DETAILED ACTION
This is a non-final office action in response to applicant’s amendment filed on 12/17/2021.
Claims 1-20 are pending and being considered.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Status of Claims
The amendment filed 12/17/2021 has been entered. Claims 1, 11 are currently amended claims. Claims 1-20 are pending in the application.
Response to Amendments
The objection of claims 1, 11 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
Response to Arguments
Applicant’s arguments, see pg. 8-12 of the Remarks filed 12/17/2021 regarding claims rejected under 35 USC 103 over prior arts of record have been fully considered and are moot in view of current office action with previously applied prior arts.
Applicant’s argument regarding independent claims 1, 11 rejected under 35 USC 103 mainly concerns the motivation of combining Hamel’s encryption of authentication token with Dorfman’s QR code, see pages 8-10 of the Remarks. Applicant further argued 
“However, Applicant maintains that there was no reasonable expectation of success in the modification of Dorfman's QR code sent by the authentication service to the user's browser with Hamel's encrypted lease key signed with the user system private key to provide a signed encrypted lease key to the authentication device, (see paragraph [0148], lines 6-10). Nowhere in the cited art is there any motivation for the QR code of Dorfman "being encrypted using a public key associated with the client device," per the recitation of independent claim 1. Hamel discloses that a "user system" signs an encrypted lease key with a user system private key. 
Nowhere in the Office Action is there any motivation provided as to how or why the QR code would be signed with a user system private key for the purpose of encryption.
Applicant further maintains that nowhere in the state of the art is there any teaching or disclosure regarding QR codes that are further encrypted before being transmitted to a user and maintains that such a modification would not be obvious to one of ordinary skill in the art.” (See page 9 of the Remark)

Applicant further argued,

“The references to Lea and Alhothaily fail to remedy the deficiencies of Dorfman in view of Hamel, namely, ‘transmitting, to the first client device, the first authentication token being encrypted using a public key associated with the first client device,’ per the recitations of independent claim 1 and similarly claim 11”. (See page 10 of the Remark)

Examiner agrees with applicant about the motivation of combining Dorfman’s QR code with Hamel’s encrypting authentication token, however disagrees with applicant that Lea fails to remedy the deficiencies of Dorman in view of Hamel. Lea teaches generating an identity for a user by generating an authentication token associated with the user identifier and providing the token to user. Hamel teaches user device authentication with digital credentials. Hamel encrypted authentication token back to the user device (para [148]). It is obvious and well-known to one ordinary skilled in the arts that the motivation of encrypting the authentication token and sending the encrypted authentication token (instead of plain text authentication token) to the user is to securely providing the authentication token to the user. Further the authentication token being encrypted with user device public key can be securely decrypted by the user with user device private key. Therefore examiner asserts Lea in combination of Hamel teaches the encrypted authentication token. In the current office action, Lea reference is used as primary prior art. 
For the above reason, examiner asserts Lea in combination of Alhothaily, Hamel and Dorfman teaches all elements of the independent claims. 
Applicant’s further arguments regarding dependent claims are not persuasive due to the same reason as discussed above for the independent claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4-6, 11, 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Lea (US20150222435A1, hereinafter, “Lea”), in view of Alhothaily et al (US20170339163A1, hereinafter, “Alhothaily”), in further view of Hamel et al (US20190305964A1, hereinafter, “Hamel”) and Dorfman et al (US20140282961A1, hereinafter, “Dorfman”).
Regarding claim 1, Lea teaches:
A method of authenticating a client device with a server (Lea, discloses authenticating user with authentication token, see [Abstract]), the method comprising: 
receiving a first authentication request from a first client device (Lea, See Fig. 2 step 203, and [0009] c) the first user device transmitting a first request, including the identifier and the public key, to a server); 
generating, in response to receiving the first authentication request, a first authentication token, the first authentication token including a first [dynamic] user ID and [a (Lea, Fig. 2 step 204, and [0038] The server generates an authentication token with the UUID (i.e. user ID) and the public key in step 204); (see Alhothaily and Dorfman below for dynamic user ID and session ID respectively)
transmitting, to the first client device, the first authentication token [being encrypted using a public key associated with the first client device] (Lea, Fig. 2 step 204-205, and [0038] The token may be encoded into another format and transmitted to the email address of the user); (See Hamel below for limitation(s) in bracket)
receiving, based on transmitting the [encrypted] first authentication token to the first client device, a digital signature and a second authentication token from the first client device, the second authentication token including the first [dynamic] user ID and the [first session ID] (Lea, [0041] The application on the first user device receives the token (and decodes it if encoded) in step 205. The application generates, in step 206, a message, including the UUID and token, signs it with the private key (i.e. digital signature) and transmits it to the server in step 207); (See Alhothaily and Dorfman below for dynamic user ID and session ID respectively)
verifying, using the public key associated with the first client device transmitted to the first client device, the digital signature based on the contents of the second authentication token (Lea, Fig. 2 step 208, [0042] The server verifies the signed message using the stored public key (i.e. public key associated with the first client device) in step 208); 
generating a second [dynamic] user ID (Lea, [0034] The first user device generates a UUID, in step 201). Examiner notes the same steps for generating the first user ID applies to the generating of second user ID; 
the second [dynamic] user ID (Lea, see Fig. 2 step 204, and [0038] The server generates an authentication token with the UUID and the public key in step 204). Examiner notes the same steps for generating the first authentication token with first user ID applies to the generating of third authentication token with the second user ID; 
receiving the second [dynamic] user ID and the third authentication token from the first client device in a second authentication request occurring after the first authentication request (Lea, Fig. 2 step 206, and [0041] The application on the first user device receives the token (and decodes it if encoded) in step 205. The application generates, in step 206, a message, including the UUID and token, signs it with the private key and transmits it to the server in step 207). Examiner notes since the second user ID is generated after the first user ID, it is obvious to one ordinary skilled that the second authentication request is after the first authentication request, also it can be seen from the flowchart of Fig. 2 of Lea that the second request at 206 is after the first request at 203; 
and authenticating the first client device using the third authentication token (Lea, [0010] when verified, validating an identifier associated with the second request as an identity for the user). Examiner notes the claim’s recitation of second dynamic user ID and third authentication token and using the third authentication token for user authentication appears to suggest the authentication of the user does not depends on the steps prior to the generation of second dynamic user ID.

authentication token including a first dynamic user ID (Alhothaily, discloses method for authenticating a user with dynamic username with ticket, see [Title] and [Abstract]. And [0029] The dynamic One-Time Username (OTU) (i.e. dynamic user ID) may be used by a user for a specific session login after service provider 325 verifies the user ticket (i.e. authentication token) and authenticates the user. And [0054] The ticket, as described in detail above, may include a dynamic one-time username (OTU), a session key k…).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Alhothaily in the authenticating an identity of a user of Lea by using ticket (i.e. authentication token) including dynamic one-time usernames for user authentication to access to a service provider. This would have been obvious because the person having ordinary skill in the art would have been motivated to use dynamic one-time usernames for enhanced security for remote user authentication (Alhothaily, [Abstract], [0003]).
The combination of Lea-Alhothaily teaches the main concept of the invention and encoding the authentication token but does not explicitly teach encrypting the authentication token using a public key associated with the first client device, however in the same field of endeavor Hamel teaches:
… the first authentication token being encrypted using a public key associated with the first client device; … based on transmitting the encrypted first authentication token to the first (Hamel, discloses digital credentials for user device authentication, see [Title] and [Abstract]. And [0148] … The authentication device checks the signature and decrypts the lease key. It then creates a new authentication token signed with the lease key, encrypts the authentication token with the user device public key, and provides the encrypted token back to the user device);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Hamel in the method of identity generation for user authentication of Lea-Alhothaily by generating authentication token based on verified user credentials and encrypting the authentication token with user device public key. This would have been obvious because the person having ordinary skill in the art would have been motivated to encrypt the authentication token using user device’s public key as security measure so that user device can decrypt the encrypted authentication token with user device’s private key and provide the token to the system for digital credentials (Hamel, [Abstract], [0148]).
While combination of Lea-Alhothaily-Hamel teaches authenticating user with authentication token with user ID by verifying user identity of the user but does not specifically teach the authentication token including a session ID, however in the same field of endeavor Dorfman teaches:
[generating,… the first authentication token including a first user ID] (see Lea as shown above) and a first session ID (Dorfman, discloses authenticate online users using imaging, see [Title], [Abstract]. And [0039] In response to the user's request, the authentication service may then generate a unique ID (i.e. user ID) and send the user's browser a QR code (i.e. authentication token)…The authentication servers may then save the generated unique ID, which was sent to the browser in the QR code, along with a session ID (i.e. first session ID) that identifies the pending request);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dorfman in the method of identity generation for user authentication of Lea-Alhothaily-Hamel by including a session ID with QR code as authentication token. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the session ID to associate the pending user request for user authentication to access a web page associated with the user's online account (Dorfman, [Abstract], [0039]).

Regarding claim 11, Lea-Alhothaily-Hamel-Dorfman combination teaches:
A non-transitory computer-readable medium storing a plurality of instructions which, when executed by a processor (Lee, Lea, discloses authenticating user with authentication token, see [Abstract]. And [0013-0014] processors and [claim 33] computer readable medium), perform a method comprising: the method steps substantially similar to the method steps of claim 1, therefore is rejected with same reason set forth as rejection of claim 1 above. 

Regarding claim 4, similarly claim 14, Lea-Alhothaily-Hamel-Dorfman combination further teaches:
The method of claim 1, the method of claim 11, 
(Dorfman, [0006] a log-in ID associated with the user and the unique ID; and authenticating the identity of the user to grant the user access, through the first device, to the web page associated with the user's online account). Examiner notes Dorfman teaches a unique ID, i.e. it is a unique ID assigned to the user, not assigned to other user.

Regarding claim 5, similarly claim 15, Lea-Alhothaily-Hamel-Dorfman combination further teaches:
The method of claim 1, the method of claim 11,
further comprising: generating a third session ID that is assigned to the second dynamic user ID (Dorfman, [0039] The authentication servers may then save the generated unique ID, which was sent to the browser in the QR code, along with a session ID that identifies the pending request by the browser to receive notice of completed log-in (step 410). Thus, in one embodiment, the authorization service may store in a database, a plurality of unique IDs and session IDs received from various users' browsers, with the data indexed by the unique IDs). 

Regarding claim 6, similarly claim 16, Lea-Alhothaily-Hamel-Dorfman combination further teaches:
The method of claim 1, the method of claim 11, 
wherein the second dynamic user ID is transmitted within the third authentication token (Lea, [0010] a server is configured to generate an authentication token associated with the identifier in response to a first request, to transmit the authentication token for receipt by an address associated with the user in response to the second request. And [0041] The application generates, in step 206, a message, including the UUID and token, signs it with the private key and transmits it to the server in step 207).  

Claims 2, 12 are rejected under 35 U.S.C. 103 as being unpatentable over Lea-Alhothaily-Hamel-Dorfman as applied above, further in view of Kanukollu (US20200112436A1, hereinafter, “Kanukollu”).
Regarding claim 2, similarly claim 12, Lea-Alhothaily-Hamel-Dorfman teaches:
The method of claim 1, the medium of claim 11,
While the combination of Lea-Alhothaily-Hamel-Dorfman does not explicitly teach the following limitation(s), Kanukollu in the same field of endeavor teaches:
wherein the first authentication request includes a fourth authentication token (Kanukollu, [0037] At operation 208, the client 102 sends a client token (i.e. fourth authentication token) and the code received at operation 204 to the identity provider 106), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kanukollu in the method of identity generation for user authentication of Lea-Alhothaily-Hamel-Dorfman by receiving client generated token from client. This would have been obvious because the person having ordinary skill in the art would have been motivated to have client generate token to send to identity provider to further generate temporary token for client authentication (Kanukollu, [Abstract]).
(Dorfman, [0041] The authentication service may then look-up the session ID for which the extracted unique ID was saved (step 420)); and determining whether a valid session for the first client device exists based on the second session ID (Dorfman, [0041] thus, the authentication service may, having received a digital certificate and enclosed unique ID and log-in ID, desire to identify the browser session corresponding to that unique ID.  That is, the authentication service may determine which browser issued a pending request for notice of completed log-in associated with the log-in ID that it now received from a mobile device).  

Claims 3, 7, 13, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Lea-Alhothaily-Hamel-Dorfman-Kanukollu as applied above, further in view of Shablygin (US20130145148A1, hereinafter, “Shablygin”).
Regarding claim 3, similarly claim 13, Lea-Alhothaily-Hamel-Dorfman-Kanukollu teaches:
The method of claim 2, the medium of claim 12,
While the combination of Lea-Alhothaily-Hamel-Dorfman-Kanukollu does not explicitly teach the following limitation(s), Shablygin in the same field of endeavor teaches:
wherein the fourth authentication token contains a third dynamic user ID having a null or empty value (Shablygin, [0277] While a blank token resulting from the deactivation of an active token, may have a token ID, user ID, and encryption keys stored on the token, the deactivated token cannot be used for any form of authentication… a disabled token may be reused by overwriting existing information with a new token ID, user ID, and encryption keys as described above).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Shablygin in the method of identity generation for user authentication of Lea-Alhothaily-Hamel-Dorfman-Kanukollu by disabling deactivated token as blank token. This would have been obvious because the person having ordinary skill in the art would have been motivated to reuse the disabled token for a new token ID, user ID etc. for user authentication (Shablygin, [0004], [0006], [0277]).

Regarding claim 7, similarly claim 17, Lea-Alhothaily-Hamel-Dorfman-Kanukollu-Shablygin combination further teaches:
The method of claim 3, the method of claim 13, 
wherein the third dynamic user ID is transmitted separately from the third authentication token (Dorfman, Fig. 4 step 404, Send (i.e. transmitting) QR code with server URL and unique ID. Examiner notes the third dynamic user ID is transmitted with the fourth authentication token as seen from claim 3 therefore it is obvious that it is transmitted separately from the third authentication token).  

Claims 8, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Lea-Alhothaily-Hamel-Dorfman-Kanukollu as applied above, further in view of Pearson et al (US20060218625A1, hereinafter, “Pearson”).
Regarding claim 8, similarly claim 18, Lea-Alhothaily-Hamel-Dorfman-Kanukollu combination teaches:
The method of claim 2, the method of claim 12,
While the combination Lea-Alhothaily-Hamel-Dorfman-Kanukollu does not explicitly teach the following limitations, in the same field of endeavor Pearson teaches:
further comprising: determining that a valid session for the first client device does not exist; generating a challenge (Pearson, [0045] the first identity provider server determines that the end-user has a valid login session.  If the end-user does not have a valid login session, the first identity provider server challenges the end-user for a username and password, i.e., credentials, before moving to step 422); generating a third session ID; and transmitting the challenge to the client device (Pearson, [0045] At step 422, the first identity provider server formulates a redirecting authentication response, e.g., https://www.SP1.com/ AuthnResponse? [Encrypted Payload] and sends it back to the end-user browser.  Then, at step 424, the end-user browser forwards the identity provider server authentication response to first service provider server).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Pearson in the method of identity generation for user authentication of Lea-Alhothaily-Hamel-Dorfman-Kanukollu by challenging the end-user if the end-user does not have valid login session. This would have been obvious because the person having ordinary skill in the art would have been motivated to have service provider server to provide the end-user to access a protected .

Claims 9, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Lea-Alhothaily-Hamel-Dorfman as applied above to claim 1, 11 respectively, further in view of Xu et al (US20150163216A1, hereinafter, “Xu”).
Regarding claim 9, similarly claim 19, Lea-Alhothaily-Hamel-Dorfman combination teaches:
The method of claim 1, the method of claim 11,
While the combination Lea-Alhothaily-Hamel-Dorfman does not explicitly teach the following limitation(s), in the same field of endeavor Xu teaches:
further comprising: after generating the second dynamic user ID, rejecting authentication of a second client device in response to receiving an authentication token containing the first dynamic user ID (Xu, discloses identity authentication see [Abstract]. And [0120] the method for identity authentication provided in the embodiments can switch to another check character generation rule when the current check character generation rule is cracked and puts the version number of the new rule in the new access ID to assign to the authorized third party developer in order to invalidate the old access ID (i.e. rejecting authentication of first dynamic user ID).  As such, the difficulty of cracking access ID is increased).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Xu in the .

Claims 10, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lea-Alhothaily-Hamel-Dorfman-Xu as applied above to claim 9, 19 respectively, further in view of Atwood et al (US20190363886A1, hereinafter, “Atwood”).
Regarding claim 10, similarly claim 20, Dorfman-Lea-Alhothaily-Hamel-Xu combination teaches:
The method of claim 9, the method of claim 19,
While the combination of Lea-Alhothaily-Hamel-Dorfman-Xu does not explicitly teach the following limitation(s), in the same field of endeavor Atwood teaches:
wherein the second client device is the first client device (Atwood, [0014] the first server may maintain a record of a plurality of applications, each of which may be authenticated by receipt of the token. The first server may receive an additional service request for a different application from the client electronic device, wherein the additional service request includes the token, a different application identifier, and the device identifier… determining that the token is valid may include confirming that the device identifier received with the additional service request is the same device identifier (i.e. first client device) that was received with the handshake request).  

Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Hugot (US20200067904A1) discloses method for authenticating a user and corresponding device with authentication tokens. 
Cernoch et al (US20170163647A1) discloses authentication systems and methods that selectively authenticate request to access resource data store.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436                                                                                                                                                                                                        


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436