Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
	This application claims priority to a Finnish application # FI20155924 dated 12/07/2015.
DETAILED ACTION
	This office action is in response to an amendment application received on 03/11/2022. In the amendment, applicant has amended claims 1, 5 and 10. Claims 2-4 and 6-9 remain original. 
For this office action, claims 1-10 have been received for consideration and have been
examined. 
Response to Arguments
Claim Rejections – 35 USC § 103
Applicant’s arguments, filed 03/11/2022, with respect to the rejections of claims under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the independent claims.





Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5 and 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al., (US20170118638A1) in view of Schroeder et al., (US20130288644A1) in view of Ahmavaara et al., (US20040066769A1) and further in view of Non-Patent Literature (NPL) titled “Mobile Certificate Based Network Services” dated July 2013 hereinafter referred as NPL # 1.
Regarding claim 1, Zhang discloses: 
	A method for determining an access right of a user terminal to a first network, the user terminal including a subscription of a second network, the method comprising:
	identifying, by the user terminal (i.e., the Wi-Fi-enabled device), that the first network supports a server inquiry-based authentication mechanism (i.e., see list of supported authentication types in [0003]), the identifying being performed by the user terminal based on an identifier (i.e., received by the Wi-Fi enabled device a response ANQP query message listing supported authentication types sent from the server through the access point) sent by an access point of the first network ([0003] Having entered the communication range of the wireless access point, the Wi-Fi-enabled device can receive, from the wireless access point, a beacon message indicating that the wireless access point is configured to support Hotspot 2.0. If the Wi-Fi-enabled device is also configured to support Hotspot 2.0, then the Wi-Fi-enabled device can send, using the Access Network Query Protocol (ANQP) defined in the IEEE 802.11u standard, an ANQP query message to the wireless access point to determine what authentication types and/or protocols are supported within the Wi-Fi network; [0004] In response to the ANQP query message, the ANQP server can provide, in an ANQP response message, a list of supported authentication types and/or protocols to the wireless access point, which can forward the list of supported authentication types and/or protocols to the Wi-Fi-enabled device); 
generating, by the user terminal, an access request message in accordance with the identified server inquiry-based authentication mechanism ([0005] Once the Wi-Fi-enabled device is associated with the wireless access point, the Wi-Fi-enabled device can initiate the EAP by sending an EAP-Start message to the wireless access point. In response to the EAP-Start message, the wireless access point can request the Wi-Fi-enabled device to identify itself by sending an EAP-Request/Identity message to the Wi-Fi-enabled device).
Zhang fails to disclose:
	receiving, in an access server from the access point, the access request message originated from the user terminal requesting access to the first network through the access point, the access request message comprising a data record for a user name and a data record for a password; determining, by the access server, that the data record for the user name and the data record for the password are in a predetermined format and that at least one of the data records comprises data from which a subscriber identity for the second network is derivable; generating, by the access server, an authentication request message from the access server to a server configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least partly from at least one data record in the access request message; in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal by the server configured to perform authentication-related tasks; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message; receiving, at the server configured to perform authentication-related tasks from the user terminal, the identification confirmation message, when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal; receiving, in the access server, from the server configured to perform authentication-related tasks, information on a positive outcome of the authentication of the subscriber in the second network; and generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network.
However, Schroeder discloses:
receiving, in an access server (See FIG. 1; i.e. SAMOG Wireless Access Gateway (WAG) 16) from the access point, the access request message (i.e. Request Identity frame (202)) originated from the user terminal requesting access to the first network through the access point, the access request message comprising a data record for a user name and a data record for a password ([0046] In some examples, subscriber database 26 obtains mobility information (e.g., IMSI/MSISDN values) for subscribers from HLR 24 and associates respective mobility information with subscriber credentials (e.g., usernames/passwords); [0049] The example of FIG. 2 illustrates operation of User Equipment (UE) (e.g., an instance of wireless device 4 having a SIM card), a WLAN (e.g., alternate access network 10, in particular, access point 32), SaMOG WAG 16, AAA server 40, HLR 24, and GGSN 22; [0051] Initially, access point 32 requests wireless device 4 identify itself with an EAP over LAN (EAPoL) Request Identity frame (202). Wireless device 4 response with an EAP Response Identity frame containing an identifier for wireless device 4 (e.g., a username) (204)); 
determining, by the access server, that the data record for the user name and the data record for the password are in a predetermined format (see [0053] i.e. mapping of username/password to MSISDN) and that at least one of the data records comprises data from which a subscriber identity for the second network is derivable ([0053] Subscriber database 26 maps the username to a password (together, the “subscriber credentials”), and subscriber 26 maps the subscriber credentials to a “virtual” IMSI/MSISDN, which may or may not represent the IMSI/MSISDN for the true subscriber associated with the subscriber credentials (218). Subscriber database 26 returns the virtual IMSI/MSISDN and optionally an APN to AAA server 40 (220), which forwards them to SaMOG WAG 16);
receiving, at the server configured to perform authentication-related tasks from the user terminal, the identification confirmation message (i.e. response message to complete the connection and establish IP connectivity) ([0055] Wireless device 4 may then obtain the IP address assigned by GGSN 22. In this example, wireless device 4 issues a Dynamic Host Configuration Protocol (DHCP)-Discover message using the UE MAC address to SaMOG WAG 16 (236), which reads the stored association between the UE MAC address and the IP address returned in the Create PDP-Context Response message and returns the IP address to wireless device 4. SaMOG WAG 16 and wireless device 4 complete the DHCP process to complete the connection and establish IP connectivity (240)). 
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Zhang reference and include mobile authentication methods using username and password besides verifying MAC address and IP address to establish authenticated connectivity between a mobile service provider gateway and a wireless device, as disclosed by Schroeder.
The motivation to include mobile authentication through username and password is to add extra layer of security for the user of the mobile device besides checking the MAC address and IP address when that user is trying to access the subscriber network.
The combination of Zhang and Schroeder fails to disclose:
generating, by the access server, an authentication request message from the access server to a server configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least9Docket No. 7744-0124 Appln. No. 15/370,413partly from at least one data record in the access request message; in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is10Docket No. 7744-0124 Appln. No. 15/370,413determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message; when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal; receiving, in the access server, from the server configured to perform authentication-related tasks, information on a positive outcome of the authentication of the subscriber in the second network; and generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network.
However, Ahmavaara discloses:
generating, by the access server, an authentication request message from the access server to a server (See FIG. 2; i.e. authentication server 50) configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least partly from at least one data record in the access request message ([0043] the WLAN comprises a WLAN access server 40 for establishing a connection to external networks such as the home network 100 or another packet-switched network, e.g. the Internet or an operator or company intranet. The home network 100 may be a GPRS network or a WLAN backbone network and comprises an authentication server 50, with an allocated authentication server database 55 in which subscriber information such as service profile information of each connected terminal device or UE are stored; [0048] When the home authentication server 50 is authenticating the user it checks from the authentication server database 55 whether the user is subscribed to home network services; [0049] If the user is subscribed to home network services, the authentication server 50 waits for APN information from the WLAN UE 10. The WLAN UE 10 may inform a desired APN in the EAP-SIM Response message. APN information consists of APN, and optionally username and password for the APN);
receiving, in the access server, from the server configured to perform authentication-related tasks (i.e. account/authentication server 24), information on a positive outcome of the authentication of the subscriber in the second network (FIG. 4; [0064] In successful cases, the authentication server 50 receives a RADIUS Access Accept message from the RADIUS server 130); and
generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network ([0094] The authentication server 50 adds to the RADIUS Access Accept message an EAP Success message and session keys, and forwards the RADIUS Access Accept message to the WLAN access server 40. In response thereto, the WLAN access server 40 forwards a RADIUS Access Accept message comprising the EAP Success message to the WLAN access point 20 which extracts the EAP Success message and forwards it to the WLAN UE 10).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Zhang and Schroeder and include a notification of successful authentication as disclosed by Ahmavaara. 
The motivation to include successful notification is to inform the user through user terminal whether access to WLAN network was successful or not.
The combination of Zhang, Schroeder and Ahmavaara fails to disclose:
in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message; when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal.
However, NPL # 1 discloses:
	in response to a receipt of the authentication request message from the access server (i.e. AE (Acquire Entity)), generating, by the server (i.e. AP (Application Provider) Server ) configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code (i.e. Spam Prevention Code (SPC) code) from the user by the user terminal to initiate access to a secure element of the subscriber module (i.e. SIM Card) residing in the user terminal (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 1. The user establishes a connection to AP’s server. The user wants to access a service or sign an electronic text or document. Therefore the AP server asks the user for information such as mobile phone number and spam prevention code (SPC); NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 5. The AE makes sure that the information, which was requested, is in accordance with the service agreement. Afterwards the AE sends the message to the user’s HMSSP, which is the user’s operator. The HMSSP invokes the user’s mobile phone for signature request if the user’s SPC is correct; NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 6. The user gets a signature request, which also shows the same event number that was shown in the AP server interface and therefore the user has to ensure that both correspond to each other. Afterwards the user can sign the event by inputting the given PIN code); 
	receiving the identification request message (See FIG. 4; i.e. generation of an event number/event ID by the AP server) at the user terminal, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal to the subscriber module upon receipt of the identification request message at the user terminal by the server configured to perform authentication-related tasks (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 2 The AP server displays the event number in the current business channel that identifies the  signature event and guides the user to look on the device (mobile phone); Also see Page # 13; Figure A2; Web page showing an inserted mobile phone number and a created event ID [which is construed as an identification request message]);
	responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 6; The user gets a signature request, which also shows the same event number that was shown in the AP server interface and therefore the user has to ensure that both correspond to each other. Afterwards the user can sign the event by inputting the given PIN code; Also see Page # 14; Figure; A5; the user’s mobile phone receives a third pop-op SMS message for insertion of the PIN code for the private mobile certificate key stored in the user’s SIM/USIM card);
determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal (See Page # 14; Figure A6; After insertion of the correct PIN code and OK acknowledgement of the received third pop-up SMS message the user is authenticated for a web page); 
generating, at the user terminal, an identification confirmation message (See Figure. A6; You have been verified) when the requested access code is determined to match the stored access code (see Page # 14; Figure A6; After insertion of the correct PIN code and OK acknowledgement of the received third pop-up SMS message the user is authenticated for a web page), 
the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message (NPL # 1, Page # 15, After OK acknowledgement of the received second pop-up SMS message, the user’s mobile phone receives a third pop-op SMS message for insertion of the PIN code for the private mobile certificate key stored in the user’s SIM/USIM card (see Figure A11)), 
when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal (NPL # 1, Page # 16, After insertion of the correct PIN code and OK acknowledgement of the received pop-up SMS message the user is authenticated for a web page in which is shown the insert text to be signed together with the base64 encoded signature; also see Figure A12; A web page showing the insert text to be signed together with the base64 encoded signature).
It would have been obvious to one of the ordinary skilled in the art before the effective filing date of the claimed invention to modify the Zhang, Schroeder and Ahmavaara references and authenticate a user through stored access code (such as PIN code) on the subscriber identity module (SIM) to access requested service, as disclosed by NPL # 1.
The motivation to authenticate the user through stored access code is to ensure legitimate user is accessing the requested service by enforcing the user to authenticate through stored PIN code on the SIM card.
Regarding claim 2, the combination of Zhang, Schroeder, Ahmavaara & NPL # 1 discloses:
The method of claim 1, wherein the determining that the at least one of the data records comprises data from which the subscriber identity for the second network is derivable comprises deriving of a Mobile Station International Subscriber Directory Number (MSISDN) from at least one data record in the access request message (Schroeder: [0049] Sequence diagram 200 illustrates the techniques when subscriber database 26 maps subscriber credentials, in this case a username and password, to a virtual IMSI/MSISDN pair for use in GTP-C signaling; [0053] Subscriber database 26 maps the username to a password (together, the “subscriber credentials”), and subscriber 26 maps the subscriber credentials to a “virtual” IMSI/MSISDN).
Regarding claim 3, the combination of Zhang, Schroeder, Ahmavaara & NPL # 1 discloses:
The method of claim 1, wherein the determining that the at least one of the data records comprises data from which the subscriber identity for the second network is derivable comprises deriving comprises deriving a Mobile Station International Subscriber Directory Number (MSISDN) or predefined user alias by inquiring it from a predetermined location accessible by the access server based on the information in the at least one data record in the access request message (Schroeder: [0049] Sequence diagram 200 illustrates the techniques when subscriber database 26 maps subscriber credentials, in this case a username and password, to a virtual IMSI/MSISDN pair for use in GTP-C signaling; [0053] Subscriber database 26 maps the username to a password (together, the “subscriber credentials”), and subscriber 26 maps the subscriber credentials to a “virtual” IMSI/MSISDN).
Regarding claim 5, Zhang discloses:
A system for determining an access right of a user terminal to a first network, the user terminal including a subscription of a second network, the system comprising:
	an access server (i.e., ANQP server) comprising one or more hardware processors configured to:
	receive an message, by the user terminal (i.e., the Wi-Fi enabled device), identify, that the first network supports a server inquiry-based authentication mechanism, the identifying being performed by the user terminal based on an identifier sent by an access point (i.e., the wireless access point) of the first network ([0003] Having entered the communication range of the wireless access point, the Wi-Fi-enabled device can receive, from the wireless access point, a beacon message indicating that the wireless access point is configured to support Hotspot 2.0. If the Wi-Fi-enabled device is also configured to support Hotspot 2.0, then the Wi-Fi-enabled device can send, using the Access Network Query Protocol (ANQP) defined in the IEEE 802.11u standard, an ANQP query message to the wireless access point to determine what authentication types and/or protocols are supported within the Wi-Fi network; [0004] In response to the ANQP query message, the ANQP server can provide, in an ANQP response message, a list of supported authentication types and/or protocols to the wireless access point, which can forward the list of supported authentication types and/or protocols to the Wi-Fi-enabled device);  
	receive by the access server, an access request message, generated by the user terminal, in accordance with the identified server inquiry-based authentication mechanism ([0005] Once the Wi-Fi-enabled device is associated with the wireless access point, the Wi-Fi-enabled device can initiate the EAP by sending an EAP-Start message to the wireless access point. In response to the EAP-Start message, the wireless access point can request the Wi-Fi-enabled device to identify itself by sending an EAP-Request/Identity message to the Wi-Fi-enabled device).
Zhang fails to disclose:
	receiving, in an access server from the access point, the access request message originated from the user terminal requesting access to the first network through the access point, the access request message comprising a data record for a user name and a data record for a password; determining, by the access server, that the data record for the user name and the data record for the password are in a predetermined format and that at least one of the data records comprises data from which a subscriber identity for the second network is derivable; generating, by the access server, an authentication request message from the access server to a server configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least partly from at least one data record in the access request message; in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal by the server configured to perform authentication-related tasks; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message; receiving, at the server configured to perform authentication-related tasks from the user terminal, the identification confirmation message, when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal; receiving, in the access server, from the server configured to perform authentication-related tasks, information on a positive outcome of the authentication of the subscriber in the second network; and generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network.
However, Schroeder discloses:
receiving, in an access server (See FIG. 1; i.e. SAMOG Wireless Access Gateway (WAG) 16) from the access point, the access request message (i.e. Request Identity frame (202)) originated from the user terminal requesting access to the first network through the access point, the access request message comprising a data record for a user name and a data record for a password ([0046] In some examples, subscriber database 26 obtains mobility information (e.g., IMSI/MSISDN values) for subscribers from HLR 24 and associates respective mobility information with subscriber credentials (e.g., usernames/passwords); [0049] The example of FIG. 2 illustrates operation of User Equipment (UE) (e.g., an instance of wireless device 4 having a SIM card), a WLAN (e.g., alternate access network 10, in particular, access point 32), SaMOG WAG 16, AAA server 40, HLR 24, and GGSN 22; [0051] Initially, access point 32 requests wireless device 4 identify itself with an EAP over LAN (EAPoL) Request Identity frame (202). Wireless device 4 response with an EAP Response Identity frame containing an identifier for wireless device 4 (e.g., a username) (204)); 
determining, by the access server, that the data record for the user name and the data record for the password are in a predetermined format (see [0053] i.e. mapping of username/password to MSISDN) and that at least one of the data records comprises data from which a subscriber identity for the second network is derivable ([0053] Subscriber database 26 maps the username to a password (together, the “subscriber credentials”), and subscriber 26 maps the subscriber credentials to a “virtual” IMSI/MSISDN, which may or may not represent the IMSI/MSISDN for the true subscriber associated with the subscriber credentials (218). Subscriber database 26 returns the virtual IMSI/MSISDN and optionally an APN to AAA server 40 (220), which forwards them to SaMOG WAG 16);
receiving, at the server configured to perform authentication-related tasks from the user terminal, the identification confirmation message (i.e. response message to complete the connection and establish IP connectivity) ([0055] Wireless device 4 may then obtain the IP address assigned by GGSN 22. In this example, wireless device 4 issues a Dynamic Host Configuration Protocol (DHCP)-Discover message using the UE MAC address to SaMOG WAG 16 (236), which reads the stored association between the UE MAC address and the IP address returned in the Create PDP-Context Response message and returns the IP address to wireless device 4. SaMOG WAG 16 and wireless device 4 complete the DHCP process to complete the connection and establish IP connectivity (240)). 
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Zhang reference and include mobile authentication methods using username and password besides verifying MAC address and IP address to establish authenticated connectivity between a mobile service provider gateway and a wireless device, as disclosed by Schroeder.
The motivation to include mobile authentication through username and password is to add extra layer of security for the user of the mobile device besides checking the MAC address and IP address when that user is trying to access the subscriber network.
The combination of Zhang and Schroeder fails to disclose:
	generating, by the access server, an authentication request message from the access server to a server configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least9Docket No. 7744-0124 Appln. No. 15/370,413partly from at least one data record in the access request message; in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is10Docket No. 7744-0124 Appln. No. 15/370,413determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message; when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal; receiving, in the access server, from the server configured to perform authentication-related tasks, information on a positive outcome of the authentication of the subscriber in the second network; and generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network.
However, Ahmavaara discloses:
generating, by the access server, an authentication request message from the access server to a server (See FIG. 2; i.e. authentication server 50) configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least partly from at least one data record in the access request message ([0043] the WLAN comprises a WLAN access server 40 for establishing a connection to external networks such as the home network 100 or another packet-switched network, e.g. the Internet or an operator or company intranet. The home network 100 may be a GPRS network or a WLAN backbone network and comprises an authentication server 50, with an allocated authentication server database 55 in which subscriber information such as service profile information of each connected terminal device or UE are stored; [0048] When the home authentication server 50 is authenticating the user it checks from the authentication server database 55 whether the user is subscribed to home network services; [0049] If the user is subscribed to home network services, the authentication server 50 waits for APN information from the WLAN UE 10. The WLAN UE 10 may inform a desired APN in the EAP-SIM Response message. APN information consists of APN, and optionally username and password for the APN);
receiving, in the access server, from the server configured to perform authentication-related tasks (i.e. account/authentication server 24), information on a positive outcome of the authentication of the subscriber in the second network (FIG. 4; [0064] In successful cases, the authentication server 50 receives a RADIUS Access Accept message from the RADIUS server 130); and
generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network ([0094] The authentication server 50 adds to the RADIUS Access Accept message an EAP Success message and session keys, and forwards the RADIUS Access Accept message to the WLAN access server 40. In response thereto, the WLAN access server 40 forwards a RADIUS Access Accept message comprising the EAP Success message to the WLAN access point 20 which extracts the EAP Success message and forwards it to the WLAN UE 10).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Zhang and Schroeder and include a notification of successful authentication as disclosed by Ahmavaara. 
The motivation to include successful notification is to inform the user through user terminal whether access to WLAN network was successful or not.
The combination of Zhang, Schroeder and Ahmavaara fails to disclose:
in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message; when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal.
However, NPL # 1 discloses:
	in response to a receipt of the authentication request message from the access server (i.e. AE (Acquire Entity)), generating, by the server (i.e. AP (Application Provider) Server ) configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code (i.e. Spam Prevention Code (SPC) code) from the user by the user terminal to initiate access to a secure element of the subscriber module (i.e. SIM Card) residing in the user terminal (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 1. The user establishes a connection to AP’s server. The user wants to access a service or sign an electronic text or document. Therefore the AP server asks the user for information such as mobile phone number and spam prevention code (SPC); NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 5. The AE makes sure that the information, which was requested, is in accordance with the service agreement. Afterwards the AE sends the message to the user’s HMSSP, which is the user’s operator. The HMSSP invokes the user’s mobile phone for signature request if the user’s SPC is correct; NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 6. The user gets a signature request, which also shows the same event number that was shown in the AP server interface and therefore the user has to ensure that both correspond to each other. Afterwards the user can sign the event by inputting the given PIN code); 
	receiving the identification request message (See FIG. 4; i.e. generation of an event number/event ID by the AP server) at the user terminal, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal to the subscriber module upon receipt of the identification request message at the user terminal by the server configured to perform authentication-related tasks (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 2 The AP server displays the event number in the current business channel that identifies the  signature event and guides the user to look on the device (mobile phone); Also see Page # 13; Figure A2; Web page showing an inserted mobile phone number and a created event ID [which is construed as an identification request message]);
	responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 6; The user gets a signature request, which also shows the same event number that was shown in the AP server interface and therefore the user has to ensure that both correspond to each other. Afterwards the user can sign the event by inputting the given PIN code; Also see Page # 14; Figure; A5; the user’s mobile phone receives a third pop-op SMS message for insertion of the PIN code for the private mobile certificate key stored in the user’s SIM/USIM card);
determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal (See Page # 14; Figure A6; After insertion of the correct PIN code and OK acknowledgement of the received third pop-up SMS message the user is authenticated for a web page); 
generating, at the user terminal, an identification confirmation message (See Figure. A6; You have been verified) when the requested access code is determined to match the stored access code (see Page # 14; Figure A6; After insertion of the correct PIN code and OK acknowledgement of the received third pop-up SMS message the user is authenticated for a web page), 
the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message (NPL # 1, Page # 15, After OK acknowledgement of the received second pop-up SMS message, the user’s mobile phone receives a third pop-op SMS message for insertion of the PIN code for the private mobile certificate key stored in the user’s SIM/USIM card (see Figure A11)), 
when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal (NPL # 1, Page # 16, After insertion of the correct PIN code and OK acknowledgement of the received pop-up SMS message the user is authenticated for a web page in which is shown the insert text to be signed together with the base64 encoded signature; also see Figure A12; A web page showing the insert text to be signed together with the base64 encoded signature).
It would have been obvious to one of the ordinary skilled in the art before the effective filing date of the claimed invention to modify the Zhang, Schroeder and Ahmavaara references and authenticate a user through stored access code (such as PIN code) on the subscriber identity module (SIM) to access requested service, as disclosed by NPL # 1.
The motivation to authenticate the user through stored access code is to ensure legitimate user is accessing the requested service by enforcing the user to authenticate through stored PIN code on the SIM card.
Regarding claim 8, the combination of Zhang, Schroeder, Ahmavaara & NPL # 1 discloses:
The method of claim 1, wherein, the user terminal initiates the requesting access to the first network by generating and transmitting the access request message to the access server (Schroeder: [0007] When in the presence of a WLAN, a user may wish to transition the data services of the wireless to the WLAN so as to accelerate data transmissions, reduce costs, and avoid any delays associated with the mobile service provider network; see [0034] In some situations, a subscriber associated with wireless device 4 may wish to receive data services via alternate access network 10 instead cellular network 6 of SP network 8; also see [0046] when wireless device 4 attempts to authenticate with subscriber credentials to SaMOG WAG 16, AAA server 40 uses the subscriber credentials to look up the mobility information).
Regarding claim 9, the combination of Zhang, Schroeder, Ahmavaara & NPL # 1 discloses:
	The method of claim 1, wherein the identification request message generated by the server configured to perform authentication-related tasks is in a predetermined format and is transmitted from the server configured to perform authentication-related tasks directly to the user terminal (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 1. The user establishes a connection to AP’s server. The user wants to access a service or sign an electronic text or document. Therefore the AP server asks the user for information such as mobile phone number and spam prevention code (SPC); NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 5. The AE makes sure that the information, which was requested, is in accordance with the service agreement. Afterwards the AE sends the message to the user’s HMSSP, which is the user’s operator. The HMSSP invokes the user’s mobile phone for signature request if the user’s SPC is correct; NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 6. The user gets a signature request, which also shows the same event number that was shown in the AP server interface and therefore the user has to ensure that both correspond to each other. Afterwards the user can sign the event by inputting the given PIN code).
Regarding claim 10, Zhang discloses:
A method for determining an access right of a user terminal to a first network, the user terminal including a subscription of a second network, the method comprising: 
identifying, by the user terminal (i.e., the Wi-Fi-enabled device), that the first network supports a server inquiry-based authentication mechanism (i.e., see list of supported authentication types in [0003]), the identifying being performed by the user terminal based on an identifier (i.e., received by the Wi-Fi enabled device a response ANQP query message listing supported authentication types sent from the server through the access point) sent by an access point of the first network ([0003] Having entered the communication range of the wireless access point, the Wi-Fi-enabled device can receive, from the wireless access point, a beacon message indicating that the wireless access point is configured to support Hotspot 2.0. If the Wi-Fi-enabled device is also configured to support Hotspot 2.0, then the Wi-Fi-enabled device can send, using the Access Network Query Protocol (ANQP) defined in the IEEE 802.11u standard, an ANQP query message to the wireless access point to determine what authentication types and/or protocols are supported within the Wi-Fi network; [0004] In response to the ANQP query message, the ANQP server can provide, in an ANQP response message, a list of supported authentication types and/or protocols to the wireless access point, which can forward the list of supported authentication types and/or protocols to the Wi-Fi-enabled device); 
generating, by the user terminal, an access request message in accordance with the identified server inquiry-based authentication mechanism ([0005] Once the Wi-Fi-enabled device is associated with the wireless access point, the Wi-Fi-enabled device can initiate the EAP by sending an EAP-Start message to the wireless access point. In response to the EAP-Start message, the wireless access point can request the Wi-Fi-enabled device to identify itself by sending an EAP-Request/Identity message to the Wi-Fi-enabled device).
Zhang fails to disclose:
	receiving, in an access server from the access point, the access request message originated from the user terminal requesting access to the first network through the access point, the access request message comprising a data record for a user name and a data record for a password; determining, by the access server, that the data record for the user name and the data record for the password are in a predetermined format and that at least one of the data records comprises data from which a subscriber identity for the second network is derivable; receiving, at the server configured to perform authentication-related tasks from the user terminal, the identification confirmation message; generating, by the access server, an authentication request message from the access server to a server configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least partly from at least one data record in the access request message; in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, the identification request message comprising at least an authentication digest, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message, the secure element of the subscriber module digitally signing the authentication digest, the digitally signed authentication digest being provided in the identification confirmation message; when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal; receiving, in the access server, from the server configured to perform authentication-related tasks, information on a positive outcome of the authentication of the subscriber in the second network; and generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network.
However, Schroeder discloses:
receiving, in an access server (See FIG. 1; i.e. SAMOG Wireless Access Gateway (WAG) 16) from the access point, the access request message (i.e. Request Identity frame (202)) originated from the user terminal requesting access to the first network through the access point, the access request message comprising a data record for a user name and a data record for a password ([0046] In some examples, subscriber database 26 obtains mobility information (e.g., IMSI/MSISDN values) for subscribers from HLR 24 and associates respective mobility information with subscriber credentials (e.g., usernames/passwords); [0049] The example of FIG. 2 illustrates operation of User Equipment (UE) (e.g., an instance of wireless device 4 having a SIM card), a WLAN (e.g., alternate access network 10, in particular, access point 32), SaMOG WAG 16, AAA server 40, HLR 24, and GGSN 22; [0051] Initially, access point 32 requests wireless device 4 identify itself with an EAP over LAN (EAPoL) Request Identity frame (202). Wireless device 4 response with an EAP Response Identity frame containing an identifier for wireless device 4 (e.g., a username) (204)); 
determining, by the access server, that the data record for the user name and the data record for the password are in a predetermined format (see [0053] i.e. mapping of username/password to MSISDN) and that at least one of the data records comprises data from which a subscriber identity for the second network is derivable ([0053] Subscriber database 26 maps the username to a password (together, the “subscriber credentials”), and subscriber 26 maps the subscriber credentials to a “virtual” IMSI/MSISDN, which may or may not represent the IMSI/MSISDN for the true subscriber associated with the subscriber credentials (218). Subscriber database 26 returns the virtual IMSI/MSISDN and optionally an APN to AAA server 40 (220), which forwards them to SaMOG WAG 16);
receiving, at the server configured to perform authentication-related tasks from the user terminal, the identification confirmation message (i.e. response message to complete the connection and establish IP connectivity) ([0055] Wireless device 4 may then obtain the IP address assigned by GGSN 22. In this example, wireless device 4 issues a Dynamic Host Configuration Protocol (DHCP)-Discover message using the UE MAC address to SaMOG WAG 16 (236), which reads the stored association between the UE MAC address and the IP address returned in the Create PDP-Context Response message and returns the IP address to wireless device 4. SaMOG WAG 16 and wireless device 4 complete the DHCP process to complete the connection and establish IP connectivity (240)). 
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Zhang reference and include mobile authentication methods using username and password besides verifying MAC address and IP address to establish authenticated connectivity between a mobile service provider gateway and a wireless device, as disclosed by Schroeder.
The motivation to include mobile authentication through username and password is to add extra layer of security for the user of the mobile device besides checking the MAC address and IP address when that user is trying to access the subscriber network.
The combination of Zhang and Schroeder fails to disclose:
generating, by the access server, an authentication request message from the access server to a server configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least9Docket No. 7744-0124 Appln. No. 15/370,413partly from at least one data record in the access request message; in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, the identification request message comprising at least an authentication digest, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is10Docket No. 7744-0124 Appln. No. 15/370,413determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message, the secure element of the subscriber module digitally signing the authentication digest, the digitally signed authentication digest being provided in the identification confirmation message; when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal; receiving, in the access server, from the server configured to perform authentication-related tasks, information on a positive outcome of the authentication of the subscriber in the second network; and generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network.
However, Ahmavaara discloses:
generating, by the access server, an authentication request message from the access server to a server (See FIG. 2; i.e. authentication server 50) configured to perform authentication-related tasks in the second network based on subscriber information in response to a positive outcome of the determination, the authentication request message comprising the subscriber identity derived at least partly from at least one data record in the access request message ([0043] the WLAN comprises a WLAN access server 40 for establishing a connection to external networks such as the home network 100 or another packet-switched network, e.g. the Internet or an operator or company intranet. The home network 100 may be a GPRS network or a WLAN backbone network and comprises an authentication server 50, with an allocated authentication server database 55 in which subscriber information such as service profile information of each connected terminal device or UE are stored; [0048] When the home authentication server 50 is authenticating the user it checks from the authentication server database 55 whether the user is subscribed to home network services; [0049] If the user is subscribed to home network services, the authentication server 50 waits for APN information from the WLAN UE 10. The WLAN UE 10 may inform a desired APN in the EAP-SIM Response message. APN information consists of APN, and optionally username and password for the APN);
receiving, in the access server, from the server configured to perform authentication-related tasks (i.e. account/authentication server 24), information on a positive outcome of the authentication of the subscriber in the second network (FIG. 4; [0064] In successful cases, the authentication server 50 receives a RADIUS Access Accept message from the RADIUS server 130); and
generating, in response to receiving the positive outcome of the authentication, an acknowledgement to the user terminal, the acknowledgement indicating right to access to the first network ([0094] The authentication server 50 adds to the RADIUS Access Accept message an EAP Success message and session keys, and forwards the RADIUS Access Accept message to the WLAN access server 40. In response thereto, the WLAN access server 40 forwards a RADIUS Access Accept message comprising the EAP Success message to the WLAN access point 20 which extracts the EAP Success message and forwards it to the WLAN UE 10).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Zhang, Schroeder and include a notification of successful authentication as disclosed by Ahmavaara. 
The motivation to include successful notification is to inform the user through user terminal whether access to WLAN network was successful or not (See Ahmavaara: [0094]).
The combination of Zhang, Schroeder and Ahmavaara fails to disclose:
	in response to a receipt of the authentication request message from the access server, generating, by the server configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code from the user by the user terminal to initiate access to a secure element of the subscriber module residing in the user terminal; receiving the identification request message at the user terminal, the identification request message comprising at least an authentication digest, and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal; responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code; determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal; generating, at the user terminal, an identification confirmation message when the requested access code is determined to match the stored access code, the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message, the secure element of the subscriber module digitally signing the authentication digest, the digitally signed authentication digest being provided in the identification confirmation message; when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal.
However, NPL # 1 discloses:
	in response to a receipt of the authentication request message from the access server (i.e. AE (Acquire Entity)), generating, by the server (i.e. AP (Application Provider) Server ) configured to perform authentication-related tasks, an identification request message to the user terminal to cause a request of an access code (i.e. Spam Prevention Code (SPC) code) from the user by the user terminal to initiate access to a secure element of the subscriber module (i.e. SIM Card) residing in the user terminal (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 1. The user establishes a connection to AP’s server. The user wants to access a service or sign an electronic text or document. Therefore the AP server asks the user for information such as mobile phone number and spam prevention code (SPC); NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 5. The AE makes sure that the information, which was requested, is in accordance with the service agreement. Afterwards the AE sends the message to the user’s HMSSP, which is the user’s operator. The HMSSP invokes the user’s mobile phone for signature request if the user’s SPC is correct; NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 6. The user gets a signature request, which also shows the same event number that was shown in the AP server interface and therefore the user has to ensure that both correspond to each other. Afterwards the user can sign the event by inputting the given PIN code); 
receiving the identification request message at the user terminal, the identification request message comprising at least an authentication digest (See FIG. 4; i.e. generation of an event number/event ID by the AP server), and initiating an access request by the user terminal to the subscriber module upon receipt of the identification request message at the user terminal (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 2 The AP server displays the event number in the current business channel that identifies the  signature event and guides the user to look on the device (mobile phone); Also see Page # 13; Figure A2; Web page showing an inserted mobile phone number and a created event ID [which is construed as an authentication digest]); 
responding to the access request, by the subscriber module residing in the user terminal, by requesting the access code from the user; receiving, at the user terminal, the requested access code (NPL # 1, Page # 5, “Asynchronous Client-Server” Mode”, Step 6; The user gets a signature request, which also shows the same event number that was shown in the AP server interface and therefore the user has to ensure that both correspond to each other. Afterwards the user can sign the event by inputting the given PIN code; Also see Page # 14; Figure; A5; the user’s mobile phone receives a third pop-op SMS message for insertion of the PIN code for the private mobile certificate key stored in the user’s SIM/USIM card); 
determining, at the user terminal, whether the requested access code matches a stored access code stored in a subscriber module residing in the user terminal (See Page # 14; Figure A6; After insertion of the correct PIN code and OK acknowledgement of the received third pop-up SMS message the user is authenticated for a web page); 
generating, at the user terminal, an identification confirmation message (See Figure. A6; You have been verified) when the requested access code is determined to match the stored access code (see Page # 14; Figure A6; After insertion of the correct PIN code and OK acknowledgement of the received third pop-up SMS message the user is authenticated for a web page), 
the received access code providing access to the secure element of the subscriber module residing in the user terminal to generate authentication data included in the generated identification confirmation message (NPL # 1, Page # 15, After OK acknowledgement of the received second pop-up SMS message, the user’s mobile phone receives a third pop-op SMS message for insertion of the PIN code for the private mobile certificate key stored in the user’s SIM/USIM card (see Figure A11)), 
the secure element of the subscriber module digitally signing the authentication digest, the digitally signed authentication digest being provided in the identification confirmation message when a receipt of the requested access code at the user terminal matches the stored access code stored in the subscriber module residing in the user terminal (NPL # 1, Page # 16, After insertion of the correct PIN code and OK acknowledgement of the received pop-up SMS message the user is authenticated for a web page in which is shown the insert text to be signed together with the base64 encoded signature; also see Figure A12; A web page showing the insert text to be signed together with the base64 encoded signature).
	It would have been obvious to one of the ordinary skilled in the art before the effective filing date of the claimed invention to modify the Zhang, Schroeder and Ahmavaara references and authenticate a user through stored access code (such as PIN code) on the subscriber identity module (SIM) to access requested service, as disclosed by NPL # 1.
	The motivation to authenticate the user through stored access code is to ensure legitimate user is accessing the requested service by enforcing the user to authenticate through stored PIN code on the SIM card.

Claims 4, and 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al., (US20170118638A1) in view of Schroeder et al., (US20130288644A1) in view of Ahmavaara et al., (US20040066769A1) in view of Non-Patent Literature (NPL) titled “Mobile Certificate Based Network Services” published July 2013 hereinafter referred as NPL # 1 and further in view of Carneheim et al., (US6618584B1).
Regarding claim 4, the combination of Zhang, Schroeder, Ahmavaara & NPL # 1 fails to disclose:
The method of claim 1, further comprising manipulating a timer value of a timer defining a period of time given for an authentication procedure between the user terminal, an access controller and the access server in response to a positive outcome of the determination.
However, Carneheim discloses:
	a step of manipulating a timer value of a timer defining a period of time given for the authentication procedure between the user terminal, access controller and the access server in response to a positive outcome of the determination (Col. 3, Line # 59-67 – Col. 4, Line # 1-8; Reference is now made to FIG. 1 wherein there is shown a nodal operation and flow diagram for a first embodiment timer based trigger for authentication. The subscriber terminal 10 sets a timer 16 in action 18 with a certain measured time period and executes a testing loop in action 20 to detect expiration of that time period. As one option, the set timer action 18 may choose the length of the measured time period. As another option, a resetting of the timer 16 in this scenario may then occur (as generally indicated at 34) responsive to each state transition from the suspended state to the active state (instead of resetting responsive to the expiration of the measured time period). Responsive to such time period expiration, the subscriber terminal 10 engages in an authentication transaction 22 (i.e., a message exchange and appropriate data processing action needed to authenticate the terminal) with the supporting wireless communications system 12, and returns 24 to action 18 to re-set the timer 16. Thus, the timer based trigger procedure implements an authentication transaction 22 once every certain time period as measured by the timer 16).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Zhang, Schroeder, Ahmavaara and NPL # 1 and include a timer based authentication procedure, as disclosed by Carneheim. 
	The motivation is to have an efficient authentication system in which access timer can be changed to restrict user access to electronic device. 
Regarding claim 6, the combination of Zhang, Schroeder, Ahmavaara & NPL # 1 fails to disclose:
The method of claim 2 further comprising manipulating a timer value of a timer defining a period of time given for the authentication procedure between the user terminal, access controller and the access server in response to a positive outcome of the determination.
However, Carneheim discloses:
	a step of manipulating a timer value of a timer defining a period of time given for the authentication procedure between the user terminal, access controller and the access server in response to a positive outcome of the determination (Col. 3, Line # 59-67 – Col. 4, Line # 1-8; Reference is now made to FIG. 1 wherein there is shown a nodal operation and flow diagram for a first embodiment timer based trigger for authentication. The subscriber terminal 10 sets a timer 16 in action 18 with a certain measured time period and executes a testing loop in action 20 to detect expiration of that time period. As one option, the set timer action 18 may choose the length of the measured time period. As another option, a resetting of the timer 16 in this scenario may then occur (as generally indicated at 34) responsive to each state transition from the suspended state to the active state (instead of resetting responsive to the expiration of the measured time period). Responsive to such time period expiration, the subscriber terminal 10 engages in an authentication transaction 22 (i.e., a message exchange and appropriate data processing action needed to authenticate the terminal) with the supporting wireless communications system 12, and returns 24 to action 18 to re-set the timer 16. Thus, the timer based trigger procedure implements an authentication transaction 22 once every certain time period as measured by the timer 16).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Zhang, Schroeder, Ahmavaara and NPL # 1 and include a timer based authentication procedure, as disclosed by Carneheim. 
	The motivation is to have an efficient authentication system in which access timer can be changed to restrict user access to electronic device.
Regarding claim 7, the combination of Zhang, Schroeder, Ahmavaara & NPL # 1 fails to disclose:
The method of claim 3, further comprising manipulating a timer value of a timer defining a period of time given for an authentication procedure between the user terminal, an access controller, and the access server in response to a positive outcome of the determination.
However, Carneheim discloses:
	comprising manipulating a timer value of a timer defining a period of time given for an authentication procedure between the user terminal, an access controller, and the access server in response to a positive outcome of the determination (Col. 3, Line # 59-67 – Col. 4, Line # 1-8; Reference is now made to FIG. 1 wherein there is shown a nodal operation and flow diagram for a first embodiment timer based trigger for authentication. The subscriber terminal 10 sets a timer 16 in action 18 with a certain measured time period and executes a testing loop in action 20 to detect expiration of that time period. As one option, the set timer action 18 may choose the length of the measured time period. As another option, a resetting of the timer 16 in this scenario may then occur (as generally indicated at 34) responsive to each state transition from the suspended state to the active state (instead of resetting responsive to the expiration of the measured time period). Responsive to such time period expiration, the subscriber terminal 10 engages in an authentication transaction 22 (i.e., a message exchange and appropriate data processing action needed to authenticate the terminal) with the supporting wireless communications system 12, and returns 24 to action 18 to re-set the timer 16. Thus, the timer based trigger procedure implements an authentication transaction 22 once every certain time period as measured by the timer 16).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Zhang, Schroeder, Ahmavaara and NPL # 1 and include a timer based authentication procedure, as disclosed by Carneheim. 
	The motivation is to have an efficient authentication system in which access timer can be changed to restrict user access to electronic device.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./PATENT EXAMINER, ART UNIT 2432