DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
The amendment filed 03/21/2022 has been entered. Claims 1, 3, 10, 12, 19-20 are currently amended. Claims 2, 11 are currently cancelled. Claims 1, 3-10, 12-20 are pending in the application.
The objection of claim 15 due to informalities has been withdrawn in light of applicant’s amendment to the claim. See updated Claim Objections.
The rejection of claims 19-20 under 35 USC 112(b) due to insufficient antecedent basis has been withdrawn in light of applicant’s amendment to the claims.
Applicant’s filed and approved Terminal Disclaimer on 3/21/2022 has been acknowledged. Therefore, the rejection of claims on the ground of nonstatutory double patenting has been withdrawn.
Examiner note: Claim 16 is marked as “Currently Amended” but has not been amended.
Response to Arguments
Applicant’s argument, see pages 9-10 of the Remarks filed 3/21/2022 regarding claims 1-15 has been fully considered. Applicant amended independent claims 1, 10 by including previously identified allowable subject matter from original claims 2, 11 (now cancelled) respectively. Upon updated search, examiner believes claims 1, 3-10, 12-15 recite allowable subject matter(s). Therefore, applicant’s argument (regarding these claims) is moot.
Applicant’s argument, see pages 10-11 of the Remarks filed 3/21/2022 regarding claims 16-20 rejected under 35 USC 103 over prior arts of record have been fully considered and asserted not persuasive due to following reason. 
Regarding independent 16 claim, applicant argued, 
“Claim 16 recites that "a challenge as plaintext [A] and an encrypted message [B]" are obtained "from a client device." (Letters included as an aid to understanding and forming no part of the claimed invention.) Further, the secure component uses "a key associated with a first challenge type to generate an integrity code as a challenge response to the challenge based on (i) the challenge corresponding to the first challenge type and (ii) the extracted challenge matching the challenge obtained as plaintext from the client device." That is, the secure component uses both [A] and [B], both of which are "from a client device," in the process of generating the challenge response. In contrast, as stated in the Office Action, Reynolds teaches that the "challenge token [is] obtained from IVM server 300A," not the client device 200A cited in the Office Action at p. 26. That is, any comparison between the challenge token from IVM server 300A an the decrypted challenge token of Reynolds cannot correspond to a comparison between "the extracted challenge" and "the challenge obtained as plaintext," each of which are obtained from the client device as recited in claim 16”. (See pages 10-11 of the Remarks)

Examiner respectively disagrees with applicant. Under the guidance of BRI, claim limitation “obtain, from a client device, a challenge as plaintext and an encrypted message, the encrypted message comprising the challenge” can be interpreted as: obtain from client device an encrypted message wherein the encrypted message comprises a (the) challenge, i.e. the message incudes the challenge in encrypted form. The claim in nowhere clearly indicates or suggests the message comprises other element(s) that is/are to be used in the following limitation(s), such as “cause the secure component to use a key associated with a first challenge type to …”. Using applicant analogue of [A] and [B] to plaintext and encrypted message, the claim suggests the secure component uses [A] which is included in [B], instead of both [A] and [B].
Applicant’s further argument concerns Reynold’s teaching for both [A] and [B] are “from a client device”. Applicant’s argument seems to suggest both plaintext and encrypted message are generated by the client device. However, the claim recites “obtain, from a client device, a challenge …”, i.e. the challenge is not necessarily generated by the client device. Meanwhile, Reynold teaches arbitrary client device 200A (i.e. client device) provide proximate challenge request to mobile client device 200B (i.e. wireless token), i.e. the message (the proximate challenge request) is from the client device, or provided by the client device (see Fig. 5, and para [80] of Reynold).
Applicant is suggested to further incorporate innovative features into independent claims to advance the case.
Claim Objections
Claims 3, 12 are objected to because of the following informalities:  
Claim 3 lines 1-2, “The token of claim 1, the the first size …” should read “The token of claim 1, the 
Similarly, claim 12 lines 1-2, “wherein the the first …” should read “wherein the 
Allowable Subject Matter
Claims 1, 4-10, 13-15 are allowed.
Claims 3, 12 are objected to as shown above but would be allowable if rewritten in form resolving of the outstanding informalities.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a). 
The following is a statement of reasons for the indication of allowable subject matter:  
The present invention is directed to a short-range wireless token and method of using the token to facilitate authentication of a client device by using a plurality of challenges and determining the challenge type and generating challenge response with key associated with the challenge and provide the challenge response to the client device for authentication of the client device. 
Claim 1 (similarly claim 10) recites unique features “a secure component comprising memory configured to store keys associated with multiple challenge types, the multiple challenge types comprising (i) a first challenge type that satisfies one or more first format criteria and (ii) a second challenge type that satisfies one or more second format criteria different from the one or more first format criteria; obtain a challenge from a client device; determine a challenge type to which the challenge corresponds such that (i) the challenge is determined to correspond to the first challenge type in response to the challenge satisfying the one or more first format criteria and (ii) the challenge is determined to correspond to the second challenge type in response to the challenge satisfying the one or more second format criteria; cause the secure component to generate a challenge response for the challenge by (i) using a first key associated with the first challenge type in response to the challenge being determined to correspond to the first challenge type and (ii) using a second key associated with the second challenge type in response to the challenge being determined to correspond to the second challenge type; and provide the challenge response to the client device, wherein the one or more first format criteria comprises a first size or position criterion, and the one or more second format criteria comprises a second size or position criterion different from the first size or position criterion such that (i) the challenge is determined to correspond to the first challenge type in response to the challenge having a length satisfying the first size or position criterion and (ii) the challenge is determined to correspond to the second challenge type in response to the challenge having a length satisfying the second size or position criterion”.
The closest prior art, Reynolds, Godse, Patel, either singularly or in combination, fail to anticipate or render obvious the claimed limitations of claims as shown above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 16-17, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Reynolds (US20170279798A1-IDS by applicant, hereinafter, "Reynolds"), in view of Mennes et al (US20170012951A1, hereinafter, “Mennes”).
Regarding claim 16, Reynolds teaches:
A short-range wireless token for facilitating authentication, the token comprising: a secure component comprising memory configured to store one or more keys (Reynolds, [0072] mobile client device 200B (i.e. wireless token) may store the token sets and associated expiration dates and/or encryption keys in memory 205); 
and one or more processors programmed with computer program instructions (Reynolds, Fig. 2, Central processing unit 203, Computer-readable storage medium 230) that, when executed, cause the token to: 
obtain, from a client device, a challenge as plaintext and an encrypted message, Page 334850-3292-2297.vlPATENTAttorney Docket No.: 034259-0510640the encrypted message comprising the challenge (Reynolds, Fig. 5 step 533 Proximate challenge request, and [0080] Arbitrary client device 200A (i.e. client device) may process 528 challenge request 525 and provide a proximate challenge request 530 to mobile client device 200B. And [0066] The executable instructions provided to mobile client device 200B may (1) cause the mobile client device to provide an authentication prompt, e.g. via display 215B, identifying the URI of merchant service 325B and (2) require a manual response to the authentication prompt, e.g. obtained via user input 213. And [0080] Proximate challenge request may include the encrypted challenge token (i.e. encrypted message comprising the challenge)); 
cause the secure component to decrypt the encrypted message to extract the challenge as plaintext from the encrypted message (Reynolds, Fig. 5, [0081] Mobile client device 200B may process 533 proximate challenge request 530.  For example, mobile client device may: decrypt the encrypted challenge token using the private encryption key); 
cause the secure component to use a key associated with a first challenge type to generate [an integrity code] as a challenge response to the challenge based on (i) the challenge corresponding to the first challenge type and (ii) the extracted challenge matching the challenge obtained as plaintext from the client device (Reynolds, [0081] compare the decrypted challenge token to the challenge token obtained from IVM server 300A; and, if the challenge tokens match, encrypt the verification token (or the manual verification token) using the private encryption key and provide a proximate challenge response 535 to arbitrary client device 200A including the encrypted verification token (or the encrypted manual verification token). Proximate challenge response 535 is provided over PAN 105); 
and provide the [integrity code] to the client device (Reynolds, See Fig. 5 step 535 [0081] … provide a proximate challenge response 535 to arbitrary client device 200A…). 
		While Reynolds teaches generate a challenge response to the challenge, but does not explicitly teach the integrity code, however in the same field of endeavor Mennes teaches: 
[cause the secure component to use a key associated with a first challenge type to generate] (limitation in bracket taught by Reynolds sown above) an integrity code as a challenge response to the challenge (Mennes, discloses strong authentication token supporting multiple instances associated with different users and protected by a user identity verification mechanism, see [Abstract]. And [0169] If the received credential generation message comprises a challenge then the token may generate a response.  If the received credential generation message comprises transaction data then the token may generate a signature over these transaction data. And [0177] the dynamic credentials generated by the strong authentication token may comprise for example one-time passwords and/or electronic signatures (i.e. integrity code) over for example transaction data and/or responses to challenges).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mennes in the multi-factor authentication system of Reynolds by using strong authentication token comprising password or electronic signature as challenge response as user identity verification mechanism for secure remote access to computers and applications. This would have been obvious because the person having ordinary skill in the art would have been motivated to use electronic signature as integrity code for strong user authentication (Mennes, [Abstract], [0177]).

		Regarding claim 17, Reynolds-Mennes combination further teaches:
The token of claim 16, wherein the token is caused to: cause the challenge to be presented as plaintext on a display of the token (Reynolds, [0066] The executable instructions provided to mobile client device 200B may (1) cause the mobile client device to provide an authentication prompt, e.g. via display 215B, identifying the URI of merchant service 325B); and obtain, subsequent to the challenge being presented on the display of the token, a user confirmation of validity of the challenge (Reynolds, [0066] and (2) require a manual response to the authentication prompt, e.g. obtained via user input 213 (i.e. user input in response to plaintext display recognizable by user). Upon obtaining the manual response, mobile client device 200B may return the manual verification token provided by IVM service 325A to browser application 225A via PAN 105), wherein the secure component is caused to decrypt the encrypted message based on the user confirmation of the validity of the challenge (Reynolds, [0081] decrypt the encrypted challenge token using the private encryption key; compare the decrypted challenge token to the challenge token obtained from IVM server 300A; and, if the challenge tokens match, encrypt the verification token (or the manual verification token) using the private encryption key and provide a proximate challenge response 535 to arbitrary client device 200A including the encrypted verification token (or the encrypted manual verification token)).  

Regarding claim 20, Reynolds-Mennes combination further teaches:
The token of claim 16, wherein the token is caused to: use, prior to decrypting the encrypted message to extract the challenge, the challenge obtained as plaintext to generate a request for user confirmation of validity of the challenge (Reynolds, [0066] (1) cause the mobile client device to provide an authentication prompt, e.g. via display 215B, identifying the URI of merchant service 325B); obtain the user confirmation of the validity of the challenge (Reynolds, [0066] and (2) require a manual response to the authentication prompt, e.g. obtained via user input 213 (i.e. user input in response to plaintext display recognizable by user). Upon obtaining the manual response, mobile client device 200B may return the manual verification token provided by IVM service 325A to browser application 225A via PAN 105), and wherein the secure component is caused to decrypt the encrypted message based on the user confirmation of the validity of the challenge (Reynolds, Fig. 5, [0081] Mobile client device 200B may process 533 proximate challenge request 530.  For example, mobile client device may: decrypt the encrypted challenge token using the private encryption key; … if the challenge tokens match, encrypt … (or the manual verification token (i.e. user confirmation of the validity of the challenge)) … provide a proximate challenge response 535 to arbitrary client device 200A).

Claims 18, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Reynolds-Mennes combination as applied above to claim 16, further in view of Walrath et al (US20080184355A1-IDS by Applicant, hereinafter, “Walrath”).
Regarding claim 18, Reynolds-Mennes combination teaches:
The token of claim 16, wherein the token is caused to: cause the challenge to be presented as plaintext on a display of the token; obtain, subsequent to the challenge being presented on the display of the token, a user confirmation of validity of the challenge (Reynolds, [0066] The executable instructions provided to mobile client device 200B may (1) cause the mobile client device to provide an authentication prompt, e.g. via display 215B, identifying the URI of merchant service 325B and (2) require a manual response (i.e. user confirmation) to the authentication prompt, e.g. obtained via user input 213. And [0080] Proximate challenge request may include the encrypted challenge token (i.e. first challenge) and is provided over PAN 105); [and power or increase power to the secure component based on the user confirmation of the validity of the challenge, wherein, subsequent to the powering or increasing of power to the secure component] (see Walrath below), the secure component is caused to decrypt the encrypted message to extract the challenge as plaintext from the encrypted message (Reynolds, Fig. 5, [0081] Mobile client device 200B may process 533 proximate challenge request 530.  For example, mobile client device may: decrypt the encrypted challenge token using the private encryption key. … if the challenge tokens match, encrypt … (or the manual verification token (i.e. user confirmation of the validity of the challenge)) … provide a proximate challenge response 535 to arbitrary client device 200A).  
		While the combination of Reynolds-Mennes does not explicitly teach the following limitation(s), however in the same field of endeavor Walrath teaches: 
		and power or increase power to the secure component based on the user confirmation of the validity of the challenge (Walrath, referring to Fig. 2, the security token is activated based on the determined validity of token at steps 202 to 203, power on device at step 210);
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Walrath in the multi-factor authentication system of Reynolds-Mennes by using wireless security authentication system configured to determine validity of user credential before powering up the token device. This would have been obvious because the person having ordinary skill in the art would have been motivated to validate the token device first to power up the token device for security authentication to prevent unauthorized user to modify the power-on process and also preserve computer resources (Walrath, [Abstract], [0001], [0005]).

		Regarding claim 19, Reynolds-Mennes combination teaches:
The token of claim 16, wherein the token is caused to: use, prior to decrypting the encrypted message to extract the challenge, the challenge obtained as plaintext to generate a request for user confirmation of validity of the challenge (Reynolds, [0066] (1) cause the mobile client device to provide an authentication prompt, e.g. via display 215B, identifying the URI of merchant service 325B); obtain the user confirmation of the validity of the challenge (Reynolds, [0066] Upon obtaining the manual response (i.e. user confirmation of validity of the challenge), mobile client device 200B may return the manual verification token provided by IVM service 325A to browser application 225A via PAN 105); 
Examiner notes that limitation “prior to decrypting the encrypted message to extract the challenge” is inherent to “plaintext challenge”, i.e. without decrypting the encrypted message, which is referring to the plaintext. Reynolds teaches displaying the authentication prompt so that user can response, therefore the message is plaintext.
		While the combination of Reynolds-Mennes does not explicitly teach the following limitation(s), however in the same field of endeavor Walrath teaches: 
		and Page 344850-3292-2297.v1PATENTAttorney Docket No.: 034259-0510640power or increase power to the secure component based on the user confirmation of the validity of the challenge (Walrath, referring to Fig. 2, the security token is activated based on the determined validity of token at steps 202 to 203, power on device at step 210);
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Walrath in the multi-factor authentication system of Reynolds-Mennes by using wireless security authentication system configured to determine validity of user credential before powering up the token device. This would have been obvious because the person having ordinary skill in the art would have been motivated to validate the token device first to power up the token device for security authentication to prevent unauthorized user to modify the power-on process and preserve computer resources (Walrath, [Abstract], [0001], [0005]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Schrecker (US20130268767A1) discloses authentication of a computing device based on authentication data provided from short range wireless token.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436                                                                                                                                                                                                        
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436