DETAILED ACTION
This action is in response to arguments filed 11/26/2021. Claims 1-23 are pending.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received. 

Response to Arguments
Applicant's arguments filed 11/26/2021 have been fully considered.
A) Applicant’s arguments with respect to the rejection(s) of claim(s) 1, 15 and 20 under 103 that Kalinichenko et al (US 9,124,582) in view of Zhu et al (US 8,209,744) does not teach “performing an authorization dialog between the platform application and the authentication device” have been fully considered and are not persuasive.
Regarding A) Kalinichenko teaches in figure 3 step 152-153 and column 7 line 51 – column 8 line 3 i.e. Using the device identifier of the mobile device 116 (I.E. claimed user authentication device), business processing server 104 (I.E. claimed platform application) generates (146) an authentication token for confirming that the user is authorized to perform the action. The authentication token includes the device identifier of the mobile device, e.g., to promote using a presence of the mobile device specified by the device identifier as secondary factor authentication information. Business processing server 104 also generates (148), in a data repository, an association among the authentication token and the user profile. Business processing server 104 receives 
Kalinichenko also teaches in column 5 lines 5-13 As described in further detail below, client device 102 (I.E. claimed user workplace application) and mobile device 116 (I.E. claimed user authentication device) are used to perform enrolled multifactor authentication. Client device 102 is a primary factor authentication device. Mobile device 116 is a secondary factor authentication device. Enrolled multifactor authentication includes a multifactor authentication process that is independent of a secondary factor authentication device generating secondary factor authentication information that a user enters into business processing server 104. In enrolled multifactor authentication, a mobile device is enrolled ahead of time with a system as a secondary factor authentication device, e.g., to promote automatic secondary factor authentication. A primary factor authentication device is an authenticated device that generates primary factor authentication information. In enrolled multifactor authentication, the secondary factor authentication device automatically submits the secondary factor authentication information to business processing server 104 (I.E. claimed platform application). Also see column 6 lines 15-41.

Zhu teaches setting up a secure connection between the platform application and a user authentication device (see Zhu figure 3B step 336 and column 6 lines 27-29 i.e. The server receives these numbers (334) and computes a session key from them (336)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have shared random numbers used by both the first device and the second device to calculate a session key that can be used to create a secure channel between the first and second device for secure communication between the two devices (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have shared random numbers that are used by both the first device and the second device to calculate a session key.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11 and 14-23 are rejected under 35 U.S.C. 103 as being unpatentable over Kalinichenko et al (US 9,124,582) in view of Zhu et al (US 8,209,744).

preparing a persistent instruction on a user workplace application that is remotely connected to the platform application (See Kalinichenko figure 2 step 130 and column 5 lines 53-61 i.e. Client device 102 is a primary factor authentication device. Client device 102 generates request 130 to perform an action, e.g., to access a resource hosted by business processing server 104. For example, request 130 includes a request to access financial account information of a user of client device 102. Request 130 includes primary factor authentication information, e.g., a user name and a password for accessing the financial account information); 
forwarding the persistent instruction to the platform application (See Kalinichenko figure 3 step 142 and column 7 lines 36-41 i.e. In operation, business processing server 104 receives (142), from a client device, a request to perform an action, e.g., request 130 (FIG. 2). The received request includes information identifying a user associated with the client device (e.g., login credentials of the user, a user name of the user, and so forth));
setting up a connection between the platform application and a user authentication device (see Kalinichenko column 6 lines 15-24 i.e. Mobile device 116 transmits information 134 to authentication server 114, e.g., via network 124 and through firewall 106. System 100 also includes network 136, which is a private network of authentication server 114 that bypasses firewall…Authentication server 114 receives information 134. Authentication server 114 detects device ID 128 in information 134. Using device ID 128, authentication server 114 identifies, in data repository 112, 
performing an authorization dialog between the platform application and the authentication device (See Kalinichenko figure 3 step 152 and column 7 line 51 – column 8 line 3 i.e. The authentication token includes the device identifier of the mobile device, e.g., to promote using a presence of the mobile device specified by the device identifier as secondary factor authentication information. Business processing server 104 also generates (148), in a data repository, an association among the authentication token and the user profile. Business processing server 104 receives (150), from an authentication server, a decrypted version of an authentication token and a device identifier of a mobile device that is in proximity to the client device. Business processing server 104 identifies (152) a match between the authentication token that is generated for the user and the decrypted version of the authentication token. Business processing server 104 also identifies (153) a match between the received device identifier and the device identifier included in the user profile); and 
executing the persistent instruction only when the authorization dialog has successfully finished (See Kalinichenko figure 3 step 154 and column 7 line 51 – column 8 line 3 i.e. The authentication token includes the device identifier of the mobile device, e.g., to promote using a presence of the mobile device specified by the device identifier as secondary factor authentication information. Business processing server 104 also generates (148), in a data repository, an association among the authentication token and the user profile. Business processing server 104 receives (150), from an In response to the identified matches, business processing server 104 performs (154) the requested action).
Kalinichenko does not teach setting up a secure connection between the platform application and a user authentication device.
Zhu teaches setting up a secure connection between the platform application and a user authentication device (see Zhu figure 3B step 336 and column 6 lines 27-29 i.e. The server receives these numbers (334) and computes a session key from them (336)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have shared random numbers used by both the first device and the second device to calculate a session key that can be used to create a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have shared random numbers that are used by both the first device and the second device to calculate a session key.
 
	With respect to claim 2, Kalinichenko teaches a method according to claim 1, but does not disclose wherein the secure connection between the platform application and the user authentication device is set up by providing a secure session between a first 
Zhu teaches wherein the secure connection between the platform application and the user authentication device is set up by providing a secure session between a first entity and a second entity, the first and second entity being the user authentication device and an application running on a platform, respectively, or vice versa, the method being performed by the first entity and comprising the steps of: 
generating a first random number (see Zhu figure 3B step 306 and column 5 lines 61-64 i.e. The server then generates a server challenge number (306). This challenge number can take several forms, two of which will be described shortly); 

applying a one-way function to the first string or to a derivative thereof, obtaining an encoded string; transmitting the encoded string to an intermediate node that is in connection to the first entity and the second entity (see Zhu column 5 lines 5-15 i.e. In one embodiment, the combination is accomplished by concatenating the numbers and then computing a cryptographic hash of the concatenation using a prescribed cryptographic hash function (e.g., SHA-256 specified in Federal Information Processing Standards Publications (FIPS PUBS) 180-2 Secure Hash Standard), which is known to the mobile phone and the server associated with the Web site of interest. The resulting combined value is designated as the secret value (208) and is transmitted to the server associated with the Web site via a secure channel (210)); 
the method further comprising the steps of: generating a second random number, deriving a second string from said second random number and transmitting the second string to the second entity if a verifying step of comparing encoded strings transmitted by the first entity and the second entity has a positive result, or receiving from the second entity a second string being derived from a second random number generated by the second entity (see Zhu figure 3B step 322-326 and column 6 lines 7-13 i.e. The mobile device receives the identifications and number (318), and then generates the aforementioned secret value ( 320), a mobile device challenge number (322) and a 
the method further comprising the step of: deriving a secret key from the first and the second string (see Zhu figure 3B step 336 and column 6 lines 27-29 i.e. The server receives these numbers (334) and computes a session key from them (336)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have shared random numbers used by both the first device and the second device to calculate a session key that can be used to create a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have shared random numbers that are used by both the first device and the second device to calculate a session key.

	
With respect to claim 3, Kalinichenko teaches a method according to claim 1, but does not disclose wherein the secure connection between the platform application and the user authentication device is set up by providing a secure session between a first entity and a second entity, the first and second entity being the user authentication device and an application running on a platform, respectively, or vice versa, the method being performed by the second entity and comprising the steps of: receiving, via an I/O interface, a first string derived from a first random number generated by the first entity; applying a one-way function to the first string or to a derivative thereof, obtaining an encoded string; transmitting the encoded string to an intermediate node that is in connection to the first and the second entity, the method further comprising the steps of: 
Zhu teaches wherein the secure connection between the platform application and the user authentication device is set up by providing a secure session between a first entity and a second entity, the first and second entity being the user authentication device and an application running on a platform, respectively, or vice versa, the method being performed by the second entity and comprising the steps of: 
receiving, via an I/O interface, a first string derived from a first random number generated by the first entity (see Zhu figure 3B step 306 and column 5 lines 61-64 i.e. The server then generates a server challenge number (306). This challenge number can take several forms, two of which will be described shortly); 
applying a one-way function to the first string or to a derivative thereof, obtaining an encoded string; transmitting the encoded string to an intermediate node that is in connection to the first and the second entity (see Zhu column 5 lines 5-15 i.e. In one embodiment, the combination is accomplished by concatenating the numbers and then computing a cryptographic hash of the concatenation using a prescribed cryptographic hash function (e.g., SHA-256 specified in Federal Information Processing Standards Publications (FIPS PUBS) 180-2 Secure Hash Standard), which is known to the mobile phone and the server associated with the Web site of interest. The resulting combined 
the method further comprising the steps of: generating a second random number, deriving a second string from said second random number and transmitting the second string to the first entity if a verifying step of comparing encoded strings transmitted by the first entity and the second entity has a positive result, or receiving from the first entity a second string being derived from a second random number generated by the first entity (see Zhu figure 3B step 322-326 and column 6 lines 7-13 i.e. The mobile device receives the identifications and number (318), and then generates the aforementioned secret value ( 320), a mobile device challenge number (322) and a representation of the secret value (324). Next, the mobile device forwards the mobile device challenge number and secret value representation to the client computer (326)),
the method further comprising the step of: deriving a secret key from the first and the second string (see Zhu figure 3B step 336 and column 6 lines 27-29 i.e. The server receives these numbers (334) and computes a session key from them (336)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have shared random numbers used by both the first device and the second device to calculate a session key that can be used to create a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have shared random numbers that are used by both the first device and the second device to calculate a session key.


Zhu teaches wherein the secure connection between the platform application and the user authentication device is set up by providing a secure session between a first entity and a second entity, the first and second entity being the user authentication device and an application running on a platform, respectively, or vice versa, the method being performed by an intermediate node that is in connection to the first and second entity, the method comprising the steps of: receiving an encoded string from the first and second entity, the encoded string being obtained by applying a one-way function to a first string or to a derivative thereof, the first string being derived from a first random number generated by the first entity; verifying whether the encoded strings received from the first and second entity are the same; if the verifying step has a positive result, 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have the server compute a server version of the combined representation using the user identification, the server identification, the server version of the secret value representation, and the password known to the server (340), and then compare the server version of the combined representation to the combined representation received from the client computer (342) to determine whether the password and secret value known to the server were used to generate the combined representation received from the client computer (see Zhu column 6 lines 23-47). Therefore one would have been motivated to compare the server version of the combined representation to the combined representation received from the client computer (342) and determine whether the password and secret value known to the server were used to generate the combined representation received from the client computer.
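The secure-session set-up recited in claims 2, 3 and 4 (first entity, second entity and intermediate node respectively) is one protocol seen from three sides: a short first string is derived from a random number and carried by the user from one entity to the other, both entities hash it and send the hash to an intermediate node, the node compares the two hashes, and only on a match is a second random string exchanged and a key derived from both strings. The following is an added illustration written for this page; it is not code from the office action, from Kalinichenko or from Zhu, and the string length, the label and the HMAC-based key derivation are assumptions of the example, not features of either reference.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical parameters; assumptions of this example, not values from
# the office action, Kalinichenko or Zhu.
STRING_DIGITS = 8            # user-typed first string derived from the first random number
SECOND_STRING_BYTES = 32     # second string is full-entropy and never typed by a user
KEY_LABEL = b"session-key-v1"


def derive_first_string(first_random: int, digits: int = STRING_DIGITS) -> str:
    """First string: a short decimal code read off the first entity and typed
    into the second entity via its I/O interface (claims 2, 3, 16, 17)."""
    return f"{first_random % 10 ** digits:0{digits}d}"


def encode_string(first_string: str) -> bytes:
    """One-way function over the first string: SHA-256 (claim 7 hashes it)."""
    return hashlib.sha256(first_string.encode()).digest()


class IntermediateNode:
    """Claim 4: receives an encoded string from each entity and verifies they match."""

    def __init__(self) -> None:
        self._received: Dict[str, bytes] = {}

    def receive(self, entity: str, encoded: bytes) -> None:
        self._received[entity] = encoded

    def verify(self) -> bool:
        a = self._received.get("first")
        b = self._received.get("second")
        if a is None or b is None:
            return False
        return hmac.compare_digest(a, b)   # constant-time comparison


def derive_secret_key(first_string: str, second_string: bytes) -> bytes:
    """Secret key from the first and second string (HKDF-style extract:
    the high-entropy second string keys an HMAC over the label and first string)."""
    return hmac.new(second_string, KEY_LABEL + first_string.encode(), hashlib.sha256).digest()


def run_session(first_random: int, typed_string: str,
                second_string: Optional[bytes] = None
                ) -> Tuple[bool, Optional[bytes], Optional[bytes]]:
    """Simulate the whole exchange.

    first_random  : random number generated by the first entity
    typed_string  : what the user actually enters into the second entity
    second_string : second random string (generated here if not supplied)

    Returns (accepted, key_at_first_entity, key_at_second_entity).
    """
    node = IntermediateNode()
    shown = derive_first_string(first_random)            # displayed to the user
    node.receive("first", encode_string(shown))          # first entity -> node
    node.receive("second", encode_string(typed_string))  # second entity -> node
    if not node.verify():
        return False, None, None                         # mismatch: no second string, no key
    if second_string is None:
        second_string = secrets.token_bytes(SECOND_STRING_BYTES)
    # The second string is sent to the other entity; claim 8 sends it encrypted.
    key_first = derive_secret_key(shown, second_string)
    key_second = derive_secret_key(typed_string, second_string)
    return True, key_first, key_second


if __name__ == "__main__":
    r1 = secrets.randbelow(10 ** STRING_DIGITS)
    ok, k1, k2 = run_session(r1, derive_first_string(r1))
    print("correct entry accepted:", ok, "keys match:", k1 == k2)
    ok, _, _ = run_session(r1, "00000000")
    print("mistyped entry accepted:", ok)
```

Two points a practitioner would check against this shape of protocol. First, an 8-digit typed string has only about 27 bits of entropy, so anyone who sees the encoded string on the way to the node can recover the first string by enumeration; the derived key therefore rests on the second string being high-entropy and delivered confidentially, which is why the encrypted transmission of claim 8 matters. Second, the node only learns whether the two hashes agree, never the strings or the key, so a compromised node can deny a session but cannot read it.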

With respect to claim 5, Kalinichenko teaches a method according to claim 1, wherein the platform application is a user workplace application, a cloud application, an authentication provider application, or a transaction system application (see Kalinichenko column 3 lines 33-44 i.e. Business processing server 104). 


Zhu teaches wherein the first string is first random number or a random message produced from said first random number (see Zhu column 5 lines 1-15 i.e. The procedure continues with action 206 by combining the hidden number R.sub.m, the mobile device's hardware identification number, optionally the SIM card identification number, and finally a unique number identifying the secure Web site of interest (e.g., the Web site's URL).  In one embodiment, the combination is accomplished by concatenating the numbers and then computing a cryptographic hash of the concatenation using a prescribed cryptographic hash function (e.g., SHA-256 specified in Federal Information Processing Standards Publications (FIPS PUBS) 180-2 Secure Hash Standard), which is known to the mobile phone and the server associated with the Web site of interest. The resulting combined value is designated as the secret value (208) and is transmitted to the server associated with the Web site via a secure channel (210)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have the server compute a server version of the combined representation using the user identification, the server identification, the server version of the secret value representation, and the password known to the server (340). The server then compares the server version of the combined representation to the combined representation received from the client computer (342) and determines if the password and secret 

With respect to claim 7, Kalinichenko teaches a method according to claim 2, but does not disclose wherein, in the step of applying a one-way function, the derivative of the first string is obtained by performing a hash function to the first string.
Zhu teaches wherein, in the step of applying a one-way function, the derivative of the first string is obtained by performing a hash function to the first string (see Zhu column 5 lines 5-15 i.e. In one embodiment, the combination is accomplished by concatenating the numbers and then computing a cryptographic hash of the concatenation using a prescribed cryptographic hash function (e.g., SHA-256 specified in Federal Information Processing Standards Publications (FIPS PUBS) 180-2 Secure Hash Standard), which is known to the mobile phone and the server associated with the Web site of interest. The resulting combined value is designated as the secret value (208) and is transmitted to the server associated with the Web site via a secure channel (210)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have the server compute a server version of the combined representation using the user identification, the server identification, the server version of the secret value representation, and the password known to the server (340). The server then compares 

With respect to claim 8, Kalinichenko teaches a method according to claim 2, wherein the second string is transmitted in an encrypted manner (see Kalinichenko column 6 lines 15-24 i.e. Mobile device 116 transmits information 134 to authentication server 114, e.g., via network 124 and through firewall 106. System 100 also includes network 136, which is a private network of authentication server 114 that bypasses firewall…Authentication server 114 receives information 134. Authentication server 114 detects device ID 128 in information 134. Using device ID 128, authentication server 114 identifies, in data repository 112, association 129 among device ID 128 and key 127. Based on association 129, authentication server 114 determines that key 127 is used in decrypting information associated with device ID 128). 

With respect to claim 9, Kalinichenko teaches a method according to claim 2, wherein the intermediate node is an authentication provider securely connected to the user authentication device (see Kalinichenko column 6 lines 15-24 i.e. Mobile device 

With respect to claim 10, Kalinichenko teaches a method according to claim 1, wherein the secure session is used to support secure one-way or two-way data transfer, such as transfer of a message, a decryption and/or encryption key, or an authorization dialog (see Kalinichenko column 6 lines 15-24 i.e. Mobile device 116 transmits information 134 to authentication server 114, e.g., via network 124 and through firewall 106. System 100 also includes network 136, which is a private network of authentication server 114 that bypasses firewall. Examples of network 136 include a LAN and a WAN). 

With respect to claim 11, Kalinichenko teaches a method according to claim 1, wherein the authorization dialog includes the steps of: transmitting a code, from the platform application to the user authentication device for entering the code into the user workplace application; transmitting the code from the user workplace application to the platform application; and verifying whether the code received by the transaction system application is the same as the code transmitted by said platform application (see 

With respect to claim 14, Kalinichenko teaches a method according to claim 1, wherein the user authentication device includes a cellular phone, PDA, smart card, token or electronic key (see Kalinichenko figure 2 element 116 and column 7 line 51- column 8 line 3 i.e. mobile device 116). 

With respect to claim 15. A computer system that is remotely connected to a user workplace application and that has a secure connection with a user authentication 
receive a persistent instruction prepared on the user workplace (see Kalinichenko figure 3 step 142 and column 7 lines 36-41 i.e. In operation, business processing server 104 receives (142), from a client device, a request to perform an action, e.g., request 130 (FIG. 2). The received request includes information identifying a user associated with the client device (e.g., login credentials of the user, a user name of the user, and so forth));
setting up a connection between the platform application and a user authentication device (see Kalinichenko column 6 lines 15-24 i.e. Mobile device 116 transmits information 134 to authentication server 114, e.g., via network 124 and through firewall 106. System 100 also includes network 136, which is a private network of authentication server 114 that bypasses firewall…Authentication server 114 receives information 134. Authentication server 114 detects device ID 128 in information 134. Using device ID 128, authentication server 114 identifies, in data repository 112, association 129 among device ID 128 and key 127. Based on association 129, authentication server 114 determines that key 127 is used in decrypting information associated with device ID 128);
perform an authorization dialog with the user authentication device, via the secure connection (See Kalinichenko figure 3 step 154 and column 7 line 51 – column 8 line 3 i.e. The authentication token includes the device identifier of the mobile device, e.g., to promote using a presence of the mobile device specified by the device identifier as secondary factor authentication information. Business processing server 104 also 
executing the persistent instruction only when the authorization dialog has successfully finished (see Kalinichenko figure 3 step 154 and column 7 line 51 – column 8 line 3 i.e. The authentication token includes the device identifier of the mobile device, e.g., to promote using a presence of the mobile device specified by the device identifier as secondary factor authentication information. Business processing server 104 also generates (148), in a data repository, an association among the authentication token and the user profile. Business processing server 104 receives (150), from an authentication server, a decrypted version of an authentication token and a device identifier of a mobile device that is in proximity to the client device. Business processing server 104 identifies (152) a match between the authentication token that is generated for the user and the decrypted version of the authentication token. Business processing server 104 also identifies (153) a match between the received device identifier and the device identifier included in the user profile. In response to the identified matches, business processing server 104 performs (154) the requested action).

Zhu teaches setting up a secure connection between the platform application and a user authentication device (see Zhu figure 3B step 336 and column 6 lines 27-29 i.e. The server receives these numbers (334) and computes a session key from them (336)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have shared random numbers used by both the first device and the second device to calculate a session key that can be used to create a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have shared random numbers that are used by both the first device and the second device to calculate a session key.

With respect to claim 16, Kalinichenko teaches a computer system according to claim 15, but does not disclose being a first entity arranged for setting up a secure session with the user authentication device being a second entity, the first entity comprising: 
a first random generator for generating a first random number generating a first random number; an I/O interface for exporting a first string derived from said first random number, to a user for entering the first string into the second entity; a processor and a memory storing computer-readable instructions that when executed by the processor cause the processor to apply a one-way function to the first string or to a derivative thereof and obtain an encoded string; a transmitting unit for transmitting the 
Zhu teaches a first entity arranged for setting up a secure session with the user authentication device being a second entity, the first entity comprising: 
a first random generator for generating a first random number generating a first random number (see Zhu figure 3B step 306 and column 5 lines 61-64 i.e. The server then generates a server challenge number (306). This challenge number can take several forms, two of which will be described shortly); 
an I/O interface for exporting a first string derived from said first random number, to a user for entering the first string into the second entity (see Zhu figure 3A step 318 and column 6 line 7-10 i.e. The mobile device receives the identifications and number (318), and then generates the aforementioned secret value (320) and Kalinichenko column 4 lines 16-25); 
a processor and a memory storing computer-readable instructions that when executed by the processor cause the processor to apply a one-way function to the first string or to a derivative thereof and obtain an encoded string; a transmitting unit for 
the first entity further comprising: a second random generator for generating a second random number, wherein the processor is further arranged for deriving a second string from said second random number and for transmitting the second string to the second entity if a verifying step of comparing encoded strings transmitted by the first entity and the second entity has a positive result, or a receiver unit for receiving from the second entity a second string being derived from a second random number generated by the second entity (see Zhu figure 3B step 322-326 and column 6 lines 7-13 i.e. The mobile device receives the identifications and number (318), and then generates the aforementioned secret value ( 320), a mobile device challenge number (322) and a representation of the secret value (324). Next, the mobile device forwards the mobile device challenge number and secret value representation to the client computer (326)), and 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu to have shared random numbers used by both the first device and the second device to calculate a session key that can be used to create a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have shared random numbers that are used by both the first device and the second device to calculate a session key.

With respect to claim 17, Kalinichenko teaches a computer system being a second entity arranged for setting up a secure session with a platform application according to claim 15, but does not disclose the second entity comprising: 
an I/O interface for receiving a first string derived from a first random number generated by a first entity; a processor and a memory storing computer-readable instructions that when executed by the processor cause the processor to apply a one-way function to the first string or to a derivative thereof and obtain an encoded string; a transmitting unit for transmitting the encoded string to an intermediate node that is in connection to a first and the second entity; 
the second entity further comprising: a second random generator for generating a second random number, wherein the processor is arranged for deriving a second string from said second random number and for transmitting the second string to the first 
Zhu teaches the second entity comprising: an I/O interface for receiving a first string derived from a first random number generated by a first entity (see Zhu figure 3A step 318 and column 6 line 7-10 i.e. The mobile device receives the identifications and number (318), and then generates the aforementioned secret value (320) and Kalinichenko column 4 lines 16-25); 
a processor and a memory storing computer-readable instructions that when executed by the processor cause the processor to apply a one-way function to the first string or to a derivative thereof and obtain an encoded string; a transmitting unit for transmitting the encoded string to an intermediate node that is in connection to a first and the second entity (see Zhu column 5 lines 5-15 i.e. In one embodiment, the combination is accomplished by concatenating the numbers and then computing a cryptographic hash of the concatenation using a prescribed cryptographic hash function (e.g., SHA-256 specified in Federal Information Processing Standards Publications (FIPS PUBS) 180-2 Secure Hash Standard), which is known to the mobile phone and the server associated with the Web site of interest. The resulting combined value is designated as the secret value (208) and is transmitted to the server associated with the Web site via a secure channel (210)); 

wherein the processor is further configured to derive a secret key from the first and the second string (see Zhu figure 3B step 336 and column 6 lines 27-29 i.e. The server receives these numbers (334) and computes a session key from them (336)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu so that random numbers shared by both the first device and the second device are used to calculate a session key, which in turn creates a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have both devices use the shared random numbers to calculate a session key.


Zhu teaches wherein the secure connection between the platform application and the user authentication device is set up by providing a secure session between a first entity and a second entity, the first and second entity being the user authentication device and an application running on a platform, respectively, or vice versa, the method being performed by an intermediate node that is in connection to the first and second entity, the method comprising the steps of: receiving an encoded string from the first and second entity, the encoded string being obtained by applying a one-way function to a first string or to a derivative thereof, the first string being derived from a first random number generated by the first entity; verifying whether the encoded strings received from the first and second entity are the same; if the verifying step has a positive result, 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu so that the server computes a server version of the combined representation using the user identification, the server identification, the server version of the secret value representation, and the password known to the server (340), then compares the server version of the combined representation to the combined representation received from the client computer (342) and determines if the password and secret value known to the server were used to generate the combined representation received from the client computer (see Zhu column 6 lines 23-47). Therefore one would have been motivated to compare the server version of the combined representation to the combined representation received from the client computer (342) and determine whether the password and secret value known to the server were used to generate the combined representation received from the client computer.

With respect to claim 19. A network, comprising a computer system according to claim 15, an authentication device, and an intermediate node (see Kalinichenko figure 2 element 116 element 102 and column 3 lines 19-23 i.e. the system 100 includes a client device 102, a mobile device 116, a business processing server 104, data repositories 110, 112, an authentication server 114, and a firewall 106 coupled via a network). 


preparing a persistent instruction on a user workplace application that is remotely connected to the platform application (See Kalinichenko figure 2 step 130 and column 5 lines 53-61 i.e. Client device 102 is a primary factor authentication device. Client device 102 generates request 130 to perform an action, e.g., to access a resource hosted by business processing server 104. For example, request 130 includes a request to access financial account information of a user of client device 102. Request 130 includes primary factor authentication information, e.g., a user name and a password for accessing the financial account information); 
forwarding the persistent instruction to the platform application (See Kalinichenko figure 3 step 142 and column 7 lines 36-41 i.e. In operation, business processing server 104 receives (142), from a client device, a request to perform an action, e.g., request 130 (FIG. 2). The received request includes information identifying a user associated with the client device (e.g., login credentials of the user, a user name of the user, and so forth))
setting up a connection between the platform application and a user authentication device that the authentication device is different from the user workplace application (see Kalinichenko column 6 lines 15-24 i.e. Mobile device 116 transmits information 134 to authentication server 114, e.g., via network 124 and through firewall 106. System 100 also includes network 136, which is a private network of authentication 
performing an authorization dialog between the platform application and the authentication device (See Kalinichenko figure 3 step 154 and column 7 line 51 – column 8 line 3 i.e. The authentication token includes the device identifier of the mobile device, e.g., to promote using a presence of the mobile device specified by the device identifier as secondary factor authentication information. Business processing server 104 also generates (148), in a data repository, an association among the authentication token and the user profile. Business processing server 104 receives (150), from an authentication server, a decrypted version of an authentication token and a device identifier of a mobile device that is in proximity to the client device. Business processing server 104 identifies (152) a match between the authentication token that is generated for the user and the decrypted version of the authentication token. Business processing server 104 also identifies (153) a match between the received device identifier and the device identifier included in the user profile); and 
executing the persistent instruction only when the authorization dialog has successfully finished (See Kalinichenko figure 3 step 154 and column 7 line 51 – column 8 line 3 i.e. In response to the identified matches, business processing server 104 performs (154) the requested action).
Kalinichenko does not teach setting up a secure connection between the platform application and a user authentication device 
Zhu teaches setting up a secure connection between the platform application and a user authentication device (see Zhu figure 3B step 336 and column 6 lines 27-29 i.e. The server receives these numbers (334) and computes a session key from them (336)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu so that random numbers shared by both the first device and the second device are used to calculate a session key, which in turn creates a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have both devices use the shared random numbers to calculate a session key.


generating a first random number; exporting a first string derived from said first random number, to a user for entering the first string into a second entity; applying a one-way function to the first string or to a derivative thereof, obtaining an encoded string; transmitting the encoded string to an intermediate node that is in connection to a first entity and the second entity, 
further comprising the steps of: generating a second random number, deriving a second string from said second random number and transmitting the second string to the second entity if a verifying step of comparing encoded strings transmitted by the first entity and the second entity has a positive result, or receiving from the second entity a second string being derived from a second random number generated by the second entity, and further comprising the step of: deriving a secret key from the first and the second string. 
Zhu teaches wherein the secure session between the platform application and the authentication device is set up by performing the steps of: 
generating a first random number (see Zhu figure 3B step 306 and column 5 lines 61-64 i.e. The server then generates a server challenge number (306). This challenge number can take several forms, two of which will be described shortly); 
exporting a first string derived from said first random number, to a user for entering the first string into the second entity (see Zhu figure 3A step 318 and column 6 
applying a one-way function to the first string or to a derivative thereof, obtaining an encoded string; transmitting the encoded string to an intermediate node that is in connection to the first entity and the second entity (see Zhu column 5 lines 5-15 i.e. In one embodiment, the combination is accomplished by concatenating the numbers and then computing a cryptographic hash of the concatenation using a prescribed cryptographic hash function (e.g., SHA-256 specified in Federal Information Processing Standards Publications (FIPS PUBS) 180-2 Secure Hash Standard), which is known to the mobile phone and the server associated with the Web site of interest. The resulting combined value is designated as the secret value (208) and is transmitted to the server associated with the Web site via a secure channel (210)); 
further comprising the steps of: generating a second random number, deriving a second string from said second random number and transmitting the second string to the second entity if a verifying step of comparing encoded strings transmitted by the first entity and the second entity has a positive result, or receiving from the second entity a second string being derived from a second random number generated by the second entity (see Zhu figure 3B step 322-326 and column 6 lines 7-13 i.e. The mobile device receives the identifications and number (318), and then generates the aforementioned secret value ( 320), a mobile device challenge number (322) and a representation of the secret value (324). Next, the mobile device forwards the mobile device challenge number and secret value representation to the client computer (326)), and 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu so that random numbers shared by both the first device and the second device are used to calculate a session key, which in turn creates a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have both devices use the shared random numbers to calculate a session key.

With respect to claim 22. A non-transitory computer-readable medium according to claim 20, wherein the secure session between the platform application and the authentication device is set up by performing the steps of: 
receiving, via an I/O interface, a first string derived from a first random number generated by a first entity; applying a one-way function to the first string or to a derivative thereof, obtaining an encoded string; transmitting the encoded string to an intermediate node that is in connection to the first and a second entity; 
further comprising the steps of: generating a second random number, deriving a second string from said second random number and transmitting the second string to the first entity if a verifying step of comparing encoded strings transmitted by the first entity and the second entity has a positive result, or receiving from the first entity a second string being derived from a second random number generated by the first entity, 
Zhu teaches wherein the secure session between the platform application and the authentication device is set up by performing the steps of: 
receiving, via an I/O interface, a first string derived from a first random number generated by the first entity (see Zhu figure 3B step 306 and column 5 lines 61-64 i.e. The server then generates a server challenge number (306). This challenge number can take several forms, two of which will be described shortly); 
applying a one-way function to the first string or to a derivative thereof, obtaining an encoded string; transmitting the encoded string to an intermediate node that is in connection to the first and the second entity (see Zhu column 5 lines 5-15 i.e. In one embodiment, the combination is accomplished by concatenating the numbers and then computing a cryptographic hash of the concatenation using a prescribed cryptographic hash function (e.g., SHA-256 specified in Federal Information Processing Standards Publications (FIPS PUBS) 180-2 Secure Hash Standard), which is known to the mobile phone and the server associated with the Web site of interest. The resulting combined value is designated as the secret value (208) and is transmitted to the server associated with the Web site via a secure channel (210)); 
further comprising the steps of: generating a second random number, deriving a second string from said second random number and transmitting the second string to the first entity if a verifying step of comparing encoded strings transmitted by the first entity and the second entity has a positive result, or receiving from the first entity a second string being derived from a second random number generated by the first entity 
further comprising the step of: deriving a secret key from the first and the second string (see Zhu figure 3B step 336 and column 6 lines 27-29 i.e. The server receives these numbers (334) and computes a session key from them (336)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu so that random numbers shared by both the first device and the second device are used to calculate a session key, which in turn creates a secure channel between the first and second device (see Zhu column 8 lines 37-47). Therefore one would have been motivated to have both devices use the shared random numbers to calculate a session key.

With respect to claim 23 Kalinichenko teaches a non-transitory computer-readable medium according to claim 20, but does not disclose wherein the secure session between the platform application and the authentication device is set up by performing the steps of: receiving an encoded string from a first and second entity, the encoded string being obtained by applying a one-way function to a first string or to a derivative thereof, the first string being derived from a first random number generated by the first entity; verifying whether the encoded strings received from the first and second 
Zhu teaches wherein the secure session between the platform application and the authentication device is set up by performing the steps of: receiving an encoded string from a first and second entity, the encoded string being obtained by applying a one-way function to a first string or to a derivative thereof, the first string being derived from a first random number generated by the first entity; verifying whether the encoded strings received from the first and second entity are the same; if the verifying step has a positive result, authorizing the first and second entity to share a second string being derived from a second random number generated by the first or second entity, respectively (see Zhu column 6 lines 23-47).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kalinichenko in view of Zhu so that the server computes a server version of the combined representation using the user identification, the server identification, the server version of the secret value representation, and the password known to the server (340), then compares the server version of the combined representation to the combined representation received from the client computer (342) and determines if the password and secret value known to the server were used to generate the combined representation received from the client computer (see Zhu column 6 lines 23-47). Therefore one would have been motivated to compare the server version of the combined representation to the combined representation received from the client computer (342) and determine whether the password and secret value known to the server were used to generate the combined representation received from the client computer.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Kalinichenko et al (US 9,124,582) in view of Zhu et al (US 8,209,744) in view of Metzger (US 2013/0318588).
With respect to claim 12 Kalinichenko does not teach a method according to claim 2, wherein the step of transmitting the second string is implemented by exporting the second string to a user, via an I/O interface of one entity, for manually entering the second string into an I/O interface of the other entity. Metzger teaches wherein the step of transmitting the second string is implemented by exporting the second string to a user, via an I/O interface of one entity, for manually entering the second string into an I/O interface of the other entity (see Metzger paragraph 0013 and 0053-0054). 
It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have the user manually enter the exported second string into an I/O interface of the other entity as a way to authenticate the device (see Metzger paragraph 0053-0054). Therefore one would have been motivated to have the second string manually entered into an I/O interface of the other entity.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Kalinichenko et al (US 9,124,582) in view of Zhu et al (US 8,209,744) in view of Maidl et al (US 2014/0208409).


Prior Art
	Vanczak (US 2016/0189147) titled “Method And System For Authenticating A User” teaches that utilizing smart mobile devices in the manner specified by the invention reduces the costs of existing two-factor authentication methods (SMS, token). Applying the method and system according to the invention alleviates the distrust of users towards online banking and significantly decreases financial losses resulting from fraud.
	Hon et al (US 2016/0269181) titled “Method And Device For Information System Access Authentication” teaches a two-stage and two-factor authentication method such that the security of the login information is improved without increasing the complexity of the user's login.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  
/DEVIN E ALMEIDA/Examiner, Art Unit 2492                                                                                                                                                                                                        

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492