Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of claims
This office action is in response to claims filed on 02/21/2020
Claims 1-20 are pending and rejected; claims 1, 11 and 17 are independent claims
Examiner remark
	Examiner acknowledges the inadvertent error of applying a prior art reference with the application date that is not prior to the current application date. As a consequence, the reply date is extended to three months from the mailing date of this communication.
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Montgomerie et al. US Pub. No.: 2021/0075791 A1 (hereinafter Dunjic) in view of Tussy et al. US Pub. No.: 2020/0042685 A1 (hereinafter Tussy).
Dunjic discloses:
1. A method for performing secure transactions, comprising: 
providing an access controller between a core application and a third-party application, wherein the access controller prevents the third-party application from unauthorized access to the core application (see Dunjic Figs. 1-5 and, ¶¶37 38, 125, establishing and managing trust, consent, and permissioning between computing systems and unrelated third-party applications within a computing environment);
receiving, by the access controller, a command from the third-party application to access the core application (see Dunjic Figs. 5 and ¶126, CA system 150 may receive a third-party access request and an applied digital signature from a computing system associated with one or more of the custodians of the confidential data, such as custodian system 110 of FIG. 1 (e.g., in step 502).)
transmitting, by the access controller, an authorization request to a secure application storing credentials of a user (see Dunjic ¶15, the executed third-party application may package the OAuth token into a request for the elements of confidential data, and may transmit the request to the corresponding custodian system across the communications network); 
providing, by the access controller, the third-party application with access to the core application in response to the access controller receiving notification from the secure application that the command is authorized (see Dunjic ¶88, consent verification module 322 may perform operations that parse … identifier 310A of third-party application 106, and may perform operations that validate OAuth token 308… consent verification module 322 may access credential data store 138 (e.g., as maintained within data repository 132), and obtain a reference version of the OAuth token, e.g., OAuth token 324, that is associated with or linked to identifier 310A within credential data store 138 and as such, is associated with third-party application 106); and 
preventing, by the access controller, the third-party application from accessing the core application in response to the access controller receiving notification (see Dunjic ¶89, consent verification module 322 may decline to validate OAuth token 308, and executed consent and permissioning engine 12 may reject request 304 and may perform operations that generate an error message, which custodian system 130 may transmit across network 120 to client device 102, (not illustrated in FIG. 3A)).
Dunjic does not explicitly disclose but the related art Tussy discloses
notification from the secure application that the command is unauthorized (see Tussy ¶322, notification from the secure application that the command is unauthorized)
Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the managing third-party access to confidential data using dynamically generated application-specific credentials disclosed by Dunjic to include the method and apparatus for creation and use of digital identification as taught by Tussy, in order to include the notification from the secure application that the command is unauthorized. It would have been obvious to a person with ordinary skill in the art to include the notification command in order to enhance usability.
As to claim 2, the combination of Dunjic and Tussy teaches the method of claim 1, wherein the providing the third-party application with access comprises transmitting, by the access controller, the command to the core application (see Dunjic ¶59, executed centralized on-boarding engine 158 may generate an error message, which CA system 150 may transmit across network 120 to custodian system 110).

As to claim 3, the combination of Dunjic and Tussy teaches the method of claim 2, wherein the core application is associated with an institution, and wherein the core application executes the command (see Dunjic ¶42, executed centralized on-boarding engine 158 may perform any of the exemplary processes described herein to generate an application-specific credential indicative of the determination)

As to claim 4, the combination of Dunjic and Tussy teaches the method of claim 3, wherein the command comprises locking a user account (see Tussy ¶151, then the authentication system locks the account).

As to claim 5, the combination of Dunjic and Tussy teaches the method of claim 3, further comprising: 
receiving, by the access controller, user data from the core application based on the command (see Dunjic ¶126, CA system 150 may receive a third-party access request and an applied digital signature from a computing system associated with one or more of the custodians of the confidential data, such as custodian system 110 of FIG. 1 (e.g., in step 502)); and 
transmitting, by the access controller, the user data to the third-party application, wherein the command comprises a request to download the user data from the core application to the third-party application (see Dunjic ¶126, CA system 150 may receive a third-party access request and an applied digital signature from a computing system associated with one or more of the custodians of the confidential data, such as custodian system 110 of FIG. 1 (e.g., in step 502)).

As to claim 6, the combination of Dunjic and Tussy teaches the method of claim 5, wherein the user data comprises health data of the user (see Dunjic ¶12, the third-party application may perform operations that request access to the elements of the confidential data maintained on behalf of the customer at one or more of the custodian systems (i.e. health data is an intended use the prior art of record is capable to maintain)).

As to claim 7, the combination of Dunjic and Tussy teaches the method of claim 1, further comprising: 
receiving, by the access controller and from the third-party application, an identifier associated with the command and identifying the secure application, wherein the third-party application and the secure application execute on a mobile device of the user, and wherein the access controller transmits the authorization request to the secure application based on the identifier (see Dunjic ¶33, the data records of user databases 114 and 134 may include a corresponding user identifier (e.g., an alphanumeric login credential assigned to user 101), and data that uniquely identifies one or more devices (such as client device 102) associated with or operated by that user (e.g., a unique device identifier, such as an IP address, a MAC address, a mobile telephone number, etc.)).

As to claim 8, the combination of Dunjic and Tussy teaches the method of claim 7, wherein the identifier is located within a two-dimensional bar code generated by the secure application and transmitted by the third-party application (see Tussy ¶257, unique identifying transaction number may also be sent from the user to the second user via NFC, Bluetooth, a QR code).

As to claim 9, the combination of Dunjic and Tussy teaches the method of claim 3, further comprising: validating the credentials on a ledger with the institution, wherein the institution issued the credentials (see Dunjic ¶17, perform further operations that record the application-specific credential within the ledger blocks of a cryptographically secure distributed ledger accessible to the one or more custodian systems)

As to claim 10, the combination of Dunjic and Tussy teaches the method of claim 1, wherein the secure application displays an alert to the user in response to receiving the authorization request (see Tussy ¶¶251-252, the authentication server then sends a notification, such as a push notification, to the user's mobile device to request that the user authenticate the transaction).
As to independent claim 11, this claim is directed to a system executing the method of claim 1; therefore, it is rejected along similar rationale.
As to independent claim 17, this claim is directed to a non-transitory computer readable storing instruction for executing the method of claim 1; therefore, it is rejected along similar rationale.
As to dependent claims 12-16 and 18-20, these claims contain substantially similar subject matter as claims 2-10; therefore, they are rejected along the same rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NEGA WOLDEMARIAM/Examiner, Art Unit 2433                 

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433