Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
2.	Applicant's arguments filed 11/30/2021 have been fully considered but they are not persuasive. Applicant asserts (page 10 of Remarks):
Claim 1
a)	Katoh and Beiter fail to teach or suggest a uniform resource locator (URL) generator configured to generate a first URL that encodes the authentication object and authenticator associated with the first URL configured to receive the authentication object from the device associated with the user subsequent to the first URL being provided, and based at least on a software application at the device consuming and then providing the authentication object to the authenticator; and authenticate the identity of the user for the software application at the device based on the authentication object being received. 
b)	However, the Examiner very kindly directs applicant to “client 
device 130 may acquire an arbitrary QR-ID and an arbitrary QR-ENC encryption 
key that is generated and encoded into a QR code by the authentication server 
140.  Alternatively, the client device 130 may create the QR-ID and the QR-ENC 
encryption key and submit the QR-ID and QR-ENC to the authentication server 
140.  Regardless, the client device 130 may display a login page with the QR 
code that includes the QR-ID and QR-ENC that is generated at the client device 
extract the QR-ID and QR-ENC from the QR code and send the QR-ID, QR-ENC, and the mobile authentication token to the authentication server 140 for authentication.  The authentication server 140, for example, may validate the mobile authentication token and derive a device authentication token based on the mobile authentication token (i.e. authentication object).  Alternatively, the authentication server 140 may store the mobile authentication token in a data store or create an intermediary token.  In this regard, the authentication server 140 may later derive the device authentication token from the stored mobile authentication token or the intermediary token.  The authentication server 140 may then encrypt the device authentication token using QR-ENC as the encryption key, and store the result of the encryption in a row of a session table in the data store 104 (e.g., session store), using the QR-ID as the locator key (Beiter, ¶0032-33). Also, the user 110 may open an authentication application (or a browser) on the client device 130.  In response to the user 110 opening the authentication application, the client device 130 may retrieve and launch a login page (i.e., GetPage( )) that is hosted in the authentication server 140 (e.g., a cloud web application), as shown in arc 410.  The authentication server 140 may recognize that the user 110 has not been authenticated at this point and determine by a mechanism (e.g., a flag that is set by the client device 130) that QR code based login is supported by the client device 130. At arc 415, the authentication server 140 may generate an identification value (e.g., nonce) of high entropy.  This identification value is called a "QR-ID".  The authentication server may also create an arbitrary encryption key, called a "QR-ENC".  According to an example, both QR-ID and QR-ENC are encoded in a QR code.  The QR code may be embedded in a response hypertext markup language (HTML) page (therefore, first URL) that is returned as the login page, as shown in arc 420.  This response may also include QR-ID and QR-ENC in an encoded text representation that is only visible to the client device 130, and is not included in the login page.  According to another example, both the QR-ID and QR-ENC may be created on the client device 130.  In this example, the client device 130 would send the QR-ID and QR-ENC to the authentication server 140.  In such examples, the client device 130 may include and utilize a pseudo-random number generator of sufficient quality (Beiter, ¶0040-41). Further, In a parallel thread, the client device 130 may repeatedly poll the authentication server 140 to check for a server side status change associated with QR-ID (i.e., UserLoggedIn(QR-ID)), as shown in arcs 435 and 445.  Until the user 110 has transferred the authentication session as discussed further 
below in FIG. 5, the authentication server 140 will return a "no" response indicating that the user 110 is not authenticated, as shown in arcs 440 and 450.  However, once the user 110 has successfully transferred the authentication session as discussed further with respect to FIG. 5, the user's status may be changed from "user is not authenticated" to "user is authenticated" at the authentication server 140.  A predetermined polling interval may determine the user experience.  For instance, the shorter the polling interval, the faster the user 110 may be authenticated on the client 
device 130 after the use has scanned the QR code with the mobile device 120.  
However, a faster user authentication may place a greater load on the authentication server 140.  In method 400, the user 110 does not provide any secret information to 
authentication application extracts the QR-ID and QR-ENC from the QR code.  At arc 510, the authentication application then sends the QR-ID, QR-ENC, and the mobile authentication token (i.e., mobAuthN), which was obtained in arc 
315 in FIG. 3, to the authentication server 140 (e.g., qrLogin(QR-ID, QR-ENC, mobAuthN)).  The authentication server 140, for example, may map the QR-ID to 
the mobile authentication token.  Accordingly, the mobile device 120, the client device 130, and the authentication server 140 share a common secret QR-ID.  In this regard, for instance, the mobile device 120 may be used to broker the relationship between the mobile device 120, the client device 130, and the authentication server 140 (Beiter, ¶0043-46).
c)	Applicant further asserts (page 11 of Remarks): statement that QR code is a first URL is incorrect. 
d)	However, the Examiner very kindly directs applicant to QR code may be embedded in a response hypertext markup language (HTML) page (therefore, first URL) that is returned as the login page (Beiter, ¶0041). In addition, Examiner point out that it is well known in the art that QR code contains the address of a website. By scanning the code, the website can be access by the user without the hassle of manually entering the address (URL). This works because the QR reader recognizes the http(s):// protocol prefix and then interprets the text as a website address / URL. Therefore, the information encoded in static QR codes is a URL.
e)	Applicant further asserts (pages 11-12 of Remarks): Beiter fails to teach or suggest generate a first URL that encodes the authentication object. 
f)	However, the Examiner very kindly point out generating or creating QR code that encodes the encryption key and the authentication server 140 may then encrypt the device authentication token (i.e. authentication object) using QR-ENC as the encryption key (Beiter, ¶0032-33). 
g)	Applicant further asserts (page 12 of Remarks): Beiter makes no mention of application at the client device consuming and then providing authentication objects in the QR code to an authenticator.
h)	However, the Examiner respectfully directs applicant to user may log in to the mobile device 120 by, manual entry of authentication credentials an installed mobile authentication application 260 on the mobile device 120.  The authentication server 140 may receive the authentication credentials from the mobile device 120, validate the 
received authentication credentials, and transmit a mobile authentication token (therefore providing the authentication object) (i.e., mobAuthN) to the mobile device 120.  The mobile device 120 may store, the mobile authentication token in the data store 254 (Beiter, ¶0031). Also, based on the application 260 at the device 
Claim 8
i)	Applicant further asserts (pages 13-14 of Remarks): Beiter fails to teach or suggest “authenticating the identity of the user for another software application at the second device based on an authentication token received over the network from the software application executing at the second device”.
j)	However, the Examiner very kindly directs applicant to allowing a user to conveniently enter their credentials on the mobile device and then transfer the authenticated session to the client device without loss of security.  Additionally, the disclosed examples may leverage generic soft token clients in the form of applications (i.e. first, second or more application) that operate on any mobile device platform.  Accordingly, when using advanced authentication mechanisms, such as biometric mechanisms or cryptographic protocols, the user may install an application on their mobile device that interacts with standard hardware supported by the mobile device without needing additional dedicated hardware (Beiter, ¶0017). Also, once the user has successfully authenticated (Beiter, ¶0043). Further, as shown in arc 505, the user 110 may scan the QR code that is displayed on the client device 130 using the authentication application on their mobile device 120 (i.e. second device).  Once the authentication application then sends the QR-ID, QR-ENC, and the mobile authentication token (i.e., mobAuthN), which was obtained in arc 315 in FIG. 3, to the authentication server 140 (e.g., qrLogin(QR-ID, QR-ENC, mobAuthN)).  The authentication server 140, for example, may map the QR-ID to the mobile authentication token.  Accordingly, the mobile device 120, the client device 130, and the authentication server 140 share a common secret QR-ID.  In this regard, for instance, the mobile device 120 may be used to broker the relationship between the mobile device 120, the client device 130, and the authentication server 140. When the authentication server 140 receives the mobile authentication token from the mobile device 120, the authentication server 140 may validate the mobile authentication token and ensure that the associated session is still valid, as shown in arc 515.  According to an example, the authentication server 140 then creates a new session for the client device 130 that is derived from the session represented by the mobile authentication token, as shown in arc 520.  The new session, for instance, is represented by a device authentication 
token (i.e., deviceAuthN) (Beiter, ¶0046-47). Therefore, Beiter teaches authenticating the user identity for the authentication applications (i.e. first, second, or more) at the second device (i.e. device 120) based on the authentication token received from the authentication applications executing at the second device. 
k)	Applicant also asserts: authenticating the user identity for the applications (i.e. first, second or more) is not found anywhere in the Beiter. 
l)	please refer to part j
Claim 15
m)	Applicant further asserts (page 17 of Remarks): Katoh disclosure has nothing at all to do with “receiving a request having information that includes an identifier of a user and an identifier of a software application, the request received from an administrator of a group affiliated with the user. 
n)	However, the Examiner very kindly directs applicant to the verification data management table stores, for each one of a plurality of persons to be verified, a file name of an image file (such as a facial image) as the verification data and a 
name of a person identified with a facial image (Katoh, ¶0139). Also, transmitting a verification request for verifying the data to be verified using the verification data, to the centralized data processing server 7, or performs processing on the verification result sent from the centralized data processing server 7 (i.e. administrator).  The transmitter and receiver 61 transmit or receives various data (or information), such as the data to be verified (Katoh, ¶0141). Further, Katoh teaches different applications such as image recognition application and email application (Katoh, ¶0084 and ¶0169). 
o)	Applicant's arguments with regards to dependent claims are based on the deficiency of the references to support the limitations of independent claims. The arguments are respectfully traversed for the same reason(s) as stated above for rejection of independent claims.
3.	Therefore, the limitations of the claims are met and the rejection is made final. 

Claim Rejections - 35 USC § 103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
A)	Claims 1-2, 6-9, and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Katoh (US 2019/0306334 A1) in view of Beiter (US 2017/0244555 A1). 
As per claim 1, Katoh teaches a system (Katoh, Fig.9, a system), comprising: a processing system comprising one or more processors (Katoh, Fig.9 and ¶0191, authentication server 9 with authentication unit 92 implemented by CPU (i.e. processor)); and a memory configured to store program code to be executed by the processing system (Katoh, Fig.9, storage unit 9000 storing programs and instructions executed by authentication server), the program code including: an object generator (Katoh, ¶0158, generator 74) configured to: receive information associated with a user 
However, Katoh does not explicitly teach URL generator configured to: generate a first URL that encodes the authentication object; and provide the first URL to a device associated with the user; and an authenticator, associated with the first URL, configured to: receive the authentication object from the device associated with the user subsequent to the first URL being provided, and based at least on a software application at the device consuming and then providing the authentication object to the authenticator ; and authenticate the identity of the user for  the software application at the device based on the authentication object being received.  
In the same field of endeavor, Beiter teaches URL generator configured to: generate a first URL that encodes the authentication object (Beiter, ¶0041, generate an identification value called “QR-ID”. The authentication server may also create an arbitrary encryption key, called a "QR-ENC".  According to an example, both QR-ID and QR-ENC are encoded in a QR code (i.e. first URL).  The QR code may be embedded in a response hypertext markup language (HTML) page that is returned as the login page; therefore generating QR code that encodes; also see ¶0032, an arbitrary QR-ID and an arbitrary QR-ENC encryption key that is generated and encoded into a QR code); and provide the first URL to a device associated with the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of applicant’s claimed invention to have incorporated the teaching of Beiter into invention of Katoh in order to provide credentials to the service for use in 
	As per claim 2 as applied to claim 1 above, Katoh does not explicitly teach, receive the authentication object via a first browser session instantiated responsive to activation of the first URL at the device associated with the user,AMENDMENT AND REPLY UNDER 37 CFR § 1.114Page 3Serial No. 16/588,719Attorney Docket No.: 407026-US-NP Filing Date: September 30, 2019establish an authenticated browser session with the device associated with the user based at least on the authentication object; and authenticate the identity of the user for the software application responsive to the software application invoking the authenticated browser session at the device associated with the user.  
	In the same field of endeavor, Beiter teaches receive the authentication object via a first browser session instantiated responsive to activation of the first URL at the device associated with the user (Beiter, ¶0040-41, receive authentication token via browser (i.e. first browser) incorporated in response to receiving QR code at the device associated with the user),AMENDMENT AND REPLY UNDER 37 CFR § 1.114Page 3Serial No. 16/588,719Attorney Docket No.: 407026-US-NP Filing Date: September 30, 2019establish an authenticated browser session with the device associated with the user based at least on the authentication object (Beiter, ¶0040-41, open authentication application (or a browser) with the device associated with the user based on the authentication token); and authenticate the identity of the user for the software application responsive to the software application invoking the authenticated browser session at the device associated with the user (Beiter, ¶0040 and ¶0046, authenticating by recognizing the user (i.e. user’s identity) for the application based on using the authentication application (or a browser) at the device associated with a user). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of applicant’s claimed invention to have incorporated the teaching of 
As per claim 6 as applied to claim 1 above, Katoh teaches wherein the at least one identifier included with the information includes at least one of: a communication identifier; a name of the user (Katoh, ¶0053, name of a person or user); an alias or another identifier of the user; or an identifier of the software application (Katoh, ¶0084, image recognition application API).  
As per claim 7 as applied to claim 1 above, Katoh teaches, the software application consuming and then providing the authentication object to the authenticator is an application being installed at the device (Katoh, ¶0109, application or program using or consuming and providing authentication being installed in the terminal).  
As per claim 8, Katoh teaches a method implemented by a computing system (Katoh, Fig.9 and ¶0191, authentication server 9 with authentication unit 92 implemented by CPU (i.e. computing system)), the method comprising: validating user credentials received over a network from a first device associated with a user (Katoh, ¶0136 and ¶0139, receiving verification data (i.e. user credential) received over a network from the terminal 6 associated with a user); receiving over the network a user input specifying a communication identifier (Katoh, ¶0130 and ¶0142, receiving a service request over the network by user input specifying service identifier (i.e. email)); and generate a uniform resource locator (URL) (Katoh, ¶0203, generating URL).
However, Katoh does not explicitly teach providing, over the network to a second device associated with the user that is associated with the communication identifier, a 
In the same field of endeavor, Beiter teaches providing, over the network to a second device associated with the user that is associated with the communication identifier (Beiter, ¶0037, providing over the network to second device (i.e. device 120) associated with user that is associated with email (i.e. communication identifier)), a first uniform resource locator (URL) that is generated by the computing system and that encodes an authentication object associated with an identity of the user (Beiter, ¶0037 and ¶0041, generate an identification value called “QR-ID”. The authentication server may also create an arbitrary encryption key, called a "QR-ENC".  According to an example, both QR-ID and QR-ENC are encoded in a QR code (i.e. first URL).  The QR code may be embedded in a response hypertext markup language (HTML) page that is returned as the login page; therefore generating QR code is generated which encodes); 
receiving the authentication object over the network from the second device subsequent to the first URL being provided (Beiter, ¶0043 the client device 130 repeatedly poll the authentication server 140 to check for a server side status change associated with QR-ID (i.e. UserLoggedIn (QR-ID)), as shown in arcs 435 and 445); authenticating the 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of applicant’s claimed invention to have incorporated the teaching of Beiter into invention of Katoh in order to provide credentials to the service for use in authenticating the identity of the user and determining that the user is authorized to access various resources of the service. 

As per claim 9 as applied to claim 8 above, Katoh does not explicitly teach, receiving over the network the authentication object via a first browser session instantiated responsive to activation of the first URL at the second device; establishing an authenticated browser session with the second device based at least on the authentication object; and authenticating the identity of the user for the software application subsequent to the software application invoking the authenticated browser session at the second device.  

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of applicant’s claimed invention to have incorporated the teaching of Beiter into invention of Katoh in order to provide credentials to the service for use in authenticating the identity of the user and determining that the user is authorized to access various resources of the service. 
  	As per claim 14 as applied to claim 8 above, Katoh teaches wherein the computing system is a cloud-based computing system, and comprises an identity service that is configured to perform authentication for identities of users (Katoh, ¶0153 and ¶0156, centralized data processing server is cloud based system configured to perform data verification such as identifying a user). 

However, Katoh does not explicitly teach generating a first URL that encodes an authentication object associated with an identity of the user; providing the first URL to a device associated with the user; receiving the authentication object from the device associated with the user subsequent to the first URL being provided; and authenticating the identity of the user for the software application based on the authentication object being received.  
In the same field of endeavor, Beiter teaches generating a first URL that encodes an authentication object associated with an identity of the user (Beiter, ¶0041, generate an identification value called “QR-ID”. The authentication server may also create an arbitrary encryption key, called a "QR-ENC".  According to an example, both QR-ID and QR-ENC are encoded in a QR code (i.e. first URL).  The QR code may be embedded in a response hypertext markup language (HTML) page that is returned as the login page; 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of applicant’s claimed invention to have incorporated the teaching of Beiter into invention of Katoh in order to provide credentials to the service for use in authenticating the identity of the user and determining that the user is authorized to access various resources of the service. 
As per claim 16 as applied to claim 15 above, Katoh does not explicitly teach, receiving the authentication object via a first browser session instantiated responsive to activation of the first URL at the second device; establishing an authenticated browser 
In the same field of endeavor, Beiter teaches receiving the authentication object via a first browser session instantiated responsive to activation of the first URL at the second device (Beiter, ¶0040-41, receive authentication token via browser (i.e. first browser) incorporated in response to receiving QR code at the device associated with the user); establishing an authenticated browser session with the second device based at least on the authentication object (Beiter, ¶0040-41, open authentication application (or a browser) with the device associated with the user based on the authentication token); and authenticating the identity of the user for the software application subsequent to the software application invoking the authenticated browser session at the second device (Beiter, ¶0040 and ¶0046, authenticating by recognizing the user (i.e. user’s identity) for the application based on using the authentication application (or a browser) at the device associated with a user). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of applicant’s claimed invention to have incorporated the teaching of Beiter into invention of Katoh in order to provide credentials to the service for use in authenticating the identity of the user and determining that the user is authorized to access various resources of the service. 
B)	Claims 3-5, 10-11, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Katoh (US 2019/0306334 A1) in view of Beiter (US 2017/0244555 A1) and further in view of Mullen (US 20060026260 A1). 

	In the same field of endeavor, Mullen teaches generate an application download object that specifies a redirection to a second browser session for a download website or an application store for the software application based on the information (Mullen, ¶0010, initiate or generate application download file or object that redirect the client web browser to a second web page to reload or download web server), wherein the first URL encodes the application download object associated with the software application (Mullen, ¶0026 and ¶0010, URL for page Y (first URL) which encoding the data for application download); and wherein the URL generator is further configured to: generate a second URL (Mullen, ¶0028, URL for page Z (second URL)), based on the application download object, that specifies a redirection to a second browser session for a download website or an application store for the software application; and provide the second URL (Mullen, ¶0028 and ¶0010, based on application download files which 
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of Mullen into invention of Katoh in view of Beiter in order to provide communications between a web-based application and a client application while maintaining a unique client session with a web server.
 	As per claim 4 as applied to claim 3 above, Katoh in view of Beiter teaches, wherein the URL generator is further configured to: provide the second URL to at least one of the device or a different device associated with the user (Beiter, ¶0028 and ¶0046, QR codes (first, second or more) to second device 120), and wherein the second URL is provided as at least one of a web link, a quick response (QR) code, a sub-audio frequency communication, a near-field communication (NFC), a radio frequency (RF) communication, or a Bluetooth communication (Beiter, ¶0028 and ¶0046, quick response (QR) code). 
  
 	As per claim 5 as applied to claim 3 above, Katoh in view of Beiter teaches all the claim limitation substantially as claimed in claim 3. However, Katoh in view of Beiter does not explicitly teach receive a session artifact from the device that is generated in association with the redirection to the second browser session; and authenticate the identity of the user for the software application based on the session artifact.  
 	In the same field of endeavor, Mullen teaches receive a session artifact from the device that is generated in association with the redirection to the second browser 
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of Mullen into invention of Katoh in view of Beiter in order to provide communications between a web-based application and a client application while maintaining a unique client session with a web server.
	As per claim 10 as applied to claim 9 above, Katoh in view of Beiter teaches all the claim limitation substantially as claimed in claim 9. However, Katoh in view of Beiter does not explicitly teach generating an application download object that specifies a redirection to a second browser session for a download website or an application store for the software application based on the information, wherein the first URL encodes the application download object associated with the software application; and wherein the URL generator is further configured to: generating a second URL, based on the application download object, that specifies a redirection to a second browser session for a download website or an application store for the software application; and providing the second URL to the second device as a web link to the second device.  
	In the same field of endeavor, Mullen teaches generate an application download object that specifies a redirection to a second browser session for a download website or an application store for the software application based on the information (Mullen, 
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of Mullen into invention of Katoh in view of Beiter in order to provide communications between a web-based application and a client application while maintaining a unique client session with a web server.
 	As per claim 11 as applied to claim 10 above, Katoh in view of Beiter teaches all the claim limitation substantially as claimed in claim 10. However, Katoh in view of Beiter does not explicitly teach receiving a session artifact from the second device that is generated in association with the redirection to the second browser session; and authenticating the identity of the user for the software application based on the session artifact.  

	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of Mullen into invention of Katoh in view of Beiter in order to provide communications between a web-based application and a client application while maintaining a unique client session with a web server.
	As per claim 17 as applied to claim 16 above, Katoh in view of Beiter teaches all the claim limitation substantially as claimed in claim 16, However, Katoh in view of Beiter does not explicitly teach, wherein the first URL encodes an application download object associated with the software application; and wherein the method further comprises: generating a second URL, based at least on the application download object, that specifies a redirection to a second browser session for a download website or an application store for the software application; and providing the second URL.  
 	In the same field of endeavor, Mullen teaches wherein the first URL encodes an application download object associated with the software application (Mullen, ¶0026 and ¶0010, URL for page Y (first URL) which encoding the data for application download); and wherein the method further comprises: generating a second URL 
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of Mullen into invention of Katoh in view of Beiter in order to provide communications between a web-based application and a client application while maintaining a unique client session with a web server.
As per claim 18 as applied to claim 17 above, Katoh in view of Beiter teaches, wherein providing the second URL comprises: providing the second URL to at least one of the device or a different device associated with the user (Beiter, ¶0028 and ¶0046, QR codes (first, second or more) to second device 120), and wherein the second URL is provided as at least one of a web link, a quick response (QR) code, a sub-audio frequency communication, a near-field communication (NFC), a radio frequency (RF) communication, or a Bluetooth communication (Beiter, ¶0028 and ¶0046, quick response (QR) code). 
As per claim 19 as applied to claim 17 above, Katoh in view of Beiter teaches all the claim limitation substantially as claimed in claim 17. However, Katoh in view of Beiter does not explicitly teach receive a session artifact from the device that is generated in association with the redirection to the second browser session; and 
 	In the same field of endeavor, Mullen teaches receive a session artifact from the device that is generated in association with the redirection to the second browser session (Mullen, ¶0010, receiving HTML form (session artifact) from the client computer/device that is generated based on the redirection to the second web page); and authenticate the identity of the user for the software application based on the session artifact (Mullen, ¶0010 and ¶0018, the session uniquely identifies the user for the application based on the HTML form). 
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of Mullen into invention of Katoh in view of Beiter in order to provide communications between a web-based application and a client application while maintaining a unique client session with a web server.
 	As per claim 20 as applied to claim 17 above, Katoh in view of Beiter teaches all the claim limitation as claimed in claim 17. However, Katoh in view of Beiter does not explicitly teachAMENDMENT AND REPLY TO RESTRICTION REQUIREMENTPage 8 Serial No. 16/588,719Attorney Docket No.: 407026-US-NPFiling Date: September 30, 2019generating an application download object that specifies a redirection to a second browser session for a download website or an application store for the software application, and the authentication object, based on the information.
 	In the same field of endeavor, Mullen teaches generating an application download object that specifies a redirection to a second browser session for a download website or an application store for the software application, and the authentication object, based on the information (Mullen, ¶0010, initiate or generate application 
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of Mullen into invention of Katoh in view of Beiter in order to provide communications between a web-based application and a client application while maintaining a unique client session with a web server.
C)	Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Katoh (US 2019/0306334 A1) in view of Beiter (US 2017/0244555 A1) and further in view of Mullen (US 20060026260 A1) and Chen (US 9817646 B1). 
	As per claim 12 as applied to claim 10 above, Katoh in view of Beiter and Mullen teaches all the claim limitation substantially as claimed in claim 10. However, Katoh in view of Beiter and Mullen does not explicitly teach receiving a request to install the software application; and generating the application download object and the authentication object based on the request.  
 	In the same field of endeavor, Chen teaches receiving a request to install the software application (Chen, Col.2, lines 50-52, receiving a request to install a web application); and generating the application download object and the authentication object based on the request (Chen, Col.2, lines and Col.13, lines 12-15, generating application download files or objects and the authentication based on the access request). 
 	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of 
D)	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Katoh (US 2019/0306334 A1) in view of Beiter (US 2017/0244555 A1) and further in view of Dudley (US 2019/0065724 A1). 
As per claim 13 as applied to claim 9 above, Katoh in view of Beiter does not explicitly teach wherein establishing the authenticated browser session is also based on receiving over the network from the first device a response to a secondary authentication challenge provided to the second device.  
		In the same field of endeavor, Dudley teaches wherein establishing the authenticated browser session is also based on receiving over the network from the first device a response to a secondary authentication challenge provided to the second device (Dudley, Fig.1, ¶0025-26, establishing browser (i.e. browser 108) based on receiving challenge questions (first, second, or more) provided to the device). 
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to have incorporated the teaching of Dudley into invention of Katoh and Beiter in order to provide multi-factor authentication with Uniform Resource Locator (URL) validation to avoid illicit access to network resources by unauthorized users and to trust that network providers can maintain confidential data securely.
Conclusion
5.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FARIDEH MADANI whose telephone number is (571)272-1249. The examiner can normally be reached Monday through Friday; 9 AM to 5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JINSONG HU can be reached on 5712723965. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/FARIDEH MADANI/Examiner, Art Unit 2643                                                                                                                                                                                                        

/JINSONG HU/Supervisory Patent Examiner, Art Unit 2643