DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the preliminary amendment filed 08/14/2020.  
In the instant amendment, claims 1, 4-5, 7-10, 12-17 and 19-20 were amended; claims are cancelled; claims 1, 9 and 14 are independent claims. Claims 1 and 3-20 are pending.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1 and 3-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-12 of U.S. Patent No. 10,778,435. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims are anticipated by the parent application (U.S. Patent No: 10,778,435).




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1, 7-9 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Weiner et al (“Weiner,” US 20150073992) in view of Alonso-Cebrian et al (“Alonso-Cebrian,” US 20160156598). 

Regarding claim 1, Weiner discloses a method for electronic device authentication, comprising:
a one-time passcode (Weiner, FIG 1C & FIG 3A show communicating by the authentication server over a first communication channel, the one-time passcode to a computer application executed by the electronic device)
communicating, by the authentication server over a first communication channel, the one-time passcode to a computer application executed by an electronic device; (Weiner, FIG 1C & FIG 3A show communicating by the authentication server over a first communication channel, the one-time passcode to a computer application executed by the electronic device; [0064], MD server provides an authentication service)
validating, by the authentication server, the one-time passcode; (Weiner, [0064], [0117] and [0081] describe validating by the server that performs authentication, the one-time passcode)
generating, by the authentication server, a device identifier for the electronic device; (Weiner, [0071], [0077]-[0082], [0064], describes generating, by server that performs authentication, an identifier of the mobile device) and
binding, by the authentication server, the device identifier and the electronic device to each other; (Weiner, [0077], [0078] & [0064] describes binding, by the server that performs authentication, the mobile device identifier and the mobile device to each other) and
communicating, by the authentication server and over the second communication channel, the device identifier for the electronic device to the computer application, (Weiner, FIG 3A, Band 2; [0077], [0033], [0109] & [0110] describe communicating, by the authentication server and over the second communication channel, the device identifier for the electronic device to the computer application; [0064], MD server provides an authentication service) 
wherein the computer application stores the device identifier (Weiner, FIG 3A, FIG 1C, [0077]-[0078] describe the computer application storing the mobile device identifier)

However, in an analogous art, Alonso-Cebrian discloses generating, by an authentication server comprising at least one computer processor, a one-time passcode; (Alonso-Cebrian, FIG 3 & [0081]-[0085] which describes FIG 3 describes an authentication server; [0050], describes where the server generates a one-time password (OTP)). 
receiving, by the authentication server, from the computer application and over a second communication channel the one-time passcode encrypted with a private key associated with the electronic device (Alonso-Cebrian, FIG 3 shows an authentication server; [0045]-[0046] & [0050] describes signing the signature of the OTP using a private key; [0097], [0041] & [0061] describe a second channel)
decrypting, by the authentication server, the encrypted one-time passcode using a public key, (Alonso-Cebrian, Step S, FIG 5 & [0045] describes decrypting, by the authentication server, the encrypted one-time passcode using a public key)
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Alonso-Cebrian with the method/system of Weiner to include generating, by an authentication server comprising at least one computer processor, a one-time passcode; receiving, by the 

Regarding claim 7, Weiner and Alonso-Cebrian disclose the method of claim 1. 
Weiner further discloses further comprising: receiving, by the authentication server from the computer application over the second communication channel, device fingerprint data for the electronic device, (Weiner, [0033], the mobile device server arranged to: input the received obtained server associated digital fingerprint from the second device over the second communication channel).

Regarding claim 8, Weiner and Alonso-Cebrian disclose the method of claim 1.  
Weiner further discloses further comprising: communicating, by the authentication server over the second communication channel, the device identifier to the computer application, (Weiner, FIG 3A, Band 2 contains the addresses and attributes; [0077] describes an identifier of the Mobile Device; [0033] describes a second communication channel; also see [0109] & [0110] which further describe communicating by the server and over the second communication channel the device ID to the electronic device)

Regarding claim 9, claim 9 is directed to a method. Claim 9 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 13, Weiner and Alonso-Cebrian disclose the method of claim 9. 
Weiner further discloses further comprising: communicating, by the computer application, over the second communication channel, device fingerprint data for the electronic device to the authentication server, (Weiner, FIG 3A, Band 2 contains the addresses and attributes; [0077] describes an identifier of the Mobile Device; [0033] describes a second communication channel; also see [0109] & [0110] which further describes communicating by the server and over the second communication channel the device ID to the electronic device)

Regarding claim 14, claim 14 is directed to a system. Claim 14 is similar in scope to claim 1 and is therefore rejected under similar rationale. 

Claims 3, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Weiner et al (“Weiner,” US 20150073992) in view of Alonso-Cebrian et al (“Alonso-Cebrian,” US 20160156598) and further in view of Brown et al (“Brown,” US 20100217982). 

Regarding claim 3, Weiner and Alonso-Cebrian disclose the method of claim 1. 

However, in an analogous art, Brown discloses wherein the device identifier comprises a universally unique identifier, (Brown, [0059], a UUID-mobile device identifier)
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Brown with the method/system of Weiner and Alonso-Cebrian to include wherein the device identifier comprises a universally unique identifier. One would have been motivated to register a presence user with a presence service (Brown, [0022]). 
Regarding claim 11, claim 11 is directed to the method of claim 9. Claim 11 is similar in scope to claim 3 and is therefore rejected under similar rationale. 

Regarding claim 18, claim 18 is directed to the system of claim 15. Claim 18 is similar in scope to claim 3 and is therefore rejected under similar rationale.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Weiner et al (“Weiner,” US 20150073992) in view of Alonso-Cebrian et al (“Alonso-Cebrian,” US 20160156598) and further in view of Jaber et al (“Jaber,” US 20160013947).  

Regarding claim 4, Weiner and Alonso-Cebrian disclose the method of claim 1. 

the authentication server receiving from the computer application over the second communication channel, a public key paired with the private key.
However, in an analogous art, Jaber discloses further comprising:
the authentication server receiving from the computer application over the second communication channel, a public key paired with the private key, (Jaber, [0007], [0049] & [0053], describes the authentication server receiving from the computer application over the second communication channel, a public key paired with the private key)
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Jaber with the method/system of Weiner and Alonso-Cebrian to include further comprising: the authentication server receiving from the computer application over the second communication channel, a public key paired with the private key. One would have been motivated to securely provision an information handling system (Jaber, [0001]). 

Claims 5 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Weiner et al (“Weiner,” US 20150073992) in view of Alonso-Cebrian et al (“Alonso-Cebrian,” US 20160156598) and further in view of Carpenter et al (“Carpenter,” US 20160086184).

Regarding claim 5, Weiner and Alonso-Cebrian disclose the method of claim 1. 
Weiner and Alonso-Cebrian fail to explicitly disclose further comprising:

decrypting, by the authentication server, the application specific verification key;
wherein the step of binding the device identifier and the electronic device further comprises storing an indication that the application specific verification key was valid.
However, in an analogous art, Carpenter discloses further comprising:
receiving, by the authentication server, from the computer application over the second communication channel, an application specific verification key; (Carpenter, [0072], describes an authentication server; FIG 6 shows receive DVV from the user 412; [0011], the communication may include sending the user a one-time password over the second communication channel, which may be a Short Message Service (SMS) message, email or HTTP message sent by an issuer to the user) and
decrypting, by the authentication server, the application specific verification key; (Carpenter, [0072], describes an authentication server; [0139], Thus, the service provider 230 may have access to a public key of the issuer 240, decrypt the user-provided DVV, and determine whether the resulting clear text value includes the correct PAN and a correct date/time value)
wherein the step of binding the device identifier and the electronic device further comprises storing an indication that the application specific verification key was valid, (Carpenter, 412, FIG 6 receive DVV from user 412; validate DVV by comparing to stored DVV 606)
Therefore, it would have been obvious to one of ordinary skill in the art before the

receiving, by the authentication server, from the computer application over the second communication channel, an application specific verification key; and
decrypting, by the authentication server, the application specific verification key;
wherein the step of binding the device identifier and the electronic device further comprises storing an indication that the application specific verification key was valid. One would have been motivated to secure mobile device payment credential provisioning using selective risk decision overrides (Carpenter, [0002]).

Regarding claim 16, Weiner and Alonso-Cebrian disclose the system of claim 15.
Weiner and Alonso-Cebrian fail to explicitly disclose wherein the authentication server is configured to decrypt the application specific verification key and is configured to store an indication that the application specific verification key was valid.
However, in an analogous art, Carpenter discloses wherein the authentication server is configured to decrypt the application specific verification key (Carpenter, [0072] describes an authentication server; FIG 6 shows receive DVV from the user 412; [0011], the communication may include sending the user a one-time password over the second communication channel, which may be a Short Message Service (SMS) message, email or HTTP message sent by an issuer to the user; [0139], Thus, the service provider 230 may have access to a public key of the issuer 240, decrypt the user-provided DVV, and determine whether the resulting clear text value includes the correct PAN and a correct date/time value)
and is configured to store an indication that the application specific verification key was valid (Carpenter, 412, FIG 6 receive DVV from user 412; validate DVV by comparing to stored DVV 606)
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Carpenter with the method/system of Weiner and Alonso-Cebrian to include wherein the authentication server is configured to decrypt the application specific verification key and is configured to store an indication that the application specific verification key was valid. One would have been motivated to secure mobile device payment credential provisioning using selective risk decision overrides (Carpenter, [0002]).

Regarding claim 17, Weiner and Alonso-Cebrian disclose the system of claim 15. 
Weiner and Alonso-Cebrian fail to explicitly disclose wherein the authentication server is configured to receive, from the electronic device over the second communication channel, a password, and is configured to save the password.
However, in an analogous art, Carpenter discloses wherein the authentication server is configured to receive, from the electronic device over the second communication channel, a password, (Carpenter, [0072] & [0011], describes wherein the authentication server is configured to receive, from the electronic device over the second communication channel a one-time password)
(Carpenter, [0011] & FIG 2 describe and is configured to save the password)
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Carpenter with the method/system of Weiner and Alonso-Cebrian to include further comprising: the authentication server receiving from the computer application over the second communication channel, a public key paired with the private key. One would have been motivated to secure mobile device payment credential provisioning using selective risk decision overrides (Carpenter, [0002]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Weiner et al (“Weiner,” US 20150073992), Alonso-Cebrian et al (“Alonso-Cebrian,” US 20160156598) in view of Carpenter et al (“Carpenter,” US 20160086184) and further in view of Kaufman et al (“Kaufman,” US 5764772) and further in view of Mohan et al (“Mohan,” US 20160142205).

Regarding claim 6, Weiner, Alonso-Cebrian and Carpenter disclose the method of claim 5. 
Weiner, Alonso-Cebrian and Carpenter fail to explicitly disclose wherein the application specific verification key is calculated according to the following equation: ASVK=HASH(salt+Env+OTP); where: “salt” comprises a cryptographic salt; “Env” comprises at least one environmental parameter; OTP is the one-time password; and HASH comprises a hashing algorithm.
(Kaufman, Figure 1, steps 10 "Generate random secret key," 14, "generate hash of secret key and salt," 16 "Encrypt entire key and salt using public key," 18 split secret key into partial keys, 20 "Encrypt one partial key, hash and all or part of salt using public key of authority," 22 Transmit encrypted message, encrypted secret key and encrypted partial key to intended recipient).
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Kaufman with the method/system of Weiner, Alonso-Cebrian and Carpenter to include wherein the application specific verification key is calculated according to the following equation: ASVK=HASH(salt+ OTP); where: “salt” comprises a cryptographic salt; OTP is the one-time password; and HASH comprises a hashing algorithm. One would have been motivated to secure communications against attackers but which satisfy restrictions imposed by governmental authorities against the use, export or import of strong cryptographic systems (Kaufman, Col. 1, Lines 22-28). 
Weiner, Alonso-Cebrian, Carpenter and Kaufman fail to explicitly disclose +Env, “Env” comprises at least one environmental parameter. 
However, in an analogous art, Mohan discloses +Env, “Env” comprises at least one environmental parameter, (Mohan, FIG 4 steps 410, obtain secret key at a device, 420, obtain a salt and an environmental variable at the device, 430 generate a derived key using the secret key, the salt and the environmental variable device, 440 store the derived key, 450 use the derived key for cryptographic communications with another device that also uses the derived key, 460, generate further derived key from secret key and the salt and new environmental variable).
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Mohan with the method/system of Weiner, Alonso-Cebrian, Carpenter and Kaufman to include +Env, “Env” comprises at least one environmental parameter. One would have been motivated to obtain a secret key at a processor of a device, obtain a salt and an environmental variable, generate a cryptographically transformed derived key via the processor of the device using the secret key, the salt, and the environmental variable, store the derived key in a memory of the device, and use the derived key for cryptographic communications via a network with another device (Mohan, [0002]).

Claims 10, 15, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Weiner et al (“Weiner,” US 20150073992), Alonso-Cebrian et al (“Alonso-Cebrian,” US 20160156598) in view of Kaufman et al (“Kaufman,” US 5764772) and further in view of Mohan et al (“Mohan,” US 20160142205).  

Regarding claim 10, Weiner and Alonso-Cebrian disclose the method of claim 9. 
Weiner and Alonso-Cebrian fail to explicitly disclose generating, by the computer application, an application specific verification key; wherein the application specific 
However, in an analogous art, Kaufman discloses generating, by the computer application, an application specific verification key; (Kaufman, FIG 1 & FIG 1A; Col. 5, Lines 53-56; Col. 11, Lines 7-13 describe generating by software a software specific verification key).
wherein the application specific verification key is calculated according to the following equation ASVK=HASH (salt+OTP); where: “salt” comprises a cryptographic salt; OTP is the one-time password; and HASH comprises a hashing algorithm, (Kaufman, Figure 1, steps 10 "Generate random secret key," 14, "generate hash of secret key and salt," 16 "Encrypt entire key and salt using public key," 18 split secret key into partial keys, 20 "Encrypt one partial key, hash and all or part of salt using public key of authority," 22 Transmit encrypted message, encrypted secret key and encrypted partial key to intended recipient).
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Kaufman with the method/system of Weiner and Alonso-Cebrian to include generating, by the computer application, an application specific verification key; wherein the application specific verification key is calculated according to the following equation ASVK=HASH (salt+OTP); where: “salt” comprises a cryptographic salt; OTP is the one-time password; and HASH comprises a hashing algorithm. One would have been motivated to secure 
Weiner, Alonso-Cebrian and Kaufman fail to explicitly disclose and communicating, by the computer application, and over the second communication channel, the application specific verification key to the authentication server; +Env, “Env” comprises at least one environmental parameter
However, in an analogous art, Mohan discloses and communicating, by the computer application, and over the second communication channel, the application specific verification key to the authentication server (Mohan, FIG 2 & [0017]-[0018] & [0037]-[0038] describes communicating over a second channel the application verification key to the server for verification). 
+Env, “Env” comprises at least one environmental parameter, (Mohan, FIG 4 steps 410, obtain secret key at a device, 420, obtain a salt and an environmental variable at the device, 430 generate a derived key using the secret key, the salt and the environmental variable device, 440 store the derived key, 450 use the derived key for cryptographic communications with another device that also uses the derived key, 460, generate further derived key from secret key and the salt and new environmental variable).
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Mohan with the method/system of Weiner, Alonso-Cebrian and Kaufman to include and communicating, by the computer application, and over the second communication 

Regarding claim 15, claim 15 is directed to the system of claim 14. Claim 15 is similar in scope to claim 10 and is therefore rejected under similar rationale.

Regarding claim 19, Weiner, Alonso-Cebrian, Kaufman and Mohan disclose the system of claim 15. 
Weiner further discloses wherein the authentication server is configured to receive, from the computer application, an identification of the first communication channel for receiving the one-time passcode (Weiner, FIG 3A shows that the provider server receives from the application running on the mobile device the encrypted pass code as shown in FIG 1C). 

Regarding claim 20, Weiner, Alonso-Cebrian, Kaufman and Mohan disclose the system of claim 15. 
Weiner further discloses wherein the authentication server is configured to receive from the electronic device over the second communication channel, device (Weiner, [0033], the mobile device server arranged to: input the received obtained server associated digital fingerprint from the second device over the second communication channel).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Weiner et al (“Weiner,” US 20150073992), Alonso-Cebrian et al (“Alonso-Cebrian,” US 20160156598) in view of Damm-Goosens (“Damm-Goosens,” US 8719952).   

Regarding claim 12, Weiner and Alonso-Cebrian disclose the method of claim 9. 
Weiner and Alonso-Cebrian fail to explicitly disclose further comprising:
generating, by the computer application, a public key and private key pair; and
storing, by the computer application, the private key in one of a secure element of the electronic device or in a secure storage element of one of the computer application and an operating system executed by the electronic device.
However, in an analogous art, Damm-Goosens discloses further comprising:
generating, by the computer application, a public key and private key pair; (Damm-Goosens, Col. 6, Lines 3-11 describe an application; FIG 12, step 164, Mobile com. Device generates cryptographic key pair; Col. 2, Lines 30-31, generating a key pair comprising a private key and corresponding public key; Col. 12, Lines 39-43, mobile communication device creates a cryptographic key pair and transmits a public key to authentication server while storing a corresponding private key locally on the mobile communication device) and
storing, by the computer application, the private key in one of a secure element of the electronic device or in a secure storage element of one of the computer application and an operating system executed by the electronic device, (Damm-Goosens, Col. 6, Lines 3-11 describe an application; FIG 12, step 164, Mobile com. Device generates cryptographic key pair; Col. 2, Lines 30-31, generating a key pair comprising a private key and corresponding public key; Col. 12, Lines 39-43, mobile communication device creates a cryptographic key pair and transmits a public key to authentication server while storing a corresponding private key locally on the mobile communication device).
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Damm-Goosens with the method/system of Weiner and Alonso-Cebrian to include further comprising: generating, by the computer application, a public key and private key pair; and storing, by the computer application, the private key in one of a secure element of the electronic device or in a secure storage element of one of the computer application and an operating system executed by the electronic device. One would have been motivated to provide a method and system for authenticating users of computer systems, and in particular to systems and methods for encryption using asymmetric software key(s) (Damm-Goosens, Col. 1, Lines 13-15). 



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/Examiner, Art Unit 2439  


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439