DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the communication filed on 05/08/2020.
Claims 1-3 are pending for consideration.

Priority
Should applicant desire to obtain the benefit of foreign priority under 35 U.S.C. 119(a)-(d) prior to declaration of an interference, a certified English translation of the foreign application must be submitted in reply to this action.  37 CFR 41.154(b) and 41.202(e).
Failure to provide a certified translation may result in no benefit being accorded for the non-English application.

Drawings
The drawings in Figures 1-3 are objected to under 37 CFR 1.83(a) because they fail to show text labels for each element in the drawing as described in the specification.  An ordinary skilled in the art should be able to look at the drawing and have reasonable level of understanding without undue diligent of looking up every element in the drawings in the specification to understand the drawings.  Any structural detail that is essential for a proper understanding of the disclosed invention should be shown in the drawing. MPEP § 608.02(d). Corrected drawing sheets in compliance with 37 CFR 
In addition to Replacement Sheets containing the corrected drawing figure(s), applicant is required to submit a marked-up copy of each Replacement Sheet including annotations indicating the changes made to the previous version.  The marked-up copy must be clearly labeled as “Annotated Sheets” and must be presented in the amendment or remarks section that explains the change(s) to the drawings.  See 37 CFR 1.121(d)(1).  Failure to timely submit the proposed drawing and marked-up copy will result in the abandonment of the application.
Claim Rejections - 35 USC § 112

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-3 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
	Regarding claim 1, on lines 23-25 of claim 1, the claim recites “sending the challenge message, by the authentication server, to the notification server, wherein the authentication server receives in response a challenge token”.  The notification server is not being involved per the specification/drawing but the claim requires the notification server’s involvement for the response message to authentication server.  It is not clear if the “challenge token” is sent in the response to the “challenge message” from the notification server or from the proxy authentication server. Line 28 of claim 1 also recite 

	Regarding claims 2-3, the claims are rejected for the same reasons as that of claim 1.
	For the purpose of prior art examination, the limitations are interpreted as best understood.
Appropriate corrections are required.
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-3 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
	Regarding claim 1, the claim recites the following limitations that are indefinite since they do not clearly define the metes and bounds of the claimed limitations:
Line 4, the claim recites “an identifier of the user on the authentication server”.  It is unclear what this identifier is used for since this identifier is not being recited again anywhere.
Limitation on line 7 of claim 1 “it” is unclear as to what it refers to.
Limitation on line 7 of claim 1 “his” is unclear what it refers to.
Line 9, the claim recites “the private key”.  There is a lack of antecedent basis since “private key” was not recited before.
Lines 23-25 of claim 1, the claim recites “sending the challenge message, by the authentication server, to the notification server, wherein the authentication server receives in response a challenge token”.  The notification server is not being involved per the specification/drawing but the claim requires the notification server’s involvement for the response message to authentication server.  It is not clear if the “challenge token” is sent in the response to the “challenge message” from the notification server or from the proxy authentication server. Line 28 of claim 1 also recite “a challenge token”.  It is not clear if the “challenge token” in line 28 and line 25 of claim 1 is the same or not.  For the purpose of prior examination, the Examiner interprets the two challenge tokens mentioned above are the same and that the challenge token is sent to the authentication server from the proxy authentication server.
Limitation on line 27 of claim 1 “a challenge message”, it is not clear if it referring to the challenge message recited on lines 19-20 or a different challenge message.
Limitation on line 46 of claim 1 “a challenge message”, it is not clear if it is referring to the challenge message recited on lines 19-20 or a different challenge message.
There is a lack of antecedent bases for limitation “the encrypted random variable” on line 45.
Limitation on line 47 of claim 1 “…found thanks to the content of …” is unclear what “thanks” means to a person of ordinary skill in the art.
On line 52, the claim recites “the decryption of the random variable”.  There is a lack of antecedent basis for “the decryption” since decryption was not mentioned before.
On the last two lines of claim 1 limitation “the random variable produced” has no antecedent basis.
	Regarding claim 2, the claim recites the following limitations that are indefinite since they do not clearly define the metes and bounds of the claimed limitations:
On lines 2, 17, 49, 67-68 of claim 2, the claim recites limitation “the proxy server”.  There is a lack of precedent basis for this limitation.  It is not clear if “the proxy server” refers to “the proxy authentication server” recited in line 5 of the parent claim 1 or it refers to something else.
On line 8, the claim recites “the user uses the secure terminal to authenticate himself”.  It is unclear what the user authenticate himself to.  It is not clear if the user logins to a terminal that is locked, or if the user authenticate himself to the authentication server or something else.
On line 12 of claim 2, the claim recites “a dual key”.  It is unclear if this dual key is the same as that dual key recited in the independent claim 1, line 6.
On line 22 of claim 2, the claim recites “sending the initiated enrollment message in response to the enrollment initiation message”.  It is unclear where the “initiated enrollment message” is sent to.
On line 25 of claim 2, the claim recites “an enrollment initiation message”.  It is unclear if “an enrollment initiation message” is the same as the limitation “an initiated enrollment message” recited in line 19 of claim 2.
On lines 30 of claim 2, the claim recites “sending the enrollment acceptance message in response to the enrollment request message”.  It is unclear where the enrollment acceptance message is sent to.
On lines 32-33 of claim 2, the claim recites a limitation “an enrollment acceptance message”.  It is not clear if this limitation is the same as that of the limitation “an enrollment acceptance message” on line 26 of claim 2.
On line 35 of claim 2, the claim recites “the message received”.  It is unclear what “the message received” means.  Is it the same as the limitation “an enrollment acceptance message” in line 33 of claim 2 of is it referring to something else?
On line 41 of claim 2, the claim recites a limitation “the private key”.  There is a lack of antecedent basis for the limitation because it was not recited before.
On line 42 of claim 2, the claim recites a limitation “the identifier of the user on the notification server”.  It is not clear the limitation “the identifier of the user on the notification server” refers to the limitation “the user identifier on the notification server” on lines 2-3 of claim 2 or it refers to limitation “the identifier of the user on the notification server” on line 31 of the independent claim 1.  
On line 46 of claim 2, the claim recites a limitation “the identifier on the notification server”.  It is unclear if the limitation refers to the same limitation “the identifier of the user on the notification server” recited on line 42 of claim 2 or “the user identifier on the notification server” on line 7 of claim 2.
On line 59 of claim 2, the claim recites “sending the finalized enrollment message in response to the message of finalization of registration”.  It is unclear where the finalized enrollment message is sent to.
On line 60 of claim 2, the claim recites a limitation “the message of finalization of registration”.  There is a lack of antecedent basis for the limitation since “message of finalization of registration” was not recited before. Is it referring to “finalized enrollment message” on line 55 of the claim or “enrollment finalization message” on line 43, or is it referring to something else?
On lines 64-65 of claim 2, the claim recites a limitation “a finalized enrollment message”.  It is not clear if the limitation refers to the same 
	For the purpose of prior art examination, the limitations are interpreted as best understood.

Regarding claim 3, it is dependent on claim 1 and the claim is rejected for the same reasons as that of claim 1.

Appropriate corrections are required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Rosati et al. (US 20130046976 A1, hereinafter Rosati) in view of Leicher et al. (US 20110067095 A1, hereinafter Leicher) and further in view of Hito et al. (US 20110219427 A1, hereinafter Hito).
	Regarding claim 1, Rosati teaches a method for authenticating a user with an authentication server wherein the authentication server comprises:
a memory zone for storing a registration associating (Rosati ¶35, the authentication server 12 including a public key store 44 for storing a public key Ai associated with each user registered to access the private network):		an identifier of the user on the authentication server (Rosati ¶35, the authentication server 12 also includes a public key store 44 for storing a public key Ai associated with each user);
		an identifier of the user on a proxy authentication server (¶36, the challenge may be sent using an email, short message service (SMS) message, peer-to-peer (P2P) message (e.g. PIN-based message) or any other form of communication;  fig. 8 elements 100, send challenge to VPN client; [Examiner remark: the email address of the user corresponds to the identifier of the user on the proxy authentication server; the email server corresponds to identifier of the user on the proxy authentication server]);
		a public key of a dual key (¶24, private/public key pair (a, A), authentication server 12 is also provisioned by the CA 16 to have a copy of the public key A associated with each mobile device 10 registered to access the private network; see also ¶35);	the method making it possible to authenticate the user having at his disposal a calculator comprising (¶24, The mobile device 10):		a memory zone for storing the private key of the dual key (¶24, The mobile device 10 is provisioned with a private/public key pair (a, A), fig. 3 element 22);
		a memory zone for storing an identifier of the user on a notification server (¶36, the challenge may be sent using an email; [Examiner remark: the email ;		a memory zone for storing an identifier of the user on the proxy authentication server (¶36, the challenge may be sent using an email, short message service (SMS) message, peer-to-peer (P2P) message (e.g. PIN-based message) or any other form of communication;  fig. 8 elements 100, send challenge to VPN client; [Examiner remark: the email address of the user corresponds to the identifier of the user on the proxy authentication server; the email server corresponds to the notification server]);	the authentication taking place through the proxy authentication server comprising (fig. 8, element 6, VPN gateway, elements 100, 114, 124 and 126): 		a memory zone for storing a registration associating (¶36, the challenge may be sent using an email; fig. 8 element 100, send challenge to VPN client; element 108, element 112 send response to VPN gateway):		the identifier of the user on the proxy authentication server (¶36 the challenge may be sent using an email; see fig. 8, element 100 where the VPN Gateway sends the challenge message; [Examiner remark: the email recipient address, which is used to identify the user on the receiving end of the challenge message corresponds to the identifier]); 		the identifier of the user on the notification server (¶36, the challenge may be sent using an email, short message service (SMS) message, peer-to-peer (P2P) message (e.g. PIN-based message) or any other form of communication;  fig. 8 elements 100, send challenge to VPN client; [Examiner remark: the email address of ;	the method comprising:		producing, by the authentication server (¶27 authentication server 12), a challenge message comprising (¶27, initiates a challenge/response protocol and sends a cryptographic challenge; see also fig. 7-8):			a random variable ([Examiner remark: the encryption of a random variable with the public key is disclosed by Leicher below];  ¶27, the challenge may be a random number; see also ¶35; see also fig. 7-8); 			the identifier of the user on the proxy authentication server (¶36 the challenge may be sent using an email; see fig. 8, element 100; [Examiner remark: the email address, which is used to identify the user on the receiving end of the challenge message corresponds to the identifier]); 	sending the challenge message, by the authentication server, to the notification server (¶36 the challenge may be sent using an email; see fig. 8, elements 98, 100 and 102; [Examiner remark: the email server associating with the email recipient address corresponds to the notification server]);	producing, by the proxy authentication server upon receipt of a challenge message (fig. 8, element 6, VPN gateway, elements 98 and 100):			a challenge token associated with the challenge message (¶27, the challenge may be a random number; see also ¶35; see also fig. 8, element 98, 100 send challenge to VPN client and element 102; [Examiner remark: the VPN gateway 6 sends the random number to the VPN client]);			a notification message comprising (¶36 the challenge may be sent using an email):				the identifier of the user on the notification server (¶36 the challenge may be sent using an email; [Examiner remark: the recipient email address corresponds to the identifier of the user on the notification server; the email server receiving the email corresponds to the notification server]);				a notification token (¶27, the challenge may be a random number), produced by the proxy authentication server (fig. 8, element 6, VPN gateway, elements 98 and 100), the notification token being associated, on the proxy authentication server, with the challenge message (¶27, the challenge may be a random number;  see also ¶35; see also fig. 8, elements 98, 100 and 102; [Examiner remark: the VPN gateway 6 sends the random number to the VPN client]);	sending the notification message, by the proxy authentication server, to the notification server (¶36 the challenge may be sent using an email; see also fig. 8; [Examiner remark: the recipient email address corresponds to the identifier of the user on the notification server; the email server receiving the email corresponds to the notification server]);	delivering the notification message by the notification server (see fig. 8 element 104, receive challenge; ¶36 the challenge may be sent using an email; [Examiner remark: the email server associating with the email address corresponds to the notification server]);	producing by the calculator, upon receipt of the notification message, a challenge accepted message (¶36, the challenge may be sent using an email, short selecting a link or option in the message, the UI 50 shown in FIG. 6 is displayed; see also fig. 8), the challenge accepted message comprising (fig. 8 element 108, generate response using challenge private key and PIN);		the notification token ([0028] To respond to the challenge received from the authentication server 12, … to sign the challenge, and returns a response at stage 6, the response including the signed challenge; see also fig. 8; [Examiner remark: the challenge includes the notification token.  As a result, the signed challenge is interpreted as having the notification token]);	sending, by the calculator, the challenge accepted message to the proxy authentication server (¶36, selecting a link or option in the message; ¶41, response is then sent at 110 to the VPN client 20 on the computing device 4 to have the VPN client 20 send the response to the VPN gateway 6 at 112. The VPN gateway 6 then sends the response to the authentication server 12 at 114; see also fig. 8);	producing by the proxy authentication server (¶40, The authentication server 12 then sends the challenge to the VPN gateway 6 at 98 to have the VPN gateway 6 send the challenge to the VPN client 20 on the computing device 4 at 100, see also fig. 8 elements 98, 100, 102 and 104), a challenge message comprising (Rosati ¶40, the VPN gateway 6 send the challenge to the VPN client 20 on the computing device 4 at 100):		the ([Examiner note: the encryption of the random variable ; 	sending (¶40 the VPN gateway 6 send the challenge to the VPN client 20 on the computing device 4), by the proxy authentication server (¶40 the VPN gateway 6), the challenge message to the calculator (¶40, The authentication server 12 then sends the challenge to the VPN gateway 6 at 98 to have the VPN gateway 6 send the challenge to the VPN client 20 on the computing device 4; see also fig. 8);	producing by the calculator, upon receipt of the challenge message (¶40, the mobile device 10 receives the challenge at 104; see also fig. 7-8), of a response message comprising:		the result of the  ([Examiner note: the decryption of the encrypted random variable is discussed below by Leicher]; ¶41, generate a response at 108 using the challenge, the private key, the response may include a signature on the challenge, wherein the challenge is signed using the private key a and the PIN 30 and may include additional information such as a timestamp; see also fig. 8);	sending, by the calculator, the response message to the proxy authentication server (¶40, The response is then sent at 110 to the VPN client 20 on the computing device 4 to have the VPN client 20 send the response to the VPN gateway 6 at 112. The VPN gateway 6 then sends the response to the authentication server 12 at 114; see also fig. 7-8);	comparing by the authentication server of the content of the response message with the random variable produced to determine the result of the authentication (¶41, the response is verified at 118 by the cryptographic module 42 on the authentication server 12. For example, the signature on the challenge may be verified using a verification scheme that is complementary to the signing scheme used by the cryptographic module 18 on the mobile device 10; see also fig. 7-8).	Although Rosati teaches the aforementioned limitations of the claimed invention as disclosed above, Rosati discloses the process is performed using one round trip (Rosati fig. 8, element 102 send challenge, and element 116 receive response,

    PNG
    media_image1.png
    539
    770
    media_image1.png
    Greyscale
), Rosati does not explicitly disclose the process is carried out in two round trips as claimed, which comprises:	a challenge message comprising a random variable encrypted with the public key;producing by the proxy authentication serve, a challenge message comprising the encrypted random variable found thanks to the content of the challenge accepted message; 	producing by the calculator, upon receipt of the challenge message, of a response message comprising:		the result of the decryption of the random variable encrypted by the use of the private key. 	On the other hand, Leicher teaches authentication process using two round trips process (Leicher fig. 3,

    PNG
    media_image2.png
    536
    712
    media_image2.png
    Greyscale
;
Leicher fig. 3A element 310 corresponds to the proxy authentication server, sending a challenge in message 327; Leicher [0030] The TicketServer 305 runs as a service application on the client; The ticket server element 305 corresponds to the calculator provided a challenge accepted message 329.  The Ticket challenger sends a nonce in element 339, and the ticket server 305 responds in element 351);	producing, by the authentication server (Leicher ¶43, the identity provider encrypts the cookie), a challenge message comprising (Leicher ¶43, encrypts the cookie using a secret key and sends it to the TicketServer on the client side, protected by the public CSK, user may decrypt it and use it as an authentication token):		a random variable encrypted with the public key (Leicher ¶43, encrypts the cookie using a secret key and sends it to the TicketServer on the client side, producing by the calculator, upon receipt of the challenge message (Leicher ¶43, user may decrypt it and use it as an authentication token; ¶34 FIGS. 3(a) and (b) represent the inner operations of the TTVerifier Thread 258 in Leicher FIG. 2; ¶27, the provider.jsp webpage 245 which waits for the TTverifier 258 to finish and evaluate the result of the challenge provided in challenge answer message 254, TicketServer 250 uses TPM functionality to generate the appropriate answer including a ticket; for more information about the ticket, see also ¶18, ¶19, ¶49-¶53 of Leicher ), of a response message comprising:		the result of the decryption of the random variable encrypted by the use of the private key (Leicher ¶43, user may decrypt it and use it as an authentication token, the secret key which is used to encrypt the cookie. The secret key may be a symmetric or asymmetric key; Leicher ¶44, the cookie may then be decrypted when needed the decryption requires the user to authenticate for the CSK usage with the (local) CSK secret; Rosati ¶40, The response is then sent at 110 to the VPN client 20 on the computing device 4 to have the VPN client 20 send the response to the VPN gateway 6 at 112; Rosati ¶41, generate a response at 108 using the challenge, the private key; [Examiner note: Leicher disclose to decrypt the cookie when needed, Rosati teaches the challenge is sent back as a result, where the challenge is signed.  The challenge is a random number and encrypted in view of Leicher and Rosati (see discussion above).  The combination of Rosati in view of Leicher teaches the decryption of the encrypted random and provided back as a response]) 
the authentication server receives in response a challenge token;		the identifier of the user on the proxy authentication server;		the identifier of the user on the notification server 	associating by the proxy authentication server, upon receipt of the response message, the result of the decryption and of the challenge token;	interrogating by the authentication server of the proxy authentication server to obtain the content of the response message associated with the challenge token.	On the other hand, Hito teaches:	the authentication server receives in response a challenge token (Hito [0077] Async Model: The client will get the unique request ID, which it can use to poll the server application for the status of the pending request [Examiner remark, Hito teaches the client can use Async model or Sync model (see ¶78 of Hito).  With Async model, the client gets the unique request ID to poll for the status of a request.  As a result, a person of ordinary skill in the art can apply this teaching with the combination of Rosati in view of Leicher to result in authentication server by Kolb gets the request ID taught by Hito from the proxy authentication server to poll for the status of the authentication request]);	producing by the calculator, upon receipt of the notification message (Hito [0043] Once the authentication request is generated, the user will start the application on his mobile device and use device authentication 415 protocol to verify his/her identity with the authentication provider), a challenge accepted message (Hito [0046] The application will compose the string "DID| UN|AC"; Hito [0127] Instead of the Internet connections shown other communication channels or some combination thereof may be employed. For example, SMS, email; [Examiner note: the mobile device response email :		the identifier of the user on the proxy authentication server (Hito [0127] Instead of the Internet connections shown other communication channels or some combination thereof may be employed. For example, SMS, email, or the like may be employed for one or more of the connections; [Examiner remark: when using email for responding to the challenge, the recipient email address corresponds to the identifier of the user on the proxy authentication server. Hito also teaches the response including several other user identifier on the proxy authentication server, the “UN” or user name field is used in ¶73 by the authentication provider to locate public key in the database, the “DID” or device ID is used in ¶73 by the authentication provider to verify the device]);		the identifier of the user on the notification server (Hito [0127] Instead of the Internet connections shown other communication channels or some combination thereof may be employed. For example, SMS, email, or the like may be employed for one or more of the connections; [Examiner remark: when using email for responding to the challenge, the response message sender email address corresponds to the identifier of the user on the notification server]);	associating by the proxy authentication server, upon receipt of the response message, the result of the decryption and of the challenge token (Hito [0076] Once the verification process 420 has been completed, the authentication process will send the status of the request to the client to provide notification of success or failure 425; [Examiner remark: Rosati in view of Leicher teaches the receiving of ;	interrogating by the authentication server of the proxy authentication server to obtain the content of the response message associated with the challenge token (Hito [0077] Async Model: The client will get the unique request ID, which it can use to poll the server application for the status of the pending request [Examiner remark, Hito teaches the client can use Async model or Sync model (see ¶78 of Hito).  With Async model, the client get the unique request ID to poll for the status of a request.  As a result, a person of ordinary skill in the art can apply this teaching with the combination of Rosati in view of Leicher to result in the authentication server disclosed by Kolb in Fig. 8 of Kolb element 98 receiving the request ID taught by Hito to poll for the response versus waiting for the response message in Fig. 8 of Kolb, going from element 114 to element 116]).
	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Hito, which teaches authentication system which teaches an authentication system with challenge and response using either async or sync method for retrieving authentication status into the teaching of Rosati in view of Leicher to result in the claimed invention.
.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Rosati in view of Leicher and Hito and further in view of Oberheide et al. (US 20150304110 A1, hereinafter Oberheide) and Gubbi (US 9119076 B1, hereinafter Gubbi) .	Regarding claim 2, Rosati in view of Leicher and Hito teaches the method according to claim 1 (see discussion above), wherein the dual key (Rosati ¶24 mobile device 10 is provisioned with a private/public key pair), the user identifier on the proxy server (Rosati ¶38, challenge is signed using the private key a and the PIN 30, ¶41 generate a response at 108 using the challenge, the private key a, and the PIN , response is received by the authentication server 12 at 116, and the response is verified), the user identifier on the notification server are produced during an enrollment of the calculator (Rosati ¶36, the challenge may be sent using an email; [Examiner remark: the recipient email address of the email corresponds to the user identifier on the notification server]), said enrollment taking place as follows, the user having at his disposal the calculator (Rosati [0041] The mobile device) and a secure terminal connected to the authentication server (Rosati ¶35, registered to access the private network 2 using a VPN client 20):the user registers himself, with the calculator, on the notification server and obtains the user identifier on the notification server (Rosati ¶36, the challenge may be sent using an email; [Examiner remark: the recipient email address corresponds to the user identifier on the notification server, the email address’ server corresponds to the notification server]);	Rosati in view of Leicher and Hito does explicitly disclose all of the following limitations.	However Oberheide teaches:	the user uses the ([Examiner remark, the crossed over text is disclosed by Gubbi below]; Oberheide ¶53, the primary device 130 provides an enrollment request to the service provider 120);	producing, by the authentication server upon receipt of an enrollment request message (Oberheide fig. 7, Authentication service 110), of the following elements:		a dual key associated with the user (Oberheide Fig. 9A, S920; Oberheide ¶77 the service provider 120 generates a key pair that includes the public key and the private key; see also ¶61; [Examiner remark: S910 of fig. 9  follows step S760 of fig. 7]);		an enrollment initiation message sent to the proxy authentication server (Oberheide ¶53, the service provider 120 provides an enrollment request to the authentication service 110, fig. 7 element S720);	implementing, by the proxy authentication server upon receipt of an enrollment initiation message (Oberheide fig. 7, Authentication service 110, S730; ¶54  responsive to the enrollment request at the process S720), of the following actions:		creating a registration associating (Oberheide ¶54, The activation code is associated with the enrollment request):			a user identifier on the proxy server (Oberheide ¶53 The enrollment request provided by the service provider 120 specifies the user identifier);			an enrollment token (Oberheide ¶54 an activation code);		producing of an initiated enrollment message comprising (Oberheide ¶54, the authentication service provides an activation code to the service provider 120):			the user identifier on the proxy server (Oberheide ¶75, the authentication service provides the synchronization request to the service provider 120 along with the user identifier corresponding to the activation code of the process S750 of FIG. 7; [Examiner remark: Oberheide discloses the user id can also be provided to the service provider corresponding to the activation code, which is also disclosed in ¶54 by Oberheide to provide the activation code to the service provider.  As a result, it would be obvious to an ordinary skilled to implement one way or another according to the teaching of Oberheide to send the user identifier along with the activation code, or send it later]);			the enrollment token (Oberheide ¶54 an activation code);		sending the initiated enrollment message in response to the enrollment initiation message (Oberheide ¶54, the authentication service provides an activation code to the service provider 120);implementing, by the authentication server upon receipt of an enrollment initiation message, of the following actions (Oberheide Fig. 7, Service provider 120, S740 after S730):		producing of an enrollment acceptance message comprising (Oberheide Fig. 7, S740; ¶55, the service provider 120 provides the activation code to the primary device 130):			at least the private key of the dual key (Oberheide [0079] At the process S940, the service provider 120 provides the private key to the authentication device 140; see also ¶61);			the enrollment token (Oberheide Fig. 7, S740; ¶55, the service provider 120 provides the activation code to the primary device 130);		sending the enrollment acceptance message in response to the enrollment request message (Oberheide Fig. 7, S740; ¶55, the service provider 120 provides the activation code to the primary device 130);	implementing by the ([Examiner remark, the crossed over text is disclosed by Gubbi below]; Oberheide ¶55, At the process S740, the service provider 120 provides the activation code to the primary device 130, the primary device displays the activation code):		displaying, on a screen of the secure terminal, the content of the message received (Oberheide ¶55, the primary device displays the activation code);	acquiring, by the calculator, data displayed on the screen of the secure terminal (Oberheide ¶55, the authentication device 140 obtains the activation code by implementing, by the calculator further to the acquisition of the data (Oberheide fig. 7 Auth Device 140), of the following actions (Oberheide fig. 7, S750; ¶57, At the process S750, the authentication device has received the activation code, and provides an activation request to the authentication service 110):		creating a registration associating (Oberheide fig. 9A, S950, store private key; Oberheide [0080] At process S950, the authentication device 140 stores the private key received from the service provider 120. In some implementations, the authentication device stores the private key received from the service provider 120 in association with the user identifier of the enrollment request provided to the authentication service 110 at the process S720 of FIG. 7of Oberheide):			at least the private key of the dual key (Oberheide ¶80, stores the private key in association with the user identifier of the enrollment request; see also ¶61);			the identifier of the user on the notification server 	(Oberheide ¶29 an email address or username may be used as a user identifier within the authentication service and the service provider; Oberheide ¶80, stores the private key in association with the user identifier of the enrollment request).	
		producing an enrollment finalization message comprising (Oberheide Fig. 7, Activate S750, Activation code, Oberheide ¶57, provides an activation request to the authentication service 110):			the enrollment token (Oberheide ¶57. the activation request specifies the activation code and address information of the authentication device 140);			the identifier on the notification server (Oberheide ¶29, an email address or username may be used as a user identifier within the authentication service and the service provider, registering additionally includes providing communication addressing such as a phone number; ¶31 The authentication request can alternatively be sent in an SMS message, MMS message, email, in-app messaging protocol, or any suitable communication channel ¶57, address information of the authentication device; [Examiner note: Oberheide discloses the communication address, and further discloses email as communication channel.  Oberheide further teaches sending address information; As a result, Oberheide teaches an email address corresponds to the identifier on the notification server]);		sending the enrollment finalization message to the proxy authentication server (Oberheide Fig. 7, Activate S750, Activation code, Oberheide ¶57, provides an activation request to the authentication service 110);	implementing, by the proxy server following the receipt of an enrollment finalization message (Oberheide fig. 7 Authentication service 110, Generate enrollment record S760), of the following actions:		when a registration corresponds to the enrollment token of the finalization message then (Oberheide ¶58, At the process S760, responsive to the activation request of the process S750, the authentication service generates an enrollment record, the authentication service determines that the activation code received from the authentication device 140 at the process S150 matches the activation :			associating the identifier on the notification server with the corresponding registration (Oberheide ¶59, associates the address information received at the process S150 with the user identifier and the service provider account information corresponding to the activation code);	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Oberheide, which teaches a system enabling registration of subscribers into the teaching of Rosati in view of Leicher, Hito to result in the aforementioned limitations of the claimed invention.	One of ordinary skilled would be motivated to do so as incorporating Oberheide‘s teaching would provide a convenient mechanism for authentication/authorization to a service provider while preserving security considerations such as integrity, confidentiality, and optionally availability (see Oberheide ¶18). In addition, both of the references (Oberheide and Rosati in view of Leicher, Hito) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, authentication and registration. This close relation between both of the references highly suggests an expectation of success when combined.	Rosati in view of Leicher, Hito and Oberheide does not explicitly disclose:	the user uses the secure terminal to authenticate himself and to send an enrollment request message to the authentication server;	producing a finalized enrollment message comprising:		the identifier on the proxy authentication server of the corresponding registration;	sending the finalized enrollment message in response to the message of finalization of registration;	implementing, by the calculator upon receipt of a finalized enrollment message, of the following actions:		associating with the registration corresponding to the message of finalization of the registration of the identifier on the proxy server	deleting the enrollment token.	On the other hand, Gubbi teaches:	the user uses the secure terminal to authenticate himself and to send an enrollment request message to the authentication server (Gubbi col. 3 lines 35-67, the user will confirm that he has access to the website by logging in. The user may enter a user name or corporate ID number, as well as a password that has previously been registered with the secure network service. For example, the user may be required to enter the same information used to access the corporate email server or network storage. In block 205, the secure network service will authenticate the user by confirming the entered user name and password. The secure network service will confirm whether the user is authorized to register his mobile communication device with the secure network service in block 207);	producing a finalized enrollment message comprising (Gubbi col. 4 lines 4-12, in block 215, the user may receive a notification, email or SMS confirming successful registration; Gubbi fig. 2
    PNG
    media_image3.png
    799
    361
    media_image3.png
    Greyscale
):		the identifier on the proxy authentication server of the corresponding registration (Gubbi col. 4, lines 4-12, the recipient email address or SMS phone number correspond to the identifier);	sending the finalized enrollment message in response to the message of finalization of registration (Gubbi col. 4 lines 4-12, in block 215, the user may receive a notification, email or SMS confirming successful registration);	implementing, by the calculator upon receipt of a finalized enrollment message, of the following actions (Gubbi col. 4 lines 4-12, the user submits this information to the secure network service in block 213, in block 215, the user may receive a notification, email or SMS confirming successful registration):		associating with the registration corresponding to the message of finalization of the registration of the identifier on the proxy server (Gubbi col. 4 lines 4-12, the user submits this information to the secure network service in block 213, in block 215, the user may receive a notification, email or SMS confirming successful registration);	deleting the enrollment token (Gubbi Abstract, The server provides a OTP when the user calls or sends a SMS message request from the authorized mobile phone to the server. Once a OTP is provided to the authorized mobile phone, the OTP will also be discarded once the server is notified that the OTP has been used; Oberheide Fig. 7, S740; ¶55, the service provider 120 provides the activation code to the primary device 130; [Examiner remark: an ordinary skilled in the art would find it obvious to use Gubbi teaching to of discarding the activation code disclosed by Oberheide after the registration is complete]).	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Gubbi, which teaches device registration with final confirmation message and discarding of OTP once it is used into the teaching of Rosati in view of Leicher, Hito and Oberheide to result in the limitations of the claimed invention.	One of ordinary skilled would be motivated to do so as incorporating Gubbi teaching would help ensure a secure environment and improve usability. In addition, both of the references (Gubbi and Rosati in view of Leicher, Hito and Oberheide) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, user and device registration. This close relation between both of the .
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Rosati in view of Leicher and Hito and further in view of Benayed (US 20180343246 A1, hereinafter Benayed). 	Regarding claim 3, Rosati in view of Leicher and Hito teaches the method according to claim 1 (see discussion above).	The combination of Rosati, Leicher and Hito does not explicitly disclose wherein access to the memory zones of the calculator is locked by a security mechanism local to the calculator.	On the other hand, Benayed teaches wherein access to the memory zones of the calculator is locked by a security mechanism local to the calculator (Benayed, ¶29, The private key of the key pair is stored in a secure area of the device and is not revealed during the authentication process described with reference to FIG. 2A).	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Benayed, which teaches a system enabling registration of subscribers into the teaching of Rosati in view of Leicher and Hito to result in the aforementioned limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Benayed‘s teaching would help provide end users with convenience and flexibility in accessing computer programs and provides organizations with required security (see Benayed ¶26). In addition, both of the references (Benayed and Rosati in view of Leicher, and Hito) teach features that are directed to analogous art and they are directed to the same .
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 10270774 B1 - transmitting, by the restricted access system and to a credential management system, a request to authenticate the user; receiving, by the restricted access system and from the credential management system, a token indicating that the credential management system authenticated the user based on the user interacting with a representation of the challenge data that was provided to the client device.  Polling, by the restricted access system, the credential management system, wherein receiving the token comprises receiving, in response to the polling, the credential management system.
US 20180324173 A1 - verify a unique user identification credential for a requesting user of a first client in response to receiving request for access to a microservice process from the user via the first client; create a client identification token in response to verifying a unique user identification credential for the user, and a session identification token for the request; pass the session identification token to the requesting client mapped to the client identification token; enable requested access by the first client to the requested microservice process in association with the session 
US 20180041467 A1 - cloud gate terminates the application-specific user session, kills the user's host SSO cookie.
US 20180063564 A1 - registering a new subscriber, the subscription service is used to create an identity for a new subscriber, the subscriber's user ID can be retrieved.
US 20140096220 A1 - the authentication module polls the authentication server for an authentication token.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vy Huy Ho whose telephone number is (571) 272-3261.  The examiner can normally be reached on Monday - Friday 7:30 am-5:30 pm.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/V.H.H/
Examiner, Art Unit 2197
/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497