential data between the secondary device and the service provider; and transmitting the requested credentials from the memory on the authorized device to the secondary device when authorization is provided by the user via a user interface on the authorized device.
However, in an analogous art, Oberheide discloses registering an authorized device having memory storage on an authentication platform; (Oberheide, S110, FIG 7, register device, S145 perform additional agent verification; Confirm Tx, S150 then push TX message S130; [0040] describes agent verification uses a numerical password, biometric data, characteristic speech; [0028] describes credentials needed to perform additional agent verification)
for at least one account; (Oberheide, [0012], registering an authority device for an account on an authentication platform)
(Oberheide, FIG 7 describes transmitting from the authentication platform to the authentic user on his device; [0028] describes credentials needed to perform additional agent verification). 
prompting a user to respond to the request to authorize transmission of the confidential data between the secondary device and the service provider; (Oberheide, [0018] describes a prompt; FIG 8 shows a prompt; [0015], after attempting to contact a primary authority device, the authentication platform may message a secondary authority device, the authentication platform may message a secondary authority device for authentication or authorization; [0028] & [0040] describes credentials needed to perform agent verification; [0034], an authentication platform (or service provider) may include an agent verification that mandates additional agent verification for security sensitive users (i.e. any user determined to need additional agent verification))
and transmitting the requested credentials from the memory on the authorized device to the secondary device when authorization is provided by the user via a user interface on the authorized device (Oberheide, [0015], [0018], [0028] & [0040] describes sending the credentials from the authorized user’s device to the secondary device when authorization is provided by the user via SMS, email, instant message, in-app, QR code etc)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Oberheide with the method/system of Smith to include registering an authorized device having memory storage on an authentication platform; transmitting the request for credentials from the 

Regarding claim 11, Smith and Oberheide disclose the method of claim 10. 
Smith further discloses wherein communication of the requested credentials is facilitated by creating a direct connection token on the secondary device 
or receiving a direct connection token on the secondary device from the authentication platform, creating a direct connection token on the authorized device (Smith, [0031]-[0032] describes creating a token for direct connection on a server [authentication program and sending it to the secondary device)
or receiving a direct connection token on the authorized device from the authentication platform, 
and establishing a direct connection between the secondary device and the authorized device. (Smith, [0031]-[0032] describes establishing a direct connection between secondary device and the authorized device)



Regarding claim 13, Smith and Oberheide disclose the method of claim 10. 
Smith further discloses wherein the request for credentials from the authentication platform to the authorized device (Smith, [0033] describes the request for credentials from the service provider server [authentication platform] to the authorized device which is the user smartphone in 202, FIG 2)
Oberheide further discloses is communicated via a push notification service, (Oberheide, [0013], pushed based alert)
SMS, (Oberheide, [0018], SMS)
QR Code, (Oberheide, [0018], QR code)
audio communication, 
or direct connection.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Oberheide with the method/system of Smith to include is communicated via a push notification service, SMS, QR Code, audio communication, or direct connection. One would have been motivated to provide a system and method of notifying mobile devices to complete transactions after additional agent verification in the digital security field (Oberheide, [0002]).

Regarding claim 15, Smith and Oberheide disclose the method of claim 10. 
Smith further discloses wherein transmissions of the requested credentials from the authorized device to the authentication platform and from the authentication platform to the secondary device are encrypted, (Smith, [0033] describes transmissions of the requested credentials from the authorized device to the server and from the server to the secondary device; [0025] describes communications between devices can be accomplished in whole or in part over an encrypted communications channel; [0033], secure channels)

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al (“Smith,” US 20140157392) in view of Oberheide et al (“Oberheide,” US 20170068958) and further in view of Tunnell (“Tunnell,” US 20160379220)

Regarding claim 2, Smith and Oberheide disclose the method of claim 1. 
Smith and Oberheide fail to explicitly disclose wherein the authentication credentials comprise one or more unique identifiers.
However, in an analogous art, Tunnell discloses wherein the authentication credentials comprise one or more unique identifiers, (Tunnel, [0057] describes user authentication occurs within most human-to-computer interactions by user entry of identification characters, numbers and/or symbols followed by entry of a unique password comprising a second set of characters, numbers and/or symbols called authentication credentials herein)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tunnell with the method/system of Smith and Oberheide to include wherein the authentication credentials comprise one or more unique identifiers. One would have been motivated to provide improved authentication techniques prior to information transfer, storage, 

Regarding claim 12, Smith and Oberheide disclose the method of claim 10. 
Smith and Oberheide fail to explicitly disclose wherein the login credentials comprise a unique identifier associated with an account.
However, in an analogous art, Tunnel discloses wherein the login credentials comprise a unique identifier associated with an account (Tunnel, [0057] describes user authentication occurs within most human-to-computer interactions by user entry of identification characters, numbers and/or symbols followed by entry of a unique password comprising a second set of characters, numbers and/or symbols called authentication credentials herein; [0058] describes login credentials; [0098] describes an account)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tunnell with the method/system of Smith and Oberheide to include wherein the authentication credentials comprise one or more unique identifiers. One would have been motivated to provide improved authentication techniques prior to information transfer, storage, backup and retrieval using multiple instances of authentication shared across multiple devices (Tunnell, [0002]). 

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Smith et al (“Smith,” US 20140157392) in view of Oberheide et al (“Oberheide,” US 20170068958) and further in view of Streit et al (“Streit,” US 20200004939)

Regarding claim 8, Smith and Oberheide disclose the method of claim 1. 
Smith and Oberheide fail to explicitly disclose wherein the account is a service or website that requires authentication for access or elevated permissions.
However, in an analogous art, Streit discloses wherein the account is a service or website that requires authentication for access or elevated permissions, (Streit, [0032], remote computing device can be associated with an enterprise organization that maintains user accounts and requires authentication of account holders prior to granting access to secure networked environments (for example secure websites)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Streit with the method/system of Oberheide and Oberheide to include wherein the account is a service or website that requires authentication for access or elevated permissions.. One would have been motivated to provide a method of authorizing access to access-controlled environments (Streit, [0003]). 



Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over (“Smith,” US 20140157392) in view of Oberheide et al (“Oberheide,” US 20170068958) and further in view of Reisgies et al (“Reisfies,” US 20120159612). 

Regarding claim 5, Smith and Oberheide disclose the method of claim 1. 
Smith and Oberhede fail to explicitly disclose wherein the development, editing and management of the authentication credentials stored on the memory of the authorized device is performed by a software application operating on the authorized device. 
However, in an analogous art, Reisgies discloses wherein the development, editing and management of the authentication credentials stored on the memory of the authorized device is performed by a software application operating on the authorized device (Reisgies, FIG 4G allows the development and editing of a password; [0043], credential management; [0030], password manager application; [0019], software; FIG 4F shows a password keeper software application on the mobile phone that allows the user to add new account, login and password; FIG 4G allows the user to generate passwords; [0008] describes a system for storing one or more passwords on a portable communication device having a secured element and user interface)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Reisgies with the method/system of Smith and Oberheide to include wherein the development, editing and management of the authentication credentials stored on the memory of the authorized device is performed by a software application operating on the authorized 

Regarding claim 14, Smith and Oberheide disclose the method of claim 10. 
Smith and Oberheide fail to explicitly disclose wherein the development, editing and management of the authentication credentials stored on the memory of the authorized device is performed by a software application operating on the authorized device.
However, in an analogous art, Reisgies discloses wherein the development, editing and management of the authentication credentials stored on the memory of the authorized device is performed by a software application operating on the authorized device (Reisgies, FIG 4G allows the development and editing of a password; [0043], credential management; [0030], password manager application; [0019], software; FIG 4F shows a password keeper software application on the mobile phone that allows the user to add new account, login and password; FIG 4G allows the user to generate passwords; [0008] describes a system for storing one or more passwords on a portable communication device having a secured element and user interface)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Reisgies with the method/system of Smith and Oberheide to include wherein the development, editing and management of the authentication credentials stored on the memory of the authorized device is performed by a software application operating on the authorized . 

                                                                                                                                Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/Examiner, Art Unit 2439    


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439