Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	This action is in response to the claims filed 2/02/2021.  Claims 1-20 are pending.  Claims 1 (a non-transitory CRM), 11 (a method), and 17 (a machine) are independent. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 15 and 16 rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claims 15 and 16 depend on claim 14.  Claim 14 requires: “wherein the requested validation action comprises a request to provide a security question”.  Claim 15 requires: “wherein the requested validation action comprises a request to provide a biometric input”.  Claim 16 requires: “wherein the requested validation action comprises a request to provide a photograph”.  
Claims 15 and 16 redefine “the requested validation action” that was previously defined in claim 14.  Claims 15 and 16 fail to further limit claim 14.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4-8, 11, 13-15, and 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Geupel, US 2018/0276647 (filed 2017-03), in view of Shah et al., US 2016/0087957 (filed 2014-04). 
As to claims 1, 11, and 17, Geupel discloses a CRM/method/machine comprising:
(as to the hardware of claims 11 and 17: “A suitable smartphone therein assumes the function of a debit/credit card point-of-sale terminal capable of wireless short-range data transmission (NFC).” Geupel ¶ 7)
(“transmitting initial transaction data from a web server to a display unit connected to the data network via said data network, and a01) local visual and/or acoustic displaying of the initial transaction data thereon, particularly visually displaying as bar code or QR code on a provider website” Geupel ¶ 29)
receive a request from a validation server; (“a01) local visual and/or acoustic displaying of the initial transaction data thereon, particularly visually displaying as bar code or QR code on a provider website, or a02) forwarding the initial transaction data via Google or Apple Push Notification service to the user terminal,” Geupel ¶ 29)
perform a first validation action by authenticating (“The mobile app 7 establishes a mutually authenticated encrypted TLS communication channel with the online banking server 10 and sends the user authentication data over same to the online banking server 10; i.e. the result of the smartphone's internal fingerprint comparison or PIN input as saved once in the online banking server 10 (step SB′).” Geupel ¶ 44), on a computing device, an identity of the user; (“The mobile app 7 displays the transaction data to the user, requesting the user to confirm the transaction within the framework of a fingerprint or PIN input” Geupel ¶ 44)
perform a second validation action by receiving, via a short-range communication protocol, a scan of a code from a physical token;  (“The online banking server 10 sends the encrypted or signed transaction file to the mobile app 7 (step SD′).
The mobile app 7 packs the transaction file into an APDU command without decrypting or processing it and forwards it to the card 9 via NFC (step SE′).
The card 9 receives the APDU command and decrypts the transaction file if the online banking server 10 uses symmetrical keys or respectively checks the transaction file signature if the online banking server 10 uses asymmetrical keys (step SP).
The card 9 generates a digital signature or cryptogram respectively, e.g. Message Authentication Code (MAC), for the transaction file pursuant to the common standards and transmits same in APDU format to the mobile app 7 (step SG′).” Geupel ¶ 44.  See also Geupel ¶ 26)
based on the first validation action and the second validation action, generate a validation response package … and the code retrieved from the physical token; and (“a final transaction file, which includes the transaction signature, is generated in the mobile app 7 and transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44.  Recall that the “transaction file” is generated based on checking the user’s fingerprint or PIN in ¶ 44)
transmit the response package to the validation server. (“transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44)


	Geupel, although directed to online banking, does not explicitly state that user information, or account identification is included in the transmitted data.  Geupel does not explicitly disclose:
the request associated with a user account associated with a user
	Identifying the user

	Shah discloses a multi-factor authentication system that may be used for online banking (Shah ¶ 54).  Shah discloses:
the request associated with a user account associated with a user (“The browser may communicate with the SP 104, and the communication may include a user ID that is associated with the user 107.” Shah ¶ 153. “the MFAS 106 determines the types and strengths of the authentication factors that can be performed to achieve the required assurance level. The MFAS 106 may further identify authentication agents that can perform the required authentications.” Shah ¶ 154. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58. See Figures 7A-C for an example of multi factor authentication flow.)
	Identifying the user (“At 744 a, the MFAP 110 consolidates the first, second, and third authentication assertions to create a consolidated assertion for multiple authentication factors. The MFAP 110 signs the consolidated assertion. The MFAP 110 may further compute an aggregate achieved assurance level and freshness level.” Shah ¶ 159. “an assertion also contain various data representing information elements that may represent, for example: specific details of the executed multi-factor authentication, the user identity that has been authenticated, or other contextual information.” Shah ¶ 126).

	A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Geupel with Shah by associating the authentication with a user account and including data that indicates a user account in the multi factor authentication of Geupel.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to associate the authentication and associated data with a user account/identifier in order for the authentication server to know which user and user account was being authenticated. 

	As to claim 2, Geupel in view of Shah discloses the CRM of claim 1 and further discloses:
wherein the short-range communication protocol is a near field communication (NFC) protocol. (“The mobile app 7 packs the transaction file into an APDU command without decrypting or processing it and forwards it to the card 9 via NFC (step SE′).
…
The card 9 generates a digital signature or cryptogram respectively, e.g. Message Authentication Code (MAC), for the transaction file pursuant to the common standards and transmits same in APDU format to the mobile app 7 (step SG′).” Geupel ¶ 44.  See also Geupel ¶ 26)

As to claim 4 Geupel in view of Shah discloses the CRM of claim 1 and further discloses:
wherein the physical token is computing hardware physically incorporated into a credit card. (“By linking NFC-enabled debit and credit cards to a customer's NFC-enabled terminal (smartphone) … It realizes a simple method for activating a signature function on bank cards for authorizing money transfers.” Geupel ¶ 17)

As to claim 5 Geupel in view of Shah discloses the CRM of claim 1 and further discloses:
wherein authenticating the identity of the user comprises logging the user into the user account on an application (“the mobile app for processing a biometric data set is formed by a biometric sensor.” Geupel ¶ 37) running on the computing device. (“The mobile app 7 establishes a mutually authenticated encrypted TLS communication channel with the online banking server 10 and sends the user authentication data over same to the online banking server 10; i.e. the result of the smartphone's internal fingerprint comparison or PIN input as saved once in the online banking server 10 (step SB′).” Geupel ¶ 44. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58)

As to claims 6 and 13 Geupel in view of Shah discloses the CRM/method of claims 1 and 11 and further discloses:
further storing instructions to cause the processor to receive and process an escalated validation request, the escalated validation request comprising a requested validation action. (Escalation being the performance of a plurality of authentications – multi-factor authentication: “the MFAS 106 determines the types and strengths of the authentication factors that can be performed to achieve the required assurance level. The MFAS 106 may further identify authentication agents that can perform the required authentications.” Shah ¶ 154. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58. See Figures 7A-C for an example of multi factor authentication flow.)

As to claims 7, 14, and 18 Geupel in view of Shah discloses the CRM/method/machine of claims 6, 13, and 17 but does not disclose:
wherein the requested validation action comprises a request to provide a security question, and the medium further storing instructions to cause the processor to: present, on a display of the computing device, the security question; receive a response to the security question; and transmit the response to the validation server.

Shah further discloses:
wherein the requested validation action comprises a request to provide a security question, and the medium further storing instructions to cause the processor to: present, on a display of the computing device, the security question; (“a banking application may request a high assurance level…. the IdP may perform a challenge-response protocol to increase the assurance level to the desired level, at the cost of inconvenience to the user. It is inconvenient to the user because the user may have to answer security questions so that the user is further verified (e.g., What is your mother's maiden name? What is the name of your first pet? Where were you born? etc.).” Shah ¶ 123) receive a response to the security question; and transmit the response to the validation server. (“The authentication carried out at 728 may involve a number of round-trip messaging, which may also include Challenge-Response messages, for example. An assertion, such as a first assertion for example, may be generated by the first authentication server 706 a upon a successful authentication.” Shah ¶ 155.  Authenticating a client via question based challenge response at a server.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Geupel in view of Shah with Shah by determining and performing sufficient authentications to achieve a desired assurance level.  A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Geupel in view of Shah with Shah in order to provide for increased security for sensitive operations, Shah ¶ 123, by obtaining a required assurance level, Shah ¶ 154.


As to claims 8, 15, and 19 Geupel in view of Shah discloses the CRM/method/machine of claims 6, 14, and 17 and further discloses:
wherein the requested validation action (“the MFAS 106 determines the types and strengths of the authentication factors that can be performed to achieve the required assurance level. The MFAS 106 may further identify authentication agents that can perform the required authentications.” Shah ¶ 154.) comprises a request to provide a biometric input, and the medium further storing instructions to cause the processor to: receive, via a biometric device of the computing device, the biometric input; (“The mobile app 7 displays the transaction data to the user, requesting the user to confirm the transaction within the framework of a fingerprint or PIN input” Geupel ¶ 44)

Geupel in view of Shah does not disclose:
and transmit the biometric input to the validation server.

Shah further discloses:
and transmit the biometric input to the validation server. (“the first authentication server 706 a may carry out an authentication. The authentication may also require input from the user 107. For example, the authentication may comprise an authentication of the user of the browser 704 (e.g., a biometric of the user)” Shah ¶ 155. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58. See Figures 7A-C for an example of multi factor authentication flow.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Geupel in view of Shah with Shah by performing a biometric authentication at an authentication server, i.e. the biometric authentication of Geupel or an additional biometric.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Geupel in view of Shah with Shah in order to provide for increased security for sensitive operations, Shah ¶ 123, by obtaining a required assurance level, Shah ¶ 154.

Claims 3 and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Geupel, US 2018/0276647 (filed 2017-03), in view of Shah et al., US 2016/0087957 (filed 2014-04), and Hammad et al., US 2012/0018506 (filed 2011-05). 
As to claims 3, 12 Geupel in view of Shah discloses the CRM/method of claim 1 and 11 but does not disclose:
wherein the code is a counter stored on the physical token that is incremented each time the code is read from the physical token.

Hammad discloses: 
wherein the code is a counter stored on the physical token (“Portable consumer devices encompass credit cards, charge cards, debit cards, bank cards” Hammad ¶ 33) that is incremented each time the code is read from the physical token. (“The variable datum may comprise, or may be accompanied by, a counter value that indicates the number of times the portable consumer device has generated the variable datum; the counter value may assist the authorization entity in retrieving the variable datum from the entity's computer-readable medium, or in generating the variable datum from the algorithm.” Hammad ¶ 34. “The counter reduces the chances of a fraudster guessing the cryptogram value.” Hammad ¶ 61. See also Hammad ¶ 112)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Geupel in view of Shah with Hammad by providing a counter value in the transaction file and transaction signature of Geupel.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Geupel in view of Shah with Hammad in order to use an incremented counter value to reduce the change of a fraudster guessing the value of the signature of Geupel, Hammad ¶ 61. 

Claims 9, 10, 16, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Geupel, US 2018/0276647 (filed 2017-03), in view of Shah et al., US 2016/0087957 (filed 2014-04), and Drolshagen et al., US 2017/0019400 (filed 2015-06). 
As to claims 9, 16, and 20 Geupel in view of Shah discloses the CRM/method/machine of claims 6, 14, and 17 but does not disclose:
wherein the requested validation action comprises a request to provide a photograph, and the medium further storing instructions to cause the processor to: receive the photograph from a camera of the computing device; generate a response to the escalated validation request, the response including the photograph; and transmit the response to the validation server.

Drolshagen discloses:
wherein the requested validation action comprises a request to provide a photograph, and the medium further storing instructions to cause the processor to: (“First, the User is instructed to take a picture or a short video of him/her with their mobile device (“User photo”). The User can be allowed to repeat this process until the User is satisfied with the image. The User is then given a limited number of minutes to take a photograph of their government identification card” Drolshagen ¶ 21) 
receive the photograph from a camera of the computing device; (“The User is then given a limited number of minutes to take a photograph of their government identification card (“ID Card photo”), such as, for example, a driver's license, a state ID card, a passport, a school ID, or any such identification device, which has a photograph of the User.” Drolshagen ¶ 21)
generate a response to the escalated validation request, the response including the photograph; and (“A verification engine on the server 105 isolates the User's image from the ID (“ID photo”) and isolates personal data from the text and/or bar code on the ID.” Drolshagen ¶ 64)
transmit the response to the validation server. (see Drolshagen Fig. 2, transmitting the picture to the server for validation: “A verification engine on the server 105 isolates the User's image from the ID (“ID photo”) and isolates personal data from the text and/or bar code on the ID.” Drolshagen ¶ 64. See Drolshagen Fig. 7 showing images being sent to server.).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Geupel in view of Shah with Drolshagen by performing an authentication using a drivers license and facial image of the user.  It would have been obvious to a person of ordinary skill in the art to combine Geupel in view of Shah with Drolshagen in order to confirm the liveliness of the user, i.e. not a spoofed biometric, Drolshagen ¶ 65. 

As to claim 10 Geupel in view of Shah and Drolshagen discloses the CRM of claim 9 and further discloses:
wherein the photograph is a picture of an identification associated with the user. (“The User is then given a limited number of minutes to take a photograph of their government identification card (“ID Card photo”), such as, for example, a driver's license, a state ID card, a passport, a school ID, or any such identification device, which has a photograph of the User.” Drolshagen ¶ 21)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Masiero et al., US 2018/0234411, discloses authenticating a user using a companion device and QR code scanning. 
Drake, US 2017/0346851, discloses validating a user using a token.
Mitra et al., US 2016/0267486, discloses a universal smartcard for payment that is controlled via a mobile device.  
Hoyos, US 2014/0337221, discloses a mobile device asssisted authentication for an ATM transaction.
Safak et al., US 2019/0385160, discloses a software card on a mobile device.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/Examiner, Art Unit 2492