DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
This action is in reply to the response filed on 5/6/2022.  Claims 1, 9-11, 13 and 25 have been amended.  Claims 7, 8, 18 and 19 have been cancelled.  Claims 1-6, 9-17 and 25 are currently pending and have been examined.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-6, 9-17 and 25 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  A Section 101 analysis is below.
Step 1 – are the claims directed to a process, machine, manufacture or composition of matter.  The method of claim 1, system of claim 13 and CRM of claim 25 are within the statutory categories of invention.
Step 2A, prong one – do the claims recite a judicial exception, which is an abstract idea enumerated in the 2019 PEG, a law of nature, or a natural phenomenon.  Using the text of claim 1 as an example, claims 1, 13 and 25 recite: 
1. A computer-implemented method for authenticating a user, comprising: 
registering, with at least one processor, a plurality of user accounts for a plurality of users in at least one data structure based at least partially on user information and account data for each user of the plurality of users, the account data for each user comprising an account identifier associated with a portable payment device; 
generating, with at least one processor, an identity score for each user based on the account data for the user; 
registering, with at least one processor, a plurality of provider accounts for a plurality of third-party service providers in at least one data structure based at least partially on third-party service provider data; 
receiving, from a third-party system corresponding to a third-party service provider of the plurality of third-party service providers, an initial request to authenticate a user of the plurality of users, the initial request communicated in response to the user creating an account with the third-party service provider; 
receiving, from a device associated with the user, user credentials corresponding to a user account of the user; 
validating, with at least one processor, the user credentials based at least partially on the identity score for the user; 
in response to validating the user credentials, communicating a redirect message to the device associated with the user, the redirect message comprising an authentication code and configured to cause the device to be redirected to the third-party system; 
receiving, from the third-party system, an access token request message comprising an authorization code and third-party service provider data;  
validating, with at least one processor, the access token request message; 
in response to validating the access token request message, generating, with at least one processor, an access token based at least partially on the authorization code and the third-party service provider data; and 
communicating the access token to the third-party system, the access token configured to allow the third-party system to access user information and account data authorized by the user to be shared.

Referring to the bolded limitations above, independent claims 1, 13 and 25 are each directed to an abstract idea enumerated in the 2019 PEG.  Specifically, claims 1, 13 and 25 are each directed to the commercial or legal interaction of authenticating a user.  More specifically, as drafted each of claims 1, 13 and 25 only recite the simple legal or commercial interaction of the remote authentication of people over a network for the purpose, as described in the specification, of accessing services.  Accordingly, each of claims 1, 13 and 25 are directed to the judicial exception of an abstract idea.
Step 2A, prong two – do the claims recite additional elements that integrate the judicial exception into a practical application.   Integration of the judicial exception into a practical application requires an additional element or a combination of additional elements in the claim to apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the exception.  Regarding claims 1, 13 and 25, since these claims only contain mere instructions to implement the abstract idea on a computer in its ordinary capacity for a legal or commercial interaction (e.g., to receive, store, or transmit data), the recitation in claims 1, 13 and 25 of processors and user devices does not integrate the judicial exception into a practical application.  Please see MPEP 2106.05(f) and 2106.05(g).  It is further noted that the claimed invention as recited in claims 1, 13 and 25 does not pertain to an improvement in the functioning of the computer itself or a technological solution to a technological problem.
Step 2B – do the claims recited additional elements that amount to significantly more than the judicial exception.  Regarding claims 1, 13 and 25, these claims recite known activity in the field previously known to the industry, specified at a high level of generality, to the judicial exception.  Please see MPEP 2106.05(d) and the Berkheimer Memo.  For example, user authentication is notoriously well known as evidenced by the references cited on the PTO-892 attached to the OA dated 12/10/2021.  Moreover, the processors and user devices of claims 1, 13 and 25 are known devices, as discussed in paragraph [0055] and [0056] of the Applicant’s specification.   Accordingly, claims 1, 13 and 25 do not recite additional elements that amount to significantly more than the judicial exception.
In view of the above analysis, independent claims 1, 13 and 25 are not patent eligible.  Dependent claims 2-6, 9-12, and 14-17 do not cure the deficiencies in their respective base claims as these claims also recite extra-judicial and known activity, and are also not patent eligible.  Specifically, claims 2-6, 9-12, and 14-17 merely refine the abstract idea by invoking a computer as a tool to perform an existing process (2A2, please see MPEP 2106.05(f)) using known activity such as the use of conventional authentication factors, data storage and tokenization (2B).  

Claim Rejections - 35 USC § 103  
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-6, 9-17 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Williamson (US 2015/0066768) in view of Irish (US 2016/0378549).
Claim 1 recites:
A computer-implemented method for authenticating a user, comprising: (Williamson, Fig. 6, [0057], process 600)
registering, with at least one processor, a plurality of user accounts for a plurality of users in at least one data structure based at least partially on user information and account data for each user of the plurality of users, the account data for each user comprising an account identifier associated with a portable payment device; (Williamson, Fig. 2, [0040], database 120 stores account number)
generating, with at least one processor, an identity score for each user based on the account data for the user; (Williamson, Fig. 6, [0060], confidence score)
registering, with at least one processor, a plurality of provider accounts for a plurality of third-party service providers in at least one data structure based at least partially on third-party service provider data; (Wiiliamson, Fig. 2, [0040], database 120 stores merchant data)
receiving, from a third-party system corresponding to a third-party service provider of the plurality of third-party service providers, an initial request to authenticate a user of the plurality of users, the initial request communicated in response to the user creating an account with the third-party service provider; (Williamson, Fig. 6, [0058], consumer 650 registers payment card with token requestor 655 to store for use in future transactions and token requestor 655 requests authentication of consumer 650; [0059], consumer 650 accesses 602 registration system on a website associated with token requestor) 
receiving, from a device associated with the user, user credentials corresponding to a user account of the user; (Williamson, Fig. 6, [0060], authentication data from the device consumer 650 is transacting on)
validating, with at least one processor, the user credentials based at least partially on the identity score for the user; (Williamson, Fig. 6, [0060], [0061], authentication based in part on confidence score)
in response to validating the user credentials, communicating a redirect message to the device associated with the user, the redirect message comprising an authentication code and configured to cause the device to be redirected to the third-party system; (Williamson, Fig. 6, [0063], issuer 30 generates 628 an accountholder authentication value (AAV) and send the AAV to token requestor 655 as proof of identity and verification (IDV).  Williamson does not specifically disclose communicating a redirect message comprising an authentication code and configured to cause the device to be redirected to the third-party system.  Irish, Fig. 10, [0159], discusses redirect links between retailer and service provider utilizing callback URL, credentials and validation tokens, and specifically notes the service provider may (if valid) respond with the retailer’s provided (in 2, 3) callback URL and a validation token”.  It would have been obvious to a person of ordinary skill in the art at the time of filing to modify the authentication code of Williamson to be sent through a redirect message as disclosed in Irish so that the issuer may perform authentication and response query with the consumer as discussed in Williamson, [0061].)
receiving, from the third-party system, an access token request message comprising an authorization code and third-party service provider data; (Williamson, Fig. 6, [0063], token requestor transmits token provisioning request including AAV; [0032], authorization code)
validating, with at least one processor, the access token request message; (Williamson, [0063], token provider 660 validates 634 the AAV and creates token)
in response to validating the access token request message, generating, with at least one processor, an access token based at least partially on the authorization code and the third-party service provider data; and (Williamson, Fig. 6, [0061], [0063], token creation, AAV)
communicating the access token to the third-party system, the access token configured to allow the third-party system to access user information and account data authorized by the user to be shared.  (Williamson, [0063], token provider transmits token to token requestor, personal identity information; [0040], database) 
Claims 13 and 25 correspond to claim 1 and are rejected on the same grounds.  Regarding claim 13, Williamson, Figs. 2 and 3, system.  Regarding claim 25, Williamson, Fig. 4, [0046], CRM.
Claim 2 recites:
The computer-implemented method of claim 1, wherein generating the identity score for each user is based at least partially on at least one of the following: an account type, a credit score, an account usage, or any combination thereof.  (Williamson, Fig. 6, [0060], days since cardholder 22 last used card)  
Claim 14 corresponds to claim 2 and is rejected on the same grounds.
Claim 3 recites:
The computer-implemented method of claim 1, wherein generating the identity score for each user is based at least partially on an account verification score of the user, the account verification score based at least partially on at least two of the following parameters: a verified Primary Account Number, a verified security code, verified user information, or any combination thereof.  (Williamson, Fig. 6, [0060], [0061], PII, consumer IDV)
Claim 15 corresponds to claim 3 and is rejected on the same grounds.
Claim 4 recites:
The computer-implemented method of claim 1, wherein generating the identity score for each user is based at least partially on a credit score of the user.  (Williamson, Fig. 6, [0060], credit reference agency)
Claim 16 corresponds to claim 4 and is rejected on the same grounds.
Claim 5 recites:
The computer-implemented method of claim 1, wherein generating the identity score for each user is based at least partially on an account usage score of the user, the account usage score based at least partially on at least one of the following: a frequency of usage of a portable payment device, an amount spent with the portable payment device, an age of the portable payment device, or any combination thereof.  (Williamson, Fig. 6, [0060], purchase information and days since cardholder 22 last used card on file)
Claim 17 corresponds to claim 5 and is rejected on the same grounds.
Claim 6 recites:
The computer-implemented method of claim 1, wherein validating the user credentials comprises determining if the identity score for the user satisfies a threshold.  (Williamson, Fig. 6, [0061], threshold test)
Claim 9 recites:
The computer-implemented method of claim 1, wherein a request to authenticate the user is received subsequent to the initial request to authenticate the user, and wherein the request to authenticate the user comprises the access token.  (Williamson, [0064], future transactions utilizing token vault)
Claim 10 recites:
The computer-implemented method of claim 1, wherein the redirect message causes the authentication code to be stored by a browser application executing on the device.  (Williamson, [0049], web browser and client application.  Williamson does not specifically disclose a redirect message.  Irish, Fig. 10, [0159], discusses redirect links between retailer and service provider utilizing callback URL, credentials and validation tokens.  It would have been obvious to a person of ordinary skill in the art at the time of filing to modify the link to click on of Williamson with the redirect links of Irish so that the issuer may perform authentication and response query with the consumer as discussed in Williamson, [0061].)
Claim 11 recites:
The computer-implemented method of claim 1, wherein the redirect message comprises a callback URL, and wherein the initial request to authenticate the user comprises the callback URL.  (Williamson does not specifically disclose a redirect message or callback URL.  Irish, Fig. 10, [0159], discusses redirect links between retailer and service provider utilizing callback URL, credentials and validation tokens.  It would have been obvious to a person of ordinary skill in the art at the time of filing to modify the link to click on of Williamson with the redirect links of Irish so that the issuer may perform authentication and response query with the consumer as discussed in Williamson, [0061].
Claim 12 recites:
The computer-implemented method of claim 1, wherein each account identifier comprises a token corresponding to a Primary Account Number, and wherein registering each user of the plurality of users in the at least one data structure comprises: generating the token based on the Primary Account Number; and storing the token in the at least one data structure in relation to user data.  (Williamson, [0064], primary account number associated with token and token vault)

Response to Arguments
Applicant's arguments filed 5/6/2022 have been fully considered and are addressed below.
Regarding the rejection under 35 U.S.C. 101, Applicant’s arguments have been fully considered but they are not persuasive.  
Regarding the arguments concerning Step 2A, prong one, the certain methods of organizing human activity grouping of abstract ideas includes commercial and legal interactions.  As noted in the title and recited in the claims, the invention is directed to authenticating a user in the context of accessing third party systems.  Since user authentication is a legal requirement of electronic financial transactions and a matter of owner defined rules (contractual relationship) for other third party applications, the claims are clearly within the groupings of abstract ideas discussed in the 2019 PEG.  Regarding the “improvement to technology”, it is respectfully noted that the claim operations are performed by generic computer components and the recitation of generic components in a claim does not preclude a claim from reciting an abstract idea.
Regarding Applicant’s arguments regarding Step 2A, prong two, integration into a practical application requires an additional element or a combination of additional elements in the claim to apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the exception.  Limitations that are indicative of integration into a practical application include improvements to the functioning of a computer, applying the judicial exception with a particular machine, effecting transformation of a particular article to a different state or thing or applying the judicial exception in some other meaningful was beyond generally linking the use of the judicial exception to a particular technological environment.  It is respectfully submitted that the feature cited by the Applicants, “a specific way to securely and effectively authenticate users”, does not fall into one of these categories and instead is adding insignificant extra-solution activity.  Please see MPEP 2106.05(g) regarding adding insignificant extra-solution activity including data gathering and manipulation.  Please see MPEP 2106.05(f) which further discusses a commonplace business method or mathematical algorithm being applied on a general purpose computer is an example where the courts have found the additional elements to be mere instructions to apply an exception, because they do no more than merely invoke computers or machinery as a tool to perform an existing process.
Regarding Applicant’s arguments regarding Step 2B, Step 2B is directed to whether the claim recites additional elements that amount to an inventive concept (AKA “significantly more”) than the judicial exception.  It is respectfully submitted that the feature cited by the Applicants, “receiving an access token request message comprising an authorization code and third-party service provider data; validating the access token request message; generating an access token based at least partially on the authorization code and the third-party service provider data in response to validating the access token; and communicating the access token to the third- party system, where the access token allows the third-party system to access user information and account data authorized by the user to be shared”, is a known activity as tokenization, along with encryption, are ubiquitous features of performing transactions or conveying data over public networks.   
Regarding the rejections under 35 U.S.C. 102 and 103, Applicant’s arguments have been fully considered and the amended claims are addressed in detail above.  Applicant argues Williamson does not disclose “receiving, from the third-party system, an access token request message comprising an authorization code and third- party service provider data; validating, with at least one processor, the access token request message; in response to validating the access token request message, generating, with at least one processor, an access token based at least partially on the authorization code and the third-party service provider data; and communicating the access token to the third-party system, wherein the access token allows the third- party system to access user information and account data authorized by the user to be shared.”  The Examiner respectfully disagrees.  Please see Williamson, [0063], which obviates the above-noted features under the standard of BRI.  


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure includes:
Rokde (US 2018/0197214) discusses tokenizing including extracting user information, Fig. 6 and [0031].
Kaladgi (US 2018/0026962) discusses tokenizing user information, [0016].
Thomas (US 2017/0244727) discusses associating a token with user information for services of a service network, [0063].
Mohamed (US 2017/0109747) discusses tokenizing user information, [0020].
Esmailzadeh (US 2016/0253521) discusses granting access to personal user data, Fig. 10, [0024].
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Gregory Harper whose telephone number is (571)272-5481. The examiner can normally be reached M-Th 7am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin Hewitt II can be reached on (571) 272-6709. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GH/




/DAVID P SHARVIN/Primary Examiner, Art Unit 3692