DETAILED ACTION
This action is in response to the application filed on September 16, 2020. Claims 1-20 are pending. Of such, claims 1-8 represent a system, claim 9-15 represents a method, claims 16-20 represent a computer readable medium directed validating software agents in robotic process automation systems.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-13, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Dunjic et al (US Patent Application Publication 2021/0036854), hereinafter referred to as Dunjic, in view of Williams et al (US Patent Application Publication 2008/0214300), hereinafter referred to as Williams.
Regarding Claim 1, Dunjic discloses:
A system comprising: at least one processor programmed(In ¶ 3, Dunjic discloses “an apparatus includes a communications interface, a memory storing instructions, and at least one processor coupled to the communications interface and the memory”)  or configured to: provision a client device for access to an online source of information (In ¶ 5, Dunjic discloses “The at least one processor is configured to execute the instructions to receive, via the communications interface, a request for an element of data from a device. The request is generated by an application program executed at the device”) ; receive a first hash value from the software agent of the client device, wherein the first hash value is generated using the private encryption key (In ¶ 5, Dunjic discloses “the request includes a first consent hash value”, Dunjic further discloses in ¶ 63 “executed consent management module 266 also apply a digital signature 286 to all or a portion of attestation data 284 using any appropriate digital signature algorithm in conjunction with private cryptographic key of computing system”); receive a second hash value from the software agent of the client device (In ¶ 5, Dunjic discloses “The at least one processor is further configured to obtain a consent document associated with the application program and a second consent hash value representative of the consent document”); determine whether to allow access to the online source of information by the software agent based on the first hash value and the second hash value received from the software agent of the client device (In ¶ 5, Dunjic discloses “determine that the first consent hash value corresponds to the second consent hash value, and determine that requested data element is accessible to the application program based on the consent document”); process a request to access the online source of information involving the software agent of the client device, wherein, when processing the request to access the online source of information, the at least one processor is programmed or configured to (In ¶ 122, Dunjic discloses “Based on the verified integrity of current consent data 424 (and additionally, or alternatively, the verified integrity of consent documents 268 and 418), executed verification module 430 may provide current consent data 424 as an input to a local consent management module 432 of executed mobile banking application 110”): allow the software agent to conduct a data transaction involving the online source of information based on determining to allow access to the online source of information by the software agent of the client device (In ¶ 127, Dunjic discloses “which indicates that user 101 grants third-party application 114 access to at least a portion of the confidential account and transaction data maintained at computing system 130”); and store a data record associated with the data transaction involving the online source of information in a data structure (In ¶ 3, Dunjic discloses “The permissioning data includes information that instructs the executed application program to store the consent hash value within a local memory of the device and to associate the consent hash value with an access token of the executed application program.”).
Dunjic does not explicitly teach the limitation of sending a private key to a software agent. 
However, Williams discloses the following limitation:
Transmit a private encryption key of a public/private encryption key pair to a software agent of the client device (In ¶ 56, Williams discloses “, the authorization device 103 may compare the hash value received from the target device 101 with the reference hash value it computed after embedding and encryption operations in 123. In 126, when the hashes match, the authorization device 103 may transmit the decryption key (comparable to a private key in PKI methods) to the target device 101 via the secure channel”).
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize William’s approach of sending a private key to the software agent rather than the software agent utilizing their own private key as the motivation would be to further protect the secure communications over the channel. (see Williams ¶ 55).
Regarding Claim 2, the combination of Dunjic and Williams disclose:
 (In ¶ 113, Dunjic discloses “consent documents 268 and 418 may, for respective ones of third-party applications 112 and 114, identify a selective grant of access to specific types or classes of confidential data maintained within confidential data store 136, such as, but not limited to, customer data, account data, or transaction data maintained on behalf of user 101 by computing system 130”): store the data record associated with the data transaction involving the online source of information in a distributed ledger  (In ¶ 32, Dunjic discloses “distributed ledger 186 may include ledger blocks, such as consent ledger blocks 188, that record OAuth tokens, consent documents, and additionally, or alternatively, hash values representative of the consent documents for one or more third-party applications provisioned to computing devices and systems operating within environment 100, such as, but not limited to, third-party application 112 provisioned to client device 102”).
Regarding Claim 3, the combination of Dunjic and Williams disclose:
The system of claim 1, wherein the at least one processor is further programmed or configured to (In ¶ 3, Dunjic discloses “an apparatus includes a communications interface, a memory storing instructions, and at least one processor coupled to the communications interface and the memory”): store the first hash value with an identifier of the software agent of the client device in the data structure (In ¶ 3, Dunjic discloses “The permissioning data includes information that instructs the executed application program to store the consent hash value within a local memory of the device and to associate the consent hash value with an access token of the executed application program.”); and wherein, when determining whether to allow access to the online source of information by the software agent of the client device, the at least one processor is programmed or configured to: retrieve the first hash value  (In ¶ 118, Dunjic discloses “Although not illustrated in FIG. 4A, executed consent management module 266 may also extract, from consent data store 138, consent hash values 270 and 420 associated with respective ones of third-party applications ”); compare the second hash value received from the software agent to the first hash value retrieved from the data structure (In ¶ 121, Dunjic discloses “executed verification module 430 may perform additional operations that verify an integrity of each of consent documents 268 and 418 by computing corresponding local hash values (e.g., through an appropriate one of the exemplary hash functions described herein to consent documents 268 and 418) and by comparing the local hash values against respective ones of consent hash values 270 and 420”); and determine to allow access to the online source of information by the software agent of the client device based on determining that the second hash value received from the software agent corresponds to the first hash value retrieved from the data structure (In ¶ 5, Dunjic discloses “determine that the first consent hash value corresponds to the second consent hash value, and determine that requested data element is accessible to the application program based on the consent document”).
Regarding Claim 4, the combination of Dunjic and Williams disclose:
The system of claim 1, wherein, when receiving the second hash value from the software agent of the client device, the at least one processor is programmed or configured to: receive the request to access the online source of information from the software agent, wherein the request to access the online source of information includes the second hash value and data associated with the software agent of the client device (In ¶ 5, Dunjic discloses “the request includes a first consent hash value”, Dunjic further discloses in ¶ 63 “executed consent management module 266 also apply a digital signature 286 to all or a portion of attestation data 284 using any appropriate digital signature algorithm in conjunction with private cryptographic key of computing system”).
Regarding Claim 5, the combination of Dunjic and Williams disclose:
The system of claim 4, wherein, when determining whether to allow access to the online source of information by the software agent of the client device, the at least one processor is programmed or configured to: determine whether to allow access to the online source of information by the software agent of the client device based on the first hash value, the second hash value and data associated with the software agent of the client device included in the request to access the online source of information (In ¶ 5, Dunjic discloses “determine that the first consent hash value corresponds to the second consent hash value, and determine that requested data element is accessible to the application program based on the consent document”); and 4VK6576Page 41 of 49Attorney Docket No. 8223-2003773 (4612US01) wherein, when processing the request to access the online source of information involving the software agent of the client device, the at least one processor is programmed or configured to: allow the software agent to conduct the data transaction involving a specific type of data included in the online source of information based on the data associated with the software agent of the client device (In ¶ 112, Dunjic discloses “Based on the verified integrity of current consent data 424 (and additionally, or alternatively, the verified integrity of consent documents 268 and 418), executed verification module 430 may provide current consent data 424 as an input to a local consent management module 432 of executed mobile banking application 110.”).
Regarding Claim 6, the combination of Dunjic and Williams disclose:
The system of claim 1, wherein, when receiving the second hash value from the software agent of the client device, the at least one processor is programmed or configured to: receive the request to access sensitive data included in the online source of information from  (In ¶ 28, Dunjic discloses “a consent document that, among other things, includes data identifying one or more accessible types, classes, or elements of confidential data maintained at computing system 130, and data identifying one or more permissible operations on the accessible types, classes, or elements of confidential data”).
Regarding Claim 8, the combination of Dunjic and Williams disclose:
Wherein the at least one processor is further programmed or configured to:  receive an initialization access request from the client device, wherein the initialization access request is a request for authorization to access the online source of information by the software agent of the client device (In ¶ 5, Dunjic discloses “The request is generated by an application program executed at the device, and the request includes a first consent hash value.”).
Dunjic does not explicitly teach the limitation of sending a private key to a software agent. 
However, Williams discloses the following limitation:
Wherein, when transmitting the private encryption key of the public/private encryption key pair to the software agent of the client device, the at least one processor is programmed or configured to: transmit the private encryption key of the public/private encryption key pair to the software agent of the client device based on receiving the initialization access request from the client device  (In ¶ 56, Williams discloses “In 125, the authorization device 103 may compare the hash value received from the target device 101 with the reference hash value it computed after embedding and encryption operations in 123. In 126, when the hashes match, the authorization device 103 may transmit the decryption key (comparable to a private key in PKI methods) to the target device 101 via the secure channel”).
(see Williams ¶ 55).
Regarding Claim 9, Dunjic discloses:
A computer-implemented method, comprising: provisioning, with at least one processor, a client device for access to an online source of information (In ¶ 4, Dunjic discloses “In other examples, a computer-implemented method, includes obtaining, using at least one processor, consent data that identifies one or more elements of data accessible to an application program executed by a device, and using the at least one processor”); receiving, with at least one processor, a first hash value from the software agent of the client device, wherein the first hash value is generated using the private encryption key (In ¶ 5, Dunjic discloses “the request includes a first consent hash value”, Dunjic further discloses in ¶ 63 “executed consent management module 266 also apply a digital signature 286 to all or a portion of attestation data 284 using any appropriate digital signature algorithm in conjunction with private cryptographic key of computing system”); receiving, with at least one processor, a second hash value from the software agent of the client device (In ¶ 5, Dunjic discloses “The at least one processor is further configured to obtain a consent document associated with the application program and a second consent hash value representative of the consent document”); determining, with at least one processor, to allow access to the online source of information by the software agent based on the first hash value and the second hash value received from the software agent of the client device (In ¶ 5, Dunjic discloses “determine that the first consent hash value corresponds to the second consent hash value, and determine that requested data element is accessible to the application program based on the consent document”); processing, with at least one processor, a request to access the online source  (In ¶ 122, Dunjic discloses “Based on the verified integrity of current consent data 424 (and additionally, or alternatively, the verified integrity of consent documents 268 and 418), executed verification module 430 may provide current consent data 424 as an input to a local consent management module 432 of executed mobile banking application 110.”) allowing the software agent to conduct a data transaction involving the online source of information based on determining to allow access to the online source of information by the software agent of the client device (In ¶ 127, Dunjic discloses “which indicates that user 101 grants third-party application 114 access to at least a portion of the confidential account and transaction data maintained at computing system 130”); and storing, with at least one processor, a data record associated with the data transaction involving the online source of information in a data structure (In ¶ 3, Dunjic discloses “The permissioning data includes information that instructs the executed application program to store the consent hash value within a local memory of the device and to associate the consent hash value with an access token of the executed application program.”).
Dunjic does not explicitly teach the limitation of sending a private key to a software agent. 
However, Williams discloses the following limitation:
Transmitting, with at least one processor, a private encryption key of a public/private encryption key pair to a software agent of the client device (In ¶ 56, Williams discloses “the authorization device 103 may compare the hash value received from the target device 101 with the reference hash value it computed after embedding and encryption operations in 123. In 126, when the hashes match, the authorization device 103 may transmit the decryption key (comparable to a private key in PKI methods) to the target device 101 via the secure channel”).
(see Williams ¶ 55).
Regarding Claim 10, the combination of Dunjic and Williams disclose:
The method of claim 9, wherein storing the data record associated with the data transaction involving the online source of information in the data structure comprises  (In ¶ 3, Dunjic discloses “The permissioning data includes information that instructs the executed application program to store the consent hash value within a local memory of the device and to associate the consent hash value with an access token of the executed application program.”): storing the data record associated with the data transaction involving the online source of information in a distributed ledger  (In ¶ 32, Dunjic discloses “distributed ledger 186 may include ledger blocks, such as consent ledger blocks 188, that record OAuth tokens, consent documents, and additionally, or alternatively, hash values representative of the consent documents for one or more third-party applications provisioned to computing devices and systems operating within environment 100, such as, but not limited to, third-party application 112 provisioned to client device 102”).
Regarding Claim 11, the combination of Dunjic and Williams disclose:
The method of claim 9, further comprising: storing the first hash value with an identifier of the software agent of the client device in a data structure (In ¶ 3, Dunjic discloses “The permissioning data includes information that instructs the executed application program to store the consent hash value within a local memory of the device and to associate the consent hash value with an access token of the executed application program”), wherein determining  (In ¶ 118, Dunjic discloses “Although not illustrated in FIG. 4A, executed consent management module 266 may also extract, from consent data store 138, consent hash values 270 and 420 associated with respective ones of third-party applications 1”); comparing the second hash value received from the software agent to the first hash value retrieved from the data structure (In ¶ 121, Dunjic discloses “executed verification module 430 may perform additional operations that verify an integrity of each of consent documents 268 and 418 by computing corresponding local hash values (e.g., through an appropriate one of the exemplary hash functions described herein to consent documents 268 and 418) and by comparing the local hash values against respective ones of consent hash values 270 and 420.”); and determining to allow access to the online source of information by the software agent of the client device based on determining that the second hash value received from the software agent corresponds to the first hash value retrieved from the data structure (In ¶ 5, Dunjic discloses “determine that the first consent hash value corresponds to the second consent hash value, and determine that requested data element is accessible to the application program based on the consent document”).
Regarding Claim 12, the combination of Dunjic and Williams disclose:
The method of claim 9, wherein receiving the second hash value from the software agent comprises: receiving a request to access the online source of information from the software agent, wherein the request to access the online source of information includes the second hash value and data associated with the software agent of the client device (In ¶ 5, Dunjic discloses “the request includes a first consent hash value”, Dunjic further discloses in ¶ 63 “executed consent management module 266 also apply a digital signature 286 to all or a portion of attestation data 284 using any appropriate digital signature algorithm in conjunction with private cryptographic key of computing system”);
Regarding Claim 13, the combination of Dunjic and Williams disclose:
The method of claim 12, further comprising: wherein determining to allow access to the online source of information by the software agent of the client device comprises: determining to allow access to the online source of information by the software agent of the client device based on the first hash value, the second 4VK6576Page 44 of 49Attorney Docket No. 8223-2003773 (4612US01) hash value, and data associated with the software agent of the client device included in the request to access the online source of information (In ¶ 5, Dunjic discloses “determine that the first consent hash value corresponds to the second consent hash value, and determine that requested data element is accessible to the application program based on the consent document”); and wherein processing the request to access the online source of information involving the software agent of the client device comprises: allowing the software agent to conduct the data transaction involving a specific type of data included in the online source of information based on the data associated with the software agent of the client device (In ¶ 122, Dunjic discloses “Based on the verified integrity of current consent data 424 (and additionally, or alternatively, the verified integrity of consent documents 268 and 418), executed verification module 430 may provide current consent data 424 as an input to a local consent management module 432 of executed mobile banking application 110.”).
Regarding Claim 15, the combination of Dunjic and Williams disclose:
The method of claim 9, further comprising: receiving an initialization access request from the client device, wherein the initialization access request is a request for authorization to access to the online source of information by the software agent of the client device (In ¶ 5, Dunjic discloses “The request is generated by an application program executed at the device, and the request includes a first consent hash value.”);
Dunjic does not explicitly teach the limitation of sending a private key to a software agent. 
However, Williams discloses the following limitation:
wherein transmitting the private encryption key of the public/private encryption key pair to the software agent of the client device comprises: transmitting the private encryption key of the public/private encryption key pair to the software agent of the client device based on receiving the initialization access request from the client device (In ¶ 56, Williams discloses “the authorization device 103 may compare the hash value received from the target device 101 with the reference hash value it computed after embedding and encryption operations in 123. In 126, when the hashes match, the authorization device 103 may transmit the decryption key (comparable to a private key in PKI methods) to the target device 101 via the secure channel.”).
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize William’s approach of sending a private key to the software agent rather than the software agent utilizing their own private key as the motivation would be to further protect the secure communications over the channel. (see Williams ¶ 55).
Regarding Claim 16, Dunjic discloses:
A computer program product, the computer program product comprising at least one non-transitory computer-readable medium including one or more instructions that (In ¶ 5, Dunjic discloses “in some examples, an apparatus includes a communications interface, a memory storing instructions, and at least one processor coupled to the communications interface and to the memory”), when executed by at least one processor, cause the at least one processor to: provision a client device for  (In ¶ 5, Dunjic discloses “The at least one processor is configured to execute the instructions to receive, via the communications interface, a request for an element of data from a device. The request is generated by an application program executed at the device”); receive a first hash value from the software agent of the client device, wherein the first hash value is generated using the private encryption key (In ¶ 5, Dunjic discloses “the request includes a first consent hash value”, Dunjic further discloses in ¶ 63 “executed consent management module 266 also apply a digital signature 286 to all or a portion of attestation data 284 using any appropriate digital signature algorithm in conjunction with private cryptographic key of computing system”); receive a second hash value from the software agent of the client device (In ¶ 5, Dunjic discloses “The at least one processor is further configured to obtain a consent document associated with the application program and a second consent hash value representative of the consent document”); determine whether to allow access to the online source of information by the software agent based on the first hash value and the second hash value received from the software agent of the client device (In ¶ 5, Dunjic discloses “determine that the first consent hash value corresponds to the second consent hash value, and determine that requested data element is accessible to the application program based on the consent document”); process a request to access the online source of information involving the software agent of the client device (In ¶ 122, Dunjic discloses “Based on the verified integrity of current consent data 424 (and additionally, or alternatively, the verified integrity of consent documents 268 and 418), executed verification module 430 may provide current consent data 424 as an input to a local consent management module 432 of executed mobile banking application 110.”), wherein, when processing the request to access the online source of information, the at least one processor is programmed or configured to: allow the software agent to conduct a data transaction involving the online source of information based on determining to allow access to the online source of information by the software agent of the client device (In ¶ 127, Dunjic discloses “which indicates that user 101 grants third-party application 114 access to at least a portion of the confidential account and transaction data maintained at computing system 130.”); and store a data record associated with the data transaction involving the online source of information in a distributed ledger (In ¶ 32, Dunjic discloses “distributed ledger 186 may include ledger blocks, such as consent ledger blocks 188, that record OAuth tokens, consent documents, and additionally, or alternatively, hash values representative of the consent documents for one or more third-party applications provisioned to computing devices and systems operating within environment 100, such as, but not limited to, third-party application 112 provisioned to client device 102.”).
Dunjic does not explicitly teach the limitation of sending a private key to a software agent. 
However, Williams discloses the following limitation:
Transmit a private encryption key of a public/private encryption key pair to a software agent of the client device (In ¶ 56, Williams discloses “the authorization device 103 may compare the hash value received from the target device 101 with the reference hash value it computed after embedding and encryption operations in 123. In 126, when the hashes match, the authorization device 103 may transmit the decryption key (comparable to a private key in PKI methods) to the target device 101 via the secure channel.”).
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize William’s approach of sending a private key to the software agent rather than the software agent utilizing their own private key as the motivation would be to further protect the secure communications over the channel. (see Williams ¶ 55).
Regarding Claim 17, the combination of Dunjic and Williams disclose:
The computer program product of claim 16, wherein the one or more instructions that cause the at least one processor to receive the second hash value from the software agent of  (In ¶ 5, Dunjic discloses “the request includes a first consent hash value”, Dunjic further discloses in ¶ 63 “executed consent management module 266 also apply a digital signature 286 to all or a portion of attestation data 284 using any appropriate digital signature algorithm in conjunction with private cryptographic key of computing system”).
Regarding Claim 18, the combination of Dunjic and Williams disclose:
The computer program product of claim 17, wherein, the one or more instructions that cause the at least one processor to determine whether to allow access to the online source of information by the software agent of the client device, cause the at least one processor to: determine whether to allow access to the online source of information by the software agent of the client device based on the first hash value, the second hash value, and data associated with the software agent of the client device included in the request to access the online source of information (In ¶ 5, Dunjic discloses “determine that the first consent hash value corresponds to the second consent hash value, and determine that requested data element is accessible to the application program based on the consent document”); and wherein, the one or more instructions that cause the at least one processor to process the request to access the online source of information involving the software agent of the client device, cause the at least one processor to: allow the software agent to conduct the data transaction involving a specific type of data included in the online source of information based on the data associated with the software agent of the client device (In ¶ 122, Dunjic discloses “Based on the verified integrity of current consent data 424 (and additionally, or alternatively, the verified integrity of consent documents 268 and 418), executed verification module 430 may provide current consent data 424 as an input to a local consent management module 432 of executed mobile banking application 110”).
Regarding Claim 19, the combination of Dunjic and Williams disclose:
The computer program product of claim 16, wherein, the one or more instructions that cause the at least one processor to receive the second hash value from the software agent of the client device, cause the at least one processor to: receive a request to access sensitive data included in the online source of information from the software agent, wherein the request to access sensitive data included in the online source of information includes the second hash value (In ¶ 28, Dunjic discloses “a consent document that, among other things, includes data identifying one or more accessible types, classes, or elements of confidential data maintained at computing system 130, and data identifying one or more permissible operations on the accessible types, classes, or elements of confidential data”).
Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dunjic et al (US Patent Application Publication 2021/0036854), hereinafter referred to as Dunjic, in view of Williams et al (US Patent Application Publication 2008/0214300), hereinafter referred to as Williams,  and further in view of Spangemacher et al. (US Patent 10382965), hereinafter referred to as Spangemacher.
Regarding Claim 7, the combination of Dunjic and Williams teach all the elements of the current invention with respect to claim 6 as referenced above.
However, Dunjic and Williams do not explicitly disclose the use of challenge questions. 
Spangemacher discloses wherein the at least one processor is further programmed or configured to: transmit a challenge question to the software agent of the client device (In ¶ 43, Spangemacher discloses “FIG. 4 is a diagram illustrating an example validation process in which data is requested with a challenge.”); and receive a response to the challenge question  (In ¶ 44, Spangemacher discloses “The data and the answer to the challenge are then sent to the validator”); wherein, when determining whether to allow access to the online source of information by the software agent of the client device, the at least one processor is programmed or configured to: determine whether to allow access to the sensitive data included in the online source of information by the software agent of the client device based on the first hash value, the second hash value, and the response to the challenge question from the software agent of the client device (In ¶ 44, Spangemacher discloses “The validator then checks if the signature matches the data and checks if the challenge is matching”).
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize Spangemacher’s approach utilizing challenge questions as an extra verification layer as the motivation would be to add an additional layer of protection to prevent fraudulent activity and exposing of sensitive personal data  (see Spangemacher ¶ 10).
Regarding Claim 14, the combination of Dunjic and Williams teach all the elements of the current invention with respect to claim 9 as referenced above.
However, Dunjic and Williams do not explicitly disclose the use of challenge questions. 
Spangemacher discloses transmitting a challenge question to the software agent of the client device (In ¶ 43, Spangemacher discloses “FIG. 4 is a diagram illustrating an example validation process in which data is requested with a challenge.”); and receiving a response to the challenge question from the software agent of the client device (In ¶ 44, Spangemacher discloses “The data and the answer to the challenge are then sent to the validator”); wherein determining to allow access to the online source of information by the software agent of the client device comprises: determining to allow access to sensitive data included in the online  (In ¶ 44, Spangemacher discloses “The validator then checks if the signature matches the data and checks if the challenge is matching”).
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize Spangemacher’s approach utilizing challenge questions as an extra verification layer as the motivation would be to add an additional layer of protection to prevent fraudulent activity and exposing of sensitive personal data  (see Spangemacher ¶ 10).
Regarding Claim 20, the combination of Dunjic and Williams teach all the elements of the current invention with respect to claim 19 as referenced above.
However, Dunjic and Williams do not explicitly disclose the use of challenge questions. 
Spangemacher discloses wherein the at least one processor is further programmed or configured to: transmit a challenge question to the software agent of the client device (In ¶ 43, Spangemacher discloses “FIG. 4 is a diagram illustrating an example validation process in which data is requested with a challenge.”); and receive a response to the challenge question from the software agent of the client device (In ¶ 44, Spangemacher discloses “The data and the answer to the challenge are then sent to the validator”); wherein, the one or more instructions that cause the at least one processor to determine whether to allow access to the online source of information by the software agent of the client device, cause the at least one processor to: determine whether to allow access to the sensitive data included in the online source of information by the software agent of the client device based on the first hash value, the second hash value, and the response to the challenge question from the software agent of  (In ¶ 44, Spangemacher discloses “The validator then checks if the signature matches the data and checks if the challenge is matching”).
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize Spangemacher’s approach utilizing challenge questions as an extra verification layer as the motivation would be to add an additional layer of protection to prevent fraudulent activity and exposing of sensitive personal data  (see Spangemacher ¶ 10).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Gagnon (US Publication Number 2021/0297423) discloses a system and method for securing access to network assets.
Oberheide et al. (US Publication Number 2016/0294562) discloses a method for distributed trust authentication of service providers.
Winklevoss et al. (US Patent Number 10158480) discloses a system and method for authorizing and performing autonomous device transactions.
Soundararajan et al. (US Publication Number 2020/0042958) discloses a system and method for providing transaction provenance of off-chain transactions.
Reed (US Patent Number 10579974) discloses a system and method for administration  and management of a digital asset network with rapid transaction settlements.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHADI H KOBROSLI whose telephone number is (571)272-1952. The examiner can normally be reached M-F 9am-5pm ET.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHADI H KOBROSLI/               Examiner, Art Unit 2492                                                                                                                                                                                         
/SALEH NAJJAR/               Supervisory Patent Examiner, Art Unit 2492