Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

1.       This action is in response to application amendments filed on 2-9-2022. 
2.        Claims 2, 4, 6 - 9, 11, 13 - 15, 17, 19 - 22 are pending.  Claims 2, 9, 15 have been amended.  Claims 1, 3, 5, 10, 12, 16, 18 have been canceled.  Claims 2, 9, 15 are independent.  This application was filed on 10-23-2019. 
 
Response to Arguments

3.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 2-9-2022, with respect to the rejection(s) under Ramaswamy in view of Yoshioka and further in view of Dibble have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Ramaswamy in view of Graham and further in view of Carman.

A.  Applicant argues on page 10 of Remarks:    ...   the applied references fail to teach or render obvious “selecting one group of at least two verification code generators from a verification code generator set comprising a plurality of verification code generators to compose a current use set, wherein the verification code generator set includes a plurality of groups, wherein each group includes at least two verification code generators, and wherein the selecting of the one group of at least two verification code generators from the verification code generator set comprises: determining a number of verification code generators for the one group of at least two verification code generators    ...   . 

    The Examiner respectfully disagrees.  Ramaswamy discloses the selection of a group of authentication generators to generate and compose a set of authentication information for verification of a user. (see Ramaswamy paragraph 0050], lines 1-9: a set of verification engines; each verification engine operates on a family (group) of verification objects (a verification mode) such as a knowledge engine operating on different types of challenge-response questions; paragraph [0008], lines 1-10: authentication framework implemented by enabling dynamic user authentication that combines multiple authentication objects using a shared context based on varying customizable user preferences (i.e. number of generators within a group) and transaction requirements)   

B.  Applicant argues on page 10 of Remarks:   ...   a high risk setting or a low risk setting, wherein the high risk setting relates to a number of login failures within a fixed time segment is equal to or exceeds a predetermined login failure threshold, wherein the low risk setting relates to a number of login failures within the fixed time segment fails to equal to or exceed the predetermined login failure threshold,   ...   . 

    The Examiner respectfully disagrees.  Graham discloses a high risk setting and a low risk setting based upon the number of login failures encountered over a time period. (see Graham paragraph [0032], lines 1-17: receiving continual invalid login incidents 

C.  Applicant argues on page 10 of Remarks:    ...   the number of verification code generators associated with the high risk setting is greater than the number of verification code generators associated with the low risk setting,   ...   . 

    The Examiner respectfully disagrees.  Carman discloses a determination of low security level and high security level based upon the amount of authentication information (i.e. authentication tag) utilized for authentication. (see Carman col 21, lines 22-28: receiver can verify utilizing authentication tags information generated using only some of the message data (or at a lower security level), or perform a verification process utilizing authentication tags information generated utilizing all of the message data (or at a higher security level); (high security level utilizes a larger set of authentication information (i.e. authentication tags information)))

D.  Applicant argues on page 10 of Remarks: The dependent claims depend from claims 2, 9, and 15 and are therefore believed to be allowable for the same reasons described above   ...   . 

    Independent claims 9 and 15 have similar limitations as independent claim 1.  Responses to arguments against independent claim 1 also answer arguments against independent claims 9 and 15.    
    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.

Claim Rejections - 35 USC § 103  

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 2, 7, 8, 9, 14, 15, 20 - 22 are rejected under 35 U.S.C. 103 as being unpatentable over Ramaswamy et al. (US PGPUB No. 20040088587) in view of 
Graham et al. (US PGPUB No. 20070022090) and further in view of Carman et al. (US Patent No. 6,915,426).  

Regarding Claims 2, 9, 15, Ramaswamy discloses a method and a system and a computer program product being embodied in a tangible non-transitory computer readable storage medium comprising computer instructions (see Ramaswamy paragraph [0087], lines 1-5: computer system programmed to implement the inventive 
a)  selecting one group of at least two verification code generators from a verification code generator set comprising a plurality of verification code generators to compose a current use set, wherein the verification code generator set includes a plurality of groups, wherein each group includes at least two verification code generators, and wherein the selecting of the one group of at least two verification code generators from the verification code generator set. (see Ramaswamy paragraph 0050], lines 1-9: a set of verification engines (selected number of generators); each verification engine operates on a family (group) of verification objects (a verification mode) such as a knowledge engine operating on different types of challenge-response questions; paragraph [0029], lines 1-9: file that specifies relevant authentication objects (e.g., questions to be asked, actions to be performed, etc.) and files that contain user profiles (e.g., user selected authentication objects and correct responses, user preferences, etc.)) 

Furthermore, Ramaswamy discloses wherein comprising the following: 
c)  executing each verification code generator in the current use set to obtain corresponding partial verification codes; (see Ramaswamy paragraph [0008], lines 1-10: authentication framework implemented by enabling dynamic user authentication that combines multiple authentication objects using a shared 
d)  composing a current verification code from the partial verification codes; and e) outputting the current verification code to a user. (see Ramaswamy Figure 3 and 4; paragraph [0008], lines 1-10: authentication framework implemented by enabling dynamic user authentication that combines multiple authentication objects using a shared context based on varying customizable user preferences and transaction requirements (composes a final verification object for authentication by combining multiple verification objects))    

Furthermore, Ramaswamy discloses wherein for b) determining a number of verification code generators for the one group of at least two verification code generators. (see Ramaswamy paragraph 0050], lines 1-9: a set of verification engines; each verification engine operates on a family (group) of verification objects (a verification mode) such as a knowledge engine operating on different types of challenge-response questions; paragraph [0029], lines 1-9: file that specifies relevant authentication objects (e.g., questions to be asked, actions to be performed, etc.) and files that contain user profiles (e.g., user selected or determined authentication objects and correct responses, user preferences, etc.); paragraph [0008], lines 1-10: authentication framework implemented by enabling dynamic user authentication that combines multiple authentication objects using a shared context based on varying customizable user preferences and 

Ramaswamy does not specifically disclose for b) a high risk setting or a low risk setting, wherein a high risk setting relates to number of login failures within a fixed time segment equal to or exceeding a predetermined login failure threshold, and a low risk setting relates to a number of login failures within the fixed time segment failing to equal to or exceed a predetermined login failure threshold, and for f) receive a user response made in response to a current verification code, and for g) compare a current verification code and a user response to determine whether a user is verified.
However, Graham discloses for b) wherein based on a high risk setting or a low risk setting, wherein the high risk setting relates to a number of login failures within a fixed time segment is equal to or exceeds a predetermined login failure threshold, wherein the low risk setting relates to a number of login failures within the fixed time segment fails to equal to or exceed the predetermined login failure threshold.  (see Graham paragraph [0032], lines 1-17: receiving continual invalid login incidents from suspect nodes; each threshold is a trigger to take some action; as aggravation level increases, at threshold target node begins a passive scan on all incoming incidents; paragraphs [0033]; [0034]; [0035]; paragraph [0036], lines 1-12: at its highest aggravation threshold, the target has received numerous successive login failure incidents, resulting in an unreasonably high probability that an unauthorized suspect is attempting to gain access to its 
And, Graham discloses the following:
f)   receiving a user response that is made in response to the current verification code; (see Graham paragraph [0035], lines 10-14: if suspect once again transmits correct login information will target provide suspect access; by forcing a double logon in this manner, target will prevent suspects from acquiring unauthorized access by using automated login scripts) and 
g)  comparing the current verification code and the user response to determine whether the user is verified. (see Graham paragraph [0035], lines 10-14: if suspect once again transmits correct login information will target provide suspect access; by forcing a double logon in this manner, target will prevent suspects from acquiring unauthorized access by using automated login scripts; (correct login information must be input for verification, verification performed via a comparison type operation))
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Ramaswamy for b) a high risk setting or a low risk setting, wherein a high risk setting relates to number of login failures within a fixed time segment equal to or exceeding a predetermined login failure threshold, and a low risk setting relates to a number of login failures within the 

Ramaswamy-Graham does not specifically disclose for b) number of verification code generators associated with a high risk setting is greater than the number of verification code generators associated with a low risk setting. 
However, Carman discloses for b) wherein the number of verification code generators associated with the high risk setting is greater than the number of verification code generators associated with the low risk setting. (see Carman col 21, lines 22-28: receiver can verify utilizing authentication tags generated using only some of the message data (or a lower security level for authentication information), or can performs a verification process utilizing authentication tags generated utilizing all of the message data (or a higher security level for authentication information); (higher security level utilizes a larger set of authentication information (i.e. authentication tags))) 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Ramaswamy-Graham for number of verification code generators associated with a high risk setting is greater 

Furthermore for Claim 9, Ramaswamy discloses wherein a processor; and a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to perform operations. (see Ramaswamy paragraph [0087], lines 1-5: computer system programmed to implement the inventive techniques such as a personal computer, PDA, etc. (computer indicates a processor coupled to memory), paragraph [0088], lines 1-6: software instructions for performing methodologies of invention, are stored in associated memory devices and executed by CPU (HW processor)) 

Furthermore for Claim 15, Ramaswamy discloses wherein a computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for performing operations. (see Ramaswamy paragraph [0087], lines 1-5: computer system programmed to implement the inventive techniques such as a personal computer, PDA, etc. (computer indicates a processor coupled to memory), paragraph [0088], lines 1-6: software instructions for performing methodologies of invention, are stored in associated memory devices and executed by CPU (HW processor))

Regarding Claims 7, 14, 20, Ramaswamy-Graham-Carman discloses the method as described in claim 2 and the system as described in claim 9 and the computer program product as described in claim 15, further comprising: composing a current verification code checksum from partial verification code checksums generated by each verification code generator in the current use set. (see Ramaswamy Figure 4; paragraph [0011], lines 1-12: context shared across two or more verification objects comprises one or more variables associated with the verification operation; context variables represent one or more of user specific requirements and logical variables; paragraph [0097], lines 1-12: second and third objects are responses (i.e. partial variables) to a challenge; fourth object is a response (i.e. partial variable) to a challenge, fifth object is a voiceprint object (i.e. speech, partial response); (partial responses are combined for a final verification response to a set of verification objects)) 
    
    Specification in paragraph [0037] discloses a checksum can be an expected partial answer (or partial response) to a challenge question associated with a set of challenge questions used for verification. 

Regarding Claims 8, 21, Ramaswamy-Graham-Carman discloses the method as described in claim 2 and the computer program product as described in claim 15, wherein at least two verification modes are used by the selected one group of at least two verification code generators in the current use set. (see Ramaswamy paragraph [0033], lines 1-13: verification objects are used for verifying the identity of users; verification objects associated with a user’s biometric characteristics such as a voiceprint (speech verification mode), a user’s knowledge such as answers to challenge 

Regarding Claim 22, Ramaswamy-Graham-Carman discloses the method as described in claim 2, wherein the plurality of pre-established screening techniques includes two or more of the following:
a)  selecting two verification code generators; Ramaswamy discloses the selection of verification objects (two or more objects) to be utilized in performing an authentication procedure; (see Ramaswamy paragraph [0033], lines 1-13: verification objects are selected and used for verifying the identity of users; verification objects associated with a user’s biometric characteristics such as a voiceprint (speech verification mode), a user’s knowledge such as answers to challenge questions (question-and-answer verification mode), and a user’s possession (i.e. cards, tokens, certificates, and etc.); paragraph [0029], lines 1-9: file that specifies relevant authentication objects (e.g., questions to be asked, actions to be performed, etc.) and files that contain user profiles (e.g., user selected authentication objects and correct responses, user preferences, etc.); paragraph 0050], lines 1-9: a set of verification engines; each verification engine operates on a family (group) of verification objects (a verification mode) such as a knowledge engine operating on different types of challenge-response 
b)  selecting three verification code generators, wherein the three verification code generators includes at least two different verification modes; and c) selecting a first specific verification mode and a second specific verification mode. Ramaswamy discloses the selection of verification objects (three or more objects) to be utilized in performing an authentication procedure. (see Ramaswamy paragraph [0033], lines 1-13: verification objects are selected and used for verifying the identity of users; verification objects associated with a user’s biometric characteristics such as a voiceprint (speech verification mode), a user’s knowledge such as answers to challenge questions (question-and-answer verification mode), and a user’s possession (i.e. cards, tokens, certificates, and etc.); paragraph 0050], lines 1-9: a set of verification engines; each verification engine operates on a family (group) of verification objects (a verification mode) such as a knowledge engine operating on different types of challenge-response questions; (i.e. question-and-answer verification mode); (two verification modes selected: speech verification mode and question-and-answer verification mode); (three verification objects selected from each verification mode, type or group)) 

    Specification in paragraph [0025] discloses that a screening techniques “specifies which verification code generators are selected and in what order, the screening technique specifies a sequence of verification code generators.

6.        Claims 4, 11, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ramaswamy in view of Graham and further in view of Carman and Sandhu et al. (US PGPUB No. 20060248333).

Regarding Claims 4, 11, 17, Ramaswamy-Graham-Carman discloses the method as described in claim 2 and the system as described in claim 9 and the computer program product as described in claim 15.
Ramaswamy-Graham-Carman does not specifically disclose for a) screening techniques have varying levels of complexity, and for b) a screening technique of a certain level of complexity. 
However, Sandhu discloses:
a)  the pre-established screening techniques have varying levels of complexity; (see Sandhu paragraph [0044], lines 1-18: a first and a second level of complexity corresponding to a factor; factor represents a type of user, the user, time of receipt of first message, user of a different type, type of location, and etc.) and
b)  the specifying of the screening technique from the pre-established screening techniques includes: selecting the screening technique of a certain level of complexity based on historical behavior records of the user. (see Sandhu paragraph [0044], lines 1-18: a first and a second level of complexity corresponding to a factor; factor can represent a type of user, the user, time of receipt of first message, user of a different type, type of location, and etc.; paragraph [0073], lines 9-11: stored data includes one or more databases containing information associated with network users; paragraph [0094], lines 1-
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Ramaswamy-Graham-Carman for a) screening techniques have varying levels of complexity, and for b) a screening technique of a certain level of complexity as taught by Sandhu. One of ordinary skill in the art would have been motivated to employ the teachings of Sandhu for the benefits achieved from the added security for a system improving conventional public key cryptography to enable multiple levels of authentication security. (see Sandhu paragraph [0041], lines 1-4)       
   
    Specification in paragraph [0025] discloses that a screening techniques “specifies which verification code generators are selected and in what order, the screening technique specifies a sequence of verification code generators.

7.        Claims 6, 13, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ramaswamy in view of Graham and further in view of Carman and Komano et al. (US PGPUB No. 20050201561)

Regarding Claims 6, 13, 19, Ramaswamy-Graham-Carman discloses the method as described in claim 2 and the system as described in claim 9 and the computer program product as described in claim 15. 
Ramaswamy-Graham-Carman does not specifically disclose a current verification code from partial verification codes corresponding to a sequence of two verification code generators in the current use set. 

        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Ramaswamy-Graham-Carman for a current verification code from partial verification codes corresponding to a sequence of two verification code generators in the current use set as taught by Komano.  One of ordinary skill in the art would have been motivated to employ the teachings of Komano for the benefits achieved from the added security of utilizing a plurality of signature digests generated from partial objects and combining the secure encrypted partial objects into a combined final encrypted signature object. (see Komano paragraph [0064], lines 1-6)    

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 
 Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032.  The examiner can normally be reached on Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 






/CJ/
March 14, 2022


                                                                                                                                                                                                                                                                                                                                                                          

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436