DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/22/2022 has been entered.
 
Response to Amendment
This office action is in response to the amendment filed on 03/16/2022.
Claims 1-23 are pending for examination. Applicant amends claims 1, 10, 17, and 20. The amendments have been fully considered and entered.
Amendments to claims 1, 10, and 17 regarding the claim objections have been accepted; however, new objections have been made and previous claim objections were not addressed. See below for further details.
Amendment to claim 1 regarding the 35 U.S.C. § 112(b) rejection has been accepted and the 35 U.S.C. § 112(b) rejection has been withdrawn.

Response to Arguments
Applicant’s arguments, see Remarks, filed 03/16/2022, with respect to the rejection of claims 1-9 under 35 U.S.C. § 112(a) have been fully considered but are not persuasive. Applicant argues that "the invention is not limited to the examples described in the specification ... user login interface 222 is not automatically limited to logging into a trusted partner website option. The other option is described as an alternative option, namely logging into a trusted non-partner website" (Remarks, pg. 8). Examiner respectfully disagrees. Firstly, there is no support in the disclosure that suggests the user login interface is not limited to the trusted partner website nor is there any mention or suggestion of "trusted non-partner websites" as applicant has argued and which applicant has not disclosed any support from the disclosure. If indeed support exists, Examiner requests applicant to point out the specific portions of the disclosure which examiner will further consider. Secondly, as submitted previously, the only support found for “a user logging into a page” or a user “logging into” is in paragraphs [0004], [0029], [0031], and [0042] of the specification as filed, which discuss the user logging into a page of the trusted partner when the user selects the first option (i.e., registering using a trusted partner), not the second option. There is no support in the disclosure of the user “logging into a page” when the user selects the second option (i.e., registering manually, see [0034] of the filed specification). Examiner submits there are no mentions of “log”, “logging”, or “page” in paragraphs [0027], [0030], and [0034]-[0036] and Figs. 2 and 3 as cited by applicant (see Remarks filed 09/23/2021) except for “user login interface 222” which is part of “trusted partner 220” as seen in Fig. 2 which reinforces that the user logs into a page of the trusted partner after selecting the first option, not the second option. 
Furthermore, paragraph [0034] gives details on when the user selects the "second option" where the user enters user data manually to register and does not mention another trusted "non-partner" (third party) website or any action of logging in prior to entering personally identifying information data as the amended claim requires. Therefore, examiner submits that Applicant failed to show possession of “logging into a page” responsive to selection of the second option as presently claimed. Furthermore, examiner submits that it is unreasonable for one of ordinary skill to conclude that the “logging into a page” limitation of the first option can be interchangeably implemented by the second option based on the disclosure as initially filed. If applicant argues otherwise, examiner requests that specific support from the disclosure be submitted for further consideration. Therefore, examiner maintains the 112(a) rejection.
Applicant’s arguments, see Remarks, filed 03/16/2022, with respect to the rejection of claims 1, 10, and 17 under 35 U.S.C. § 103 have been fully considered and are not persuasive. The following are applicant arguments recited in the Remarks followed by Examiner's response:
a.	Applicant argues, regarding claim 1, that “Third party AI risk analysis to determine the risk of authenticating the user from their PII is not disclosed or suggested by the references.” (Remarks, pg. 12)
Examiner submits that in light of the amendments, a new grounds of rejection under new reference Gharabegian (US 20180268056 A1) is used in combination to teach this limitation as explained below under the 103 section.
b.	Applicant argues, that “the Office Action is improperly changing the function of features in the references to meet the claimed invention. For example, consider the rejections of claims 10 and 17. As another example, consider the change in function in the rejection of claim 18, where the trusted partner teaching of Kim reference is changed by the Office Action to the claimed third party artificial intelligence risk. Trusted partner and third party are mutually excluding opposites.” (Remarks, pg. 12)
Examiner respectfully disagrees and submits that the Office Action is not improperly changing the function of the features in the references. Regarding claims 10 and 11, it is not clear what function is being improperly changed, therefore, examiner submits there is no improper change in any function of the claims. Regarding claim 18, the argument is confusing because claim 18 uses the trusted partner which occurs when the user selects the first option. The third party artificial intelligence risk evaluation is used when the user selects the second option. The first and second options are mutually exclusive. The combination of Srinivasan and Kim teaches a third party (i.e., a trusted partner) that validates the user after the user selects the first option. Therefore, there is no change in function as applicant asserts.
c.	Applicant argues, that “The AI of Trelin is not, or part of, a third-party risk management. In particular, the Office Action is improperly changing the function of Trelin to try to show obviousness where this is none. To clarify, the references do not disclose or suggest the claimed invention because the references do not teach a third party AI risk manager.” (Remarks, pg. 12)
Examiner respectfully disagrees and submits that Trelin reasonably discloses an artificial intelligence risk analysis evaluation to determine the risk of authenticating a user from their PII. While Trelin does not explicitly disclose that the artificial intelligence risk analysis evaluation is from/of a third party, new reference Gharabegian teaches a third party artificial intelligence system utilized to offload processing power. The combination of Trelin and Gharabegian would reasonably produce the third party risk analysis evaluation as amended by applicant. Further explanation is seen below under the 103 rejection.
 
Claim Objections
Claims 1, 10 and 17 are objected to because of the following informalities:  
Regarding claim 1, the limitation “responsive to successfully authentication of the user identity” in line 22 appears to have grammar issues. Examiner suggests to rephrase the limitation to “responsive to successful authentication of the user identity” to correct grammar issues.
Regarding claim 10, there should be a comma after “score” and after “criteria” in line 9 to correct grammar issues.
Regarding claim 17, there should be a comma after “score” and after “criteria” in line 8 to correct grammar issues.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-9 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 includes the limitation “receiving, by the entity, personally identifying information data from the user responsive to the user logging into a page.” After careful review of the paragraphs submitted by applicant and the entire disclosure, examiner submits that this limitation is considered to be new matter. The only support found for “a user logging into a page” or a user “logging into” is in paragraphs [0004], [0029], [0031], and [0042] of the specification as filed, which discuss the user logging into a page of the trusted partner when the user selects the first option (i.e., registering using a trusted partner). There is no support in the disclosure of the user “logging into a page” when the user selects the second option (i.e., registering manually). Examiner submits there are no mentions of “log”, “logging”, or “page” in paragraphs [0027], [0030], and [0034]-[0036] and Figs. 2 and 3 as cited by applicant except for “user login interface 222” which is part of “trusted partner 220” as seen in Fig. 2 which reinforces that the user logs into a page of the trusted partner after selecting the first option, not the second option. Accordingly, claim 1 is appropriately rejected under 35 U.S.C. 112(a) for new matter. Claims 2-9 are rejected similarly for being dependent on claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan et al. (US 20130086657 A1; hereinafter “Srinivasan”) in view of Kim et al. (US 20110307381 A1; hereinafter “Kim”), Trelin (US 20190266314 A1), and further in view of Gharabegian (US 20180268056 A1).
As per claim 1, Srinivasan discloses: a computer implemented method for proving identity when registering for a service provided by an entity, comprising: 
presenting, by the entity, a user with options for registering for the service (Srinivasan, Fig. 7), wherein the options comprise a first option of validating a user identity through a trusted partner and a second option of validating the user identity through receipt of personal identifying information (Srinivasan, [0024], [0066], and Fig. 7, an application/NPR (i.e., entity) displays options to a user to validate their identity for registration, wherein the options include radio buttons that allow a user to validate via a particular identity provider (i.e., trusted partner), or an option to input personal identifying information (PII), e.g., name and email address information (see [0059])); 
responsive to selection of the first option:
receiving, by the entity, user data from the trusted partner responsive to the user logging into a page on the trusted partner (Srinivasan, [0028]-[0029], identity data (e.g., user's name, address, date of birth, relationship information, social graph data) is retrieved from an identity provider in response to successful logging into the identity provider); and
populating entity user data for the service according to the user data received from the trusted partner responsive to successfully validation of the identity of the user (Srinivasan, [0028]-[0029], responsive to successful user login to the application using login credentials for the user’s Facebook identity, identity information/data gathered can be used to automatically fill out (i.e., populate) a portion of a form for the application);
responsive to selection of the second option:
receiving, by the entity, personally identifying information data from the user responsive to the user logging into a page (Srinivasan, [0063] and Fig. 7, user chooses to register for a local NPR (see Fig. 7) which would require the user to create an account by inputting email and password information. Responsive to account creation, the user’s information such as email (i.e., personally identifying information data) is received and stored by the account).
Srinivasan does not disclose, however, Kim teaches or suggests: validating the user identity for the service responsive to a determination that a user identifier from the trusted partner matches a user identifier on record with the entity (Kim, [0095] and [0097], a universally unique identifier (UUID) is received from the trusted third party after successful authentication with the trusted third party, [0097], user identity is validated responsive to a determination that the UUID from the trusted third party matches a previously stored UUID).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Srinivasan to include validating the user identity using a user identifier from the trusted partner matching a user identifier on record as taught by Kim for the benefit of validating a user based on a non-sensitive user identifier that is trusted, as opposed to exposing private information (e.g., credit card) which prevents malicious actors from obtaining user sensitive personal identifying information in the validation process (Kim, [0005]).
While the modified Srinivasan teaches selection of the second option (Srinivasan, [0063] and Fig. 7), the modified Srinivasan does not disclose, however, Trelin teaches or suggests: applying an artificial intelligence (AI) risk analysis evaluation to the personally identifying information data received to generate a risk score (Trelin, [0066], artificial intelligence is used to determine a risk score that represents the risk from the respective information that the person is who he or she asserts to be, [0035], wherein the information includes biographic information, e.g., email address (i.e. personally identifying information data), among other information); 
authenticating the user if the risk score, when compared to a risk score criteria, indicates a low risk that a person attempting to register is not the user (Trelin, [0094], score (i.e., risk score) is determined after identity check, wherein the risk score is compared to a confidence threshold (i.e., risk score criteria), wherein a high risk score indicates that the person is who he or she asserts to be in order to approve the person for enrolment); and 
populating entity user data for the service according to the user data received from the user responsive to successfully authentication of the user identity (Trelin, [0055]-[0056], biographic data is evaluated to determine if the digital representation of the biometric data (e.g., digital picture of user (see [0035])) is genuine. If the digital representation of the biometric data is genuine (i.e., successful authentication), enrollment is processed, [0057], user fills out form specifying name, address, and email to be populated for the user’s /enrollment account).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include applying artificial intelligence to the user’s personally identifying information for authenticating the user’s identity as taught by Trelin because a person of ordinary skill in the art would know to combine prior art elements according to known methods to yield the predictable result of obtaining the known benefits of using artificial intelligence for the authentication process, such as automation and reduction of human error (KSR).
While the modified Srinivasan teaches an artificial intelligence risk analysis evaluation to determine the risk of authenticating a user from their PII (Trelin, [0066]), the modified Srinivasan does not disclose it being of a third party. However, Gharabegian teaches or suggests: a third party artificial intelligence software hosted on remote servers to be utilized to perform processing or actions (Gharabegian, [0063], “artificial intelligence and/or machine learning software may not need to be stored on an intelligent shading system 300 and/or third party artificial intelligence and/or machine learning software hosted on remote servers may be utilized to perform this processing or these actions”). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include using a third party artificial intelligence software hosted on remote servers as taught by Gharabegian for the benefit of offloading processing power (Gharabegian, [0063]).

Claims 2-6, 8, 9 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Kim, Trelin, Gharabegian, and further in view of Fox et al. (US 20180013565 A1; hereinafter “Fox”).
As per claim 2, claim 1 is incorporated and the modified Srinivasan does not disclose, however, Fox teaches or suggests: wherein the user data from the trusted partner comprises an encrypted value (Fox, [0019], user sensitive information encrypted).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include encrypting user sensitive information being communicated as taught by Fox for the benefit of improving remote identity verification by protecting user sensitive information from malicious third parties (Fox, [0003]).

As per claim 3, claim 2 is incorporated and the modified Srinivasan does not disclose, however, Kim teaches or suggests: decrypting the user data received from the trusted partner (Kim, [0075], all important data is encrypted and decrypted).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include decrypting user data as taught by Kim because a person of ordinary skill in the art would know to combine prior art elements according to known methods to yield the predictable result of decrypting encrypted user data (KSR).

As per claim 4, claim 2 is incorporated and the modified Srinivasan discloses: wherein the user data comprises a first name, a last name, and a data of birth of the user (Srinivasan, [0028], identity data, e.g., user's name, address, date of birth, relationship information, social graph data, etc.).

As per claim 5, claim 2 is incorporated and the modified Srinivasan discloses: wherein the user data comprises a user identifier (Srinivasan, [0028], user’s name).

As per claim 6, claim 5 is incorporated and the modified Srinivasan does not disclose, however, Fox teaches or suggests: wherein the encrypted value of the user identifier received from the trusted partner comprises a salt value of the user identifier (Fox, [0065], salt is combined with the sensitive information before applying the hash function).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include salting and hashing the user identifier to be used for validating by the trusted partner as taught by Fox for the benefit of improving remote identity verification by protecting user sensitive information from malicious third parties (Fox, [0003]).

As per claim 8, claim 1 is incorporated and the modified Srinivasan does not disclose, however, Fox teaches or suggests: receiving an access token from the trusted partner, the access token allowing the entity to retrieve the user data from the trusted partner (Fox, [0063] and [0067], authentication server generates and provides an access token to client server for obtaining categories of information to retrieve).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include a token for retrieving user data from the trusted partner as taught by Fox for the benefit of improving remote identity verification by protecting user sensitive information from malicious third parties (Fox, [0003]).

As per claim 9, claim 1 is incorporated and the modified Srinivasan does not disclose, however, Fox teaches or suggests: wherein the user identifier comprises a social security number (Fox, [0065] and [0055], sensitive information includes a social security number).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include the user identifier to be a social security number as taught by Fox because a person of ordinary skill in the art would know to combine prior art elements according to known methods to yield the predictable result of sensitive user identifier information being social security numbers (KSR).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Kim, Trelin, Gharabegian, Fox, and further in view of Itzhaki et al. (US 20200244640 A1; hereinafter “Itzhaki”).
As per claim 7, claim 6 is incorporated and the modified Srinivasan does not disclose, however, Fox teaches or suggests: 
receiving the salt value from the trusted partner (Fox, [0064], salt is provided to the client server from the authentication server); 
salting and hashing the user identifier on record with the entity to produce an entity salted and hashed user identifier (Fox, [0065], salt is combined with the sensitive information before applying the hash function); 
sending the entity salted and hashed user identifier to the trusted partner (Fox, [0066], client server submits the hash information to the authentication server); and 
receiving an indication from the trusted partner that the entity salted and hashed user identifier matches a trusted salted and hashed user identifier (Fox, [0070]-[0071], authentication server transmits a result of the match to client server).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include salting and hashing the user identifier to be used for validating by the trusted partner as taught by Fox for the benefit of improving remote identity verification by protecting user sensitive information from malicious third parties (Fox, [0003]).
The modified Srinivasan does not disclose, however, Itzhaki teaches or suggests: sending a hash function (Itzhaki, [0013]). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include the trusted partner sending a hash function to the entity as taught or suggested by Itzhaki because a person of ordinary skill in the art would know to combine prior art elements according to known methods to yield the predictable result of sending a hash function in order for both parties to be able to generate the correct hash for validation purposes (KSR).
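Added illustration (not part of the Office action, the claims, or the cited references): a minimal sketch of the salted-hash match exchange recited for claim 7, where the trusted partner supplies a salt and names the hash function, the entity hashes its identifier on record, and the partner returns only a match indication. The names `TrustedPartner`, `salted_hash`, `register_check` and `ALLOWED_HASHES`, the single-use salt, and the hash allowlist are assumptions made for this example; the identifiers are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption for this sketch: the entity only accepts hash functions it has
# vetted, even though the trusted partner is the one naming the function.
ALLOWED_HASHES = {"sha256", "sha512"}


def salted_hash(identifier: str, salt: bytes, algorithm: str) -> str:
    """Combine the salt with the identifier, then apply the named hash."""
    if algorithm not in ALLOWED_HASHES:
        raise ValueError(f"hash function not allowed: {algorithm}")
    h = hashlib.new(algorithm)
    h.update(salt)
    h.update(identifier.strip().encode("utf-8"))
    return h.hexdigest()


class TrustedPartner:
    """Holds the trusted identifier; only a salt and a yes/no answer leave it."""

    algorithm = "sha256"

    def __init__(self, records):
        self._records = dict(records)   # user handle -> identifier
        self._pending = {}              # user handle -> single-use salt

    def begin(self, user: str):
        """Issue a fresh salt and name the hash function for this attempt."""
        salt = secrets.token_bytes(16)
        self._pending[user] = salt      # issued even for unknown users
        return salt, self.algorithm

    def check(self, user: str, candidate_hex: str) -> bool:
        """Return the match indication; the salt is consumed either way."""
        salt = self._pending.pop(user, None)
        if salt is None or user not in self._records:
            return False
        expected = salted_hash(self._records[user], salt, self.algorithm)
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(expected, candidate_hex)


def register_check(partner: TrustedPartner, user: str, identifier_on_record: str) -> bool:
    """Entity side: receive salt, salt and hash the record, send, get the result."""
    salt, algorithm = partner.begin(user)
    digest = salted_hash(identifier_on_record, salt, algorithm)
    return partner.check(user, digest)


if __name__ == "__main__":
    # Constructed sample data, not taken from the application or references.
    partner = TrustedPartner({"alice": "ID-0001-CONSTRUCTED"})
    print(register_check(partner, "alice", "ID-0001-CONSTRUCTED"))  # match
    print(register_check(partner, "alice", "ID-9999-CONSTRUCTED"))  # no match
```

A salt defeats precomputed tables but adds no entropy to a short identifier, so the digest sent to the partner still warrants the same transport protection as the identifier itself.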

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Kim, Trelin, Gharabegian, and further in view of Duncan (US 20140230032 A1).
As per claim 21, claim 1 is incorporated and the modified Srinivasan does not disclose, however, Duncan teaches or suggests: updating the risk score criteria to change a threshold risk score to identify low risk and high risk authentications in response to changes in information (Duncan, [0052], risk threshold is adjusted/updated based on different input variables such as a high transaction amount, a request to change account information, and relative riskiness of an underlying transaction).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include updating a threshold risk score in response to changes in information as taught by Duncan for the benefit of having a dynamic authentication system where a risk threshold can require a variable degree of confidence that the user is who the user purports to be depending on different information (Duncan, [0052]).

Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Trelin in view of Hart et al. (US 20210056562 A1; hereinafter “Hart”) and further in view of Gharabegian.
As per claim 10, Trelin discloses: a computer implemented method for authenticating a user identity for a user, the method comprising: 
receiving, by a registration entity, user non-sensitive personally identifying information (Trelin, [0083]-[0084], user enters email address (i.e., non-sensitive PII)); 
determining a risk score for the user non-sensitive personally identifying information according to a risk evaluation analysis, wherein the risk score is determined according to an artificial intelligence-based risk analyzer (Trelin, [0086] and [0095], a score is determined based on the email verification by the identification processing 631, [0066], wherein artificial intelligence is used to determine the risk score that represents the risk from the respective information that the person is who he or she asserts to be); and 
authenticating the user if the risk score, when compared to a risk score criteria, indicates a low risk that a person attempting to register is not the user (Trelin, [0086] and [0095], user is authenticated if the score indicates sufficient confidence that the person is who he/she is, [0094], wherein the risk score is compared to a confidence threshold (i.e., risk score criteria)).
Trelin does not disclose, however, Hart teaches or suggests: wherein only non-sensitive personally identifying information is exchanged between the entity and the third-party risk analyzer (Hart, [0048], PII is exchanged between ID verification engine 230 and electronic verification system 235 to verify user’s identity, [0046], wherein the PII includes non-sensitive PII such as user’s email address, password, phone number, date of birth, and address).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Trelin to include only exchanging non-sensitive PII as taught by Hart for the benefit of not exposing the user’s sensitive PII which would be more detrimental to the user if obtained by malicious actors.
While the modified Trelin teaches an artificial intelligence-based risk analyzer to determine the risk of authenticating a user from their PII (Trelin, [0066]), the modified Srinivasan does not disclose it being of a third party. However, Gharabegian teaches or suggests: a third party artificial intelligence software hosted on remote servers to be utilized to perform processing or actions (Gharabegian, [0063], “artificial intelligence and/or machine learning software may not need to be stored on an intelligent shading system 300 and/or third party artificial intelligence and/or machine learning software hosted on remote servers may be utilized to perform this processing or these actions”). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include using a third party artificial intelligence software hosted on remote servers as taught by Gharabegian for the benefit of offloading processing power (Gharabegian, [0063]).

As per claim 11, claim 10 is incorporated and the modified Trelin discloses: requesting additional information from the user if the risk score indicates a high risk that the person attempting to register is not the user (Trelin, [0087], “approve/deny rules 632 may tell identification processing 631 whether to perform another identity check. When the approve/deny rules 632 determine that a critical point is reached (the point when the identity of the person can be authenticated), the approve/deny rules 632 may communicate with the client 630 (1) pass, (2) fail, or (3) more information needed in order to authenticate the identity of the person”).

Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Trelin in view of Hart, Gharabegian, and further in view of Benayed (US 20180343246 A1).
As per claim 12, claim 11 is incorporated and the modified Trelin does not disclose, however, Benayed teaches or suggests: generating a personal registration code (Benayed, [0029], registration code is generated by authentication server); and 
sending the personal registration code to the user through a secondary channel (Benayed, [0029], registration code is sent through secure email address).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include generating a registration code, sending the registration code to the user via email, and authenticating the user using the registration code as taught by Benayed for the benefit of enhancing secure authentication of the user by requiring the user to be in possession of the unique registration code in addition to the password/biometric when authenticating (Benayed, [0029]).

As per claim 13, claim 12 is incorporated and the modified Trelin does not disclose, however, Benayed teaches or suggests: wherein the secondary channel comprises one of an e-mail and a phone number (Benayed, [0029], registration code is sent through secure email address).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include generating a registration code, sending the registration code to the user via email, and authenticating the user using the registration code as taught by Benayed for the benefit of enhancing secure authentication of the user by requiring the user to be in possession of the unique registration code in addition to the password/biometric when authenticating (Benayed, [0029]).

As per claim 14, claim 12 is incorporated and the modified Trelin does not disclose, however, Benayed teaches or suggests: authenticating the user upon successful use of the personal registration code (Benayed, [0029], user is authenticated after successful use of registration code and user-created password or biometrics).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include generating a registration code, sending the registration code to the user via email, and authenticating the user using the registration code as taught by Benayed for the benefit of enhancing secure authentication of the user by requiring the user to be in possession of the unique registration code in addition to the password/biometric when authenticating (Benayed, [0029]).

Claims 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Trelin in view of Hart, Gharabegian, and further in view of Livesay et al. (US 20160269379 A1; hereinafter “Livesay”).
As per claim 15, claim 11 is incorporated and the modified Trelin does not disclose, however, Livesay teaches or suggests: presenting the user with a query of at least one knowledge based authentication (KBA) question (Livesay, [0167], presenting user with three KBA questions and authenticating the user based on the correct answers to the three KBA questions); and 
authenticating the user when the user successfully answers the at least one KBA question (Livesay, [0167], presenting user with three KBA questions and authenticating the user based on the correct answers to the three KBA questions).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include authenticating the user using three KBA questions as taught by Livesay for the benefit of enhancing secure authentication of the user by requiring the user to know more information before being authenticated.

As per claim 16, claim 15 is incorporated and the modified Trelin does not disclose, however, Livesay teaches or suggests: wherein the at least one KBA question comprises at least three KBA questions and the authenticating is performed only if the user successfully answers the at least three KBA questions (Livesay, [0167], presenting user with three KBA questions and authenticating the user based on the correct answers to the three KBA questions).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include authenticating the user using three KBA questions as taught by Livesay for the benefit of enhancing secure authentication of the user by requiring the user to know more information before being authenticated.

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Trelin in view of Hart, Gharabegian, and further in view of Duncan (US 20140230032 A1).
As per claim 22, claim 10 is incorporated and the modified Trelin does not disclose, however, Duncan teaches or suggests: updating the risk score criteria to change a threshold risk score to identify low risk and high risk authentications in response to changes in information (Duncan, [0052], risk threshold is adjusted/updated based on different input variables such as a high transaction amount, a request to change account information, and relative riskiness of an underlying transaction).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include updating a threshold risk score in response to changes in information as taught by Duncan for the benefit of having a dynamic authentication system where the risk threshold can require a variable degree of confidence that the user is who the user purports to be depending on different information (Duncan, [0052]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Trelin and further in view of Gharabegian.
As per claim 17, Srinivasan discloses: a computer implemented method for proving identity when registering for a service provided by an entity, comprising: 
presenting, by the entity, options for registering for the service to a user (Srinivasan, Fig. 7), wherein the options comprise a first option of validating a user identity through a trusted partner and a second option of validating the user identity through receipt of personal identifying information from the user (Srinivasan, [0024], [0066], and Fig. 7, an application/NPR (i.e., entity) displays options to a user to validate their identity for registration, wherein the options include radio buttons that allow a user to validate via a particular identity provider (i.e., trusted partner), or an option to input PII, e.g., name and email address information (see [0059])); and 
validating the user identity for the service responsive to successful completion of the first option or the second option (Srinivasan, [0066], user is validated through successfully authenticating via a particular identity provider).
Srinivasan does not explicitly disclose, however, Trelin teaches or suggests: applying an artificial intelligence-based risk analysis evaluation to the personal identifying information to generate a risk score and validating the user if the risk score when compared to a risk score criteria indicates a low risk that a person attempting to register is not the user (Trelin, [0083]-[0084], user enters email address and other personal identification information during enrollment/registration, [0066], artificial intelligence is used to determine a risk score that represents the risk from the respective information that the person is who he or she asserts to be, [0094], score (i.e., risk score) is determined after identity check, wherein the risk score is compared to a confidence threshold (i.e., risk score criteria), wherein a high risk score indicates that the person is who he or she asserts to be in order to approve the person for enrolment). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Srinivasan to include applying artificial intelligence to the user’s PII for authenticating the user’s identity as taught by Trelin because a person of ordinary skill in the art would know to combine prior art elements according to known methods to yield the predictable result of obtaining the known benefits of using artificial intelligence for the authentication process, such as automation and reduction of human error (KSR).
While the modified Srinivasan teaches an artificial intelligence-based risk analysis evaluation to determine the risk of authenticating a user from their PII (Trelin, [0066]), the modified Srinivasan does not disclose it being of a third party. However, Gharabegian teaches or suggests: a third party artificial intelligence software hosted on remote servers to be utilized to perform processing or actions (Gharabegian, [0063], “artificial intelligence and/or machine learning software may not need to be stored on an intelligent shading system 300 and/or third party artificial intelligence and/or machine learning software hosted on remote servers may be utilized to perform this processing or these actions”). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include using a third party artificial intelligence software hosted on remote servers as taught by Gharabegian for the benefit of offloading processing power (Gharabegian, [0063]).

Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Trelin, Gharabegian, and further in view of Kim.
As per claim 18, claim 17 is incorporated and the modified Srinivasan discloses: 
receiving, by the entity, user data from the trusted partner responsive to the user logging into a page on the trusted partner (Srinivasan, [0028]-[0029], identity data is retrieved from an identity provider in response to successful logging into the identity provider); and 
validating the user identity for the service (Srinivasan, [0028], “the user may log in to an application using login credentials for the user's Facebook identity”).
The modified Srinivasan does not disclose, however, Kim teaches or suggests: 
validating the user identity responsive to a determination that a user identifier from the trusted partner matches a user identifier on record with the entity (Kim, [0095] and [0097], a universally unique identifier (UUID) is received from the trusted third party after successful authentication with the trusted third party, [0097], user identity is validated responsive to a determination that the UUID from the trusted third party matches a previously stored UUID).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include validating the user identity using a user identifier from the trusted partner matching a user identifier on record as taught by Kim for the benefit of validating a user based on a non-sensitive user identifier that is trusted, rather than exposing private information (e.g., credit card), thereby preventing malicious actors from obtaining user sensitive personal identifying information in the validation process (Kim, [0005]).

As per claim 19, claim 18 is incorporated and the modified Srinivasan discloses: populating entity user data for the service according to the user data received from the trusted partner responsive to successfully validation of the user identity (Srinivasan, [0028]-[0029], responsive to successful user log in to the application using login credentials for the user’s Facebook identity, identity information gathered can be used to automatically fill out (i.e., populate) a portion of a form).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Trelin, Gharabegian, and further in view of Hart.
As per claim 20, claim 17 is incorporated and the modified Srinivasan does not disclose, however, Trelin teaches or suggests: receiving user non-sensitive personally identifying information (Trelin, [0083]-[0084], user enters email address (i.e., non-sensitive PII)); 
determining a risk score for the user non-sensitive personally identifying information according to the risk evaluation analysis, wherein the risk score is determined according to a third-party risk analyzer (Trelin, [0086] and [0095], a score is determined based on the email verification by the identification processing 631, [0116], identification processing 631 is implemented as a separate computing device (i.e., third-party risk analyzer)); and 
authenticating the user if the risk score indicates a low risk that a person attempting to register is not the user (Trelin, [0086] and [0095], user is authenticated if the score indicates sufficient confidence that the person is who he/she is).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include receiving non-sensitive PII from the user and authenticating the user based on a score for the received non-sensitive PII as taught by Trelin because validating the non-sensitive PII makes sure that the obtained user information is sufficient to positively identify that the person is who the person claims to be (Trelin, [0005]).
The modified Srinivasan does not disclose, however, Hart teaches or suggests: wherein only non-sensitive personally identifying information is exchanged between the entity and the third-party risk analyzer (Hart, [0048], PII is exchanged between ID verification engine 230 and electronic verification system 235 to verify user’s identity, [0046], wherein the PII includes non-sensitive PII such as user’s email address, password, phone number, date of birth, and address).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include only exchanging non-sensitive PII as taught by Hart for the benefit of not exposing the user’s sensitive PII, which would be more detrimental to the user if obtained by malicious actors.

Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Trelin, Gharabegian, and further in view of Duncan (US 20140230032 A1).
As per claim 23, claim 17 is incorporated and the modified Srinivasan does not disclose, however, Duncan teaches or suggests: updating the risk score criteria to change a threshold risk score to identify low risk and high risk authentications in response to changes in information (Duncan, [0052], risk threshold is adjusted/updated based on different input variables such as a high transaction amount, a request to change account information, and relative riskiness of an underlying transaction).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include updating a threshold risk score in response to changes in information as taught by Duncan for the benefit of having a dynamic authentication system where the risk threshold can require a variable degree of confidence that the user is who the user purports to be depending on different information (Duncan, [0052]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Holly, JR. et al. (US 20190384794 A1) discloses an AI/decisioning third party being contemplated as a third party sub-system because it requires significant labor and planning to be integrated into another platform/system ([0111]).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552.  The examiner can normally be reached on M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437