Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Claims 1-44 are presented for examination. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-43 rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Regarding claim 1, the claimed invention is directed to an abstract without significantly more. The claims recite(s) receiving an access request, authenticating a user based on user credential, and establishing a service session between user device and service provider.
The limitation of receiving an access request, authenticating a user based on user credential, and establishing a service session between user device and service provider as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “service provider” and “user device” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “service provider” and “user device” language, “receiving an access request, authenticating a user based on user credential, and establishing a service session between user device and service provider” in the context of this claim encompasses the user manually receives and authenticates the user’s credential like photo ID.
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – using a “service provider” and “user device” to perform the steps of “receiving an access request, authenticating a user based on user credential, and establishing a service session between user device and service provider”. The “service provider” and “user device” is recited at a high level of generality (i.e., as a generic “service provider” and “user device” performing a generic computer network function) such that it amounts no more than mere instructions to apply the execution using a generic computer network component. The authenticating step is also recited at a high level of generality (i.e., as a general means authenticating a user based on unique photo ID associated with user by the service provider), which is a form of insignificant extra-solution activity. Accordingly the additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into practical application, the additional element of using “service provider” and “user device” to perform “receiving an access request, authenticating a user based on user credential, and establishing a service session between user device and service provider” steps amounts to no more than mere instructions to apply the exception using a generic computing device. Mere instructions to apply an exception using a generic computing network device cannot provide an inventive concept. The claim is not patent eligible.

3.         Claims 42-43 are rejected under 35 U.S.C. 101 because the claim invention is directed to non-statutory subject matter. These are “system” claims without showing any tangible or hardware elements in the body of the claims. Therefore, it is evidentiary that these “system” claims do not comprises any tangible components or hardware elements. For example, “receiving a request” and “create a unique user credential” are just software module, not any hardware or tangible module. Hence, the “system” is reasonably interpreted by one of ordinary skill as just software, it is a system of software, per se. The function of the system is just software not any hardware. Warmerdam, 33 F.3d at 1361, 31 USPQ2d at 1760 (claim to a data structure per se held nonstatutory).  Such claimed data structures do not define any structural and functional interrelationships between the data structure and other claimed aspects of the invention which permit the data structure’s functionality to be realized. Similarly, computer programs module claimed as computer instructions per se, i.e., the descriptions or expressions of the programs, are not physical “things.” They are neither computer components nor statutory processes, as they are not “acts” being performed. Such claimed computer programs modules do not define any structural and functional interrelationships between the computer program and other claimed elements of a computer which permit the computer program’s functionality to be realized. Accordingly, it is important to distinguish claims that define descriptive material per se from claims that define statutory inventions.  So, it does not appear that a claim reciting software module with functional descriptive material falls within any of the categories of patentable subject matter set forth in § 101.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-44 is/are rejected under 35 U.S.C. 102[(a)(2) as being anticipated by Achhra et al hereafter Achhra (US pat. App. Pub. 20160307196).
1. As per claim 1, Achhra discloses an electronic method of authenticating a user to establish a service session the method comprising the steps of: receiving an access request at a service provider device from a user device, authenticating a user based on a unique user credential associated with the user, by the service provider, establishing a service session between the user device and the service device (paragraphs: 22-26, and 54-61; wherein it emphasizes that a service provider receives an access request from client devices comprises with client credential and service provider authenticating the client based on the valid client’s credentials and establishing service session based on authentication between service provider and client device).
5. As per claim 2, Achhra discloses an electronic method of authenticating a user, wherein the unique user credential is a unique ID certificate associated with the user, wherein the ID certificate is a data object defining at least a user identity and a user credential issuer identity (paragraphs: 25, 38).
6. As per claim 3, Achhra discloses an electronic method of authenticating a user, wherein the unique user credential is issued by a user credential issuer, wherein the user credential issuer is authorized by the service provider (paragraphs: 41, 54).
7. As per claim 4, Achhra discloses an electronic method of authenticating a user, wherein the method comprises the additional steps of: receiving a response data packet comprising at least a user credential identifier from the user device, by the service provider, determine a user credential that corresponds to the user credential identifier (paragraphs: 42, 55).
8. As per claim 5, Achhra discloses an electronic method of authenticating a user, wherein the step of authenticating a user comprises the additional step of: querying the credential issuer device with the user credential identifier, receiving a user credential corresponding to the user credential identifier, checking the received user credential corresponds to the user credential identifier (paragraphs: 39, 53, 67).
9. As per claim 6, Achhra discloses an electronic method of authenticating a user, wherein the step of authenticating a user comprises the additional step of establishing a service session, by the service provider device, if the received user credential from the credential issuer device corresponds to or matches the user credential identifier received in the response data packet from the user device (paragraphs: 27, 61, 96).
10. As per claim 7, Achhra discloses an electronic method of authenticating a user, wherein the method comprises the additional steps of: generating a session token by the service provider, that corresponds to a session, encoding the session token with authorization criteria (paragraphs: 52, 64).
11. As per claim 8, Achhra discloses an electronic method of authenticating a user, wherein the session token is a data object that comprises one or more of an ID of the session data field and an authorization criteria data field (paragraphs: 48, 62).
12. As per claim 9, Achhra discloses an electronic method of authenticating a user, wherein the authorization criteria comprises at least an accepted user credential issuer data field that defines the user credential issuer that will be accepted by the service provider in order to authenticate the user (paragraphs: 50, 66).
13. As per claim 10, Achhra discloses an electronic method of authenticating a user, wherein the method comprises the additional step of: providing a visual code to the user device, by the service provider device, wherein the visual code comprises the session token (paragraphs: 60, 73).
14. As per claim 11, Achhra discloses an electronic method of authenticating a user, wherein the visual code is a machine readable optical code that is configured to be read or scanned by the user device to extract information from the visual code (paragraphs: 35, 47).
15. As per claim 12, Achhra discloses an electronic method of authenticating a user, wherein the visual code is one of a one dimensional barcode or a two dimensional code (paragraphs: 76, 79).
16. As per claim 13, Achhra discloses an electronic method of authenticating a user, wherein the method comprises the additional steps of: receiving the visual code by the receiver device from the service provider device, decoding the visual code to extract the session token from the visual code, processing the session token to extract a user credential identifier (paragraphs: 95, 116, 119).
17. As per claim 14, Achhra discloses an electronic method of authenticating a user, wherein the step of processing the session token comprises the additional steps of: identifying a user credential issuer from the user credential issuer data field of the session token, identifying a user credential that corresponds to the user credential issuer, identify a user credential identifier based on the identified user credential (paragraphs: 23, 31).
18. As per claim 15, Achhra discloses an electronic method of authenticating a user, wherein the method comprises the additional steps of: generating the response data packet comprising the user credential identifier, signing the response data packet with at least a private key using an asymmetric cryptographic process (paragraphs: 49, 51, 56).
19. As per claim 16, Achhra discloses an electronic method of authenticating a user, wherein the method comprises the additional step of verifying the response data packet by a public key located in the user credential received from the user credential issuer, and the received user credential is considered to match if the public key corresponds to the private key used to sign the response data packet (paragraphs: 45, 57).
20. As per claim 17, Achhra discloses an electronic method of authenticating a user, wherein the step of processing the session token comprises the additional steps of: querying a user database of user credentials to identify a user credential that corresponds to a received user credential issuer, the user database storing a list of one or more user credentials that correspond to each user credential issuer, the user database being populated by a computer implemented registration process, identifying the user credential that corresponds to the user credential issuer listed in the session token (paragraphs: 24, 33, 70).
21. As per claim 18, Achhra discloses an electronic method of authenticating a user, wherein the computer implemented registration process comprises the steps of: receiving a request for a unique user credential from a user device by a user credential issuer, create a unique user credential associated with the user based on a verified identity of the user, delivering the user credential to the user device, storing the user credential in a user database (paragraphs: 29, 43, 104).
22. As per claim 19, Achhra discloses an electronic method of authenticating a user, wherein the step of storing the user credential in a user database comprises the additional steps of: generating a key pair of a private key and a public key by the user device, associating the received user credential with the generated key pair, providing the public key of the key pair associated with the user credential to the user credential issuer for storing by the user credential issuer (paragraphs: 26, 32, 36).
23. As per claim 20, Achhra discloses an electronic method of registration for registering a user with a user credential issuer comprising the steps of: receiving a request for a unique user credential from a user device by a user credential issuer, create a unique user credential associated with the user based on a verified identity of the user, delivering the user credential to the user device, storing the user credential in a user database device (paragraphs: 24-27, 34-38, and 54-61).
24. As per claim 21, Achhra discloses an electronic method of registration, wherein the step of storing the user credential in a user database comprises the additional steps of: generating a key pair of a private key and a public key by the user device, associating the received user credential with the generated key pair, providing the public key of the key pair associated with the user credential to the user credential issuer for storing by the user credential issuer (paragraphs: 26, 32, 36). 
25. As per claim 22, Achhra discloses a system for authenticating a user to establish a service session, the system comprising: a service provider device in electronic communication with a user device, the service provider device and user device configured for two way communication with each other via a communication network, the service provider device associated with a service provider and the user device associated with a user (22-26, and 54-61), the service provider device configured to receive an access request from the user device, the service provider device configured to authenticate a user based on a unique user credential associated with the user, wherein the user credential being issued by an authorized user credential issuer that is trusted by the service provider the service provider configured to establish a service session between the user device and the service device to allow the user to use a service provided by the service provider (paragraphs: 29-33, and 36-44).
26. As per claim 23, Achhra discloses an electronic method of registration for registering a user, wherein the unique user credential is a unique ID certificate associated with the user, wherein the ID certificate is a data object defining at least a user identity and a user credential issuer identity (paragraphs: 25, 38).
27. As per claim 24, Achhra discloses an electronic method of registration for registering a user, wherein the system comprises a user credential issuer device associated with a user credential issuer and configured for two way communication with the service provider device and the user device, the user credential issuer device is configured to issue the unique user credential to a user, and wherein the user credential issuer is authorized by the service provider as an accepted user credential issuer (paragraphs: 41, 54). 
28. As per claim 25, Achhra discloses an electronic method of registration for registering a user, wherein the service provider device being configured to: receive a response data packet comprising at least a user credential identifier from the user device, by the service provider, determine a user credential that corresponds to the user credential identifier (paragraphs: 42, 55). 
29. As per claim 26, Achhra discloses an electronic method of registration for registering a user, wherein the service provider device is configured to query the credential issuer device with the received user credential identifier, the user credential issuer device configured to transmit a user credential corresponding to the user credential identifier, the service provider device configured to receive the user credential corresponding to the user credential identifier, and the service provider configured to check the received user credential corresponds to the received user credential identifier (paragraphs: 39, 53, 67).
30. As per claim 27, Achhra discloses an electronic method of registration for registering a user, wherein the service provider device establishes a service session if the received user credential from the credential issuer device corresponds to the user credential identifier received by the service provider device, as part of the response data packet transmitted by the user device (paragraphs: 27, 61, 96).
31. As per claim 28, Achhra discloses an electronic method of registration for registering a user, wherein the service provider device is further configured to generate a session token that corresponds to a session, and the service provider device is configured to encode the session token with an authorization criteria (paragraphs: 52, 64).
32. As per claim 29, Achhra discloses an electronic method of registration for registering a user, wherein the session token is a data object that comprises one or more of an ID of the session data field and an authorization criteria data field (paragraphs: 48, 62).
33. As per claim 30, Achhra discloses an electronic method of registration for registering a user, wherein the authorization criteria comprises at least an accepted user credential issuer data field that defines the user credential issuer that will be accepted by the service provider in order to authenticate the user (paragraphs: 50, 66).
34. As per claim 31, Achhra discloses an electronic method of registration for registering a user, wherein the service provider device is configured to provide a visual code to the user device, wherein the visual code comprises the session token (paragraphs: 60, 73).
35. As per claim 32, Achhra discloses an electronic method of registration for registering a user, wherein the visual code is a machine readable optical code that is configured to be read or scanned by the user device to extract information from the visual code (paragraphs: 35, 47).
36. As per claim 33, Achhra discloses an electronic method of registration for registering a user, wherein the visual code is one of a one dimensional barcode or a two dimensional code (paragraphs: 76, 79). 
37. As per claim 34, Achhra discloses an electronic method of registration for registering a user, wherein the user device receives the visual code from the service provider in response to a use request, the user device is configured to decode the visual code to extract the session token from the visual code, and the user device is configured to process the session token to extract a user credential identifier (paragraphs: 95, 116, 119).
38. As per claim 35, Achhra discloses an electronic method of registration for registering a user, wherein the user device is further configured to identify a user credential issuer from the user credential issuer data field in of the session token, the user device is configured to identify a user credential issuer from the user credential issuer data field of the session token, the user device configured to identify a user credential that corresponds to the user credential issuer, and; the user device configured to identify the user credential identifier based on the identified user credential (paragraphs: 23, 31).
39. As per claim 36, Achhra discloses an electronic method of registration for registering a user, wherein the user device is configured to generate the response data packet comprising the user credential identifier and the user device is configured to sign the response data packet with at least a private key using an asymmetric cryptographic process (paragraphs: 49, 51, 56).
40. As per claim 37, Achhra discloses an electronic method of registration for registering a user, wherein the system comprises a key generator, the user device configured to obtain a key pair from the key generator, wherein the key pair comprises a public key and a private key, and wherein the user device comprises the key generator and the key generator being controlled by the user device (paragraphs: 74, 101). 
41. As per claim 38, Achhra discloses an electronic method of registration for registering a user, wherein, wherein the service provider device is configured to verify the response data by a public key located in the user credential received from the user credential issuer device, and the service provider device is configured to determine a user credential is a match if the public key corresponds to the private key used to sign the response data packet (paragraphs: 45, 57).
42. As per claim 39, Achhra discloses an electronic method of registration for registering a user, wherein the user device is configured to query a user database of user credentials to identify a user credential that corresponds to a received user credential issuer defined in a user credential issuer data field within the received session token, the user database comprising a list of one or more user credentials issued by each user credential issuer, the database relating each user credential with the user credential issuer that issued the user credential, the database being populated by an electronic registration process, and; wherein the user device is configured to identify the user credential that corresponds to the user credential issuer listed in the session token (paragraphs: 24, 33, 70). 
43. As per claim 40, Achhra discloses an electronic method of registration for registering a user, wherein the electronic registration process is implemented by the system for authenticating a user wherein the user credential issuer is configured to receive a request for a unique user credential from the user device, the user credential issuer configured to create a unique user credential associated with the user based on a verified identity of the user, the identity of the user being verified by the user credential issuer, the user credential issuer device configured to transmit the user credential to the user device, and the user device configured to receive and store the user credential from the user credential issuer device in the user database (paragraphs: 29, 43, 104).
44. As per claim 41, Achhra discloses an electronic method of registration for registering a user, wherein the user device is further configured to generate a key pair of a private key and a public key, the user device configured to associated the received user credential with the generated key pair, and the user device is configured to provide the public key of the key pair associated with the user credential to the user credential issuer device for storing by the user credential issuer device (paragraphs: 26, 32, 36).
45. As per claim 42, Achhra discloses a system for registering a user with a user credential issuer comprising; receiving a request fora unique user credential from a user device by a user credential issuer, create a unique user credential associated with the user based on a verified identity of the user, delivering the user credential to the user device, storing the user credential in a user database (paragraphs: 24-27, 34-38, and 54-61).
46. As per claim 43, Achhra discloses a system for registering a user with a user credential issuer in accordance with claim 42, wherein the step of storing the user credential in a user database comprises the additional steps of: generating a key pair of a private key and a public key by the user device, associating the received user credential with the generated key pair, providing the public key of the key pair associated with the user credential to the user credential issuer for storing by the user credential issuer (paragraphs: 26, 32, 36).
47. As per claim 44, Achhra discloses a computer implemented method of authentication of a user comprising the steps of: providing a use request to a service provider device from a user device, receiving the use request by the service provider device, generating a session token by the service provider device, wherein the session token is a data object that comprises one or more of an ID of the session data field and an authorization criteria data field, wherein the authorization criteria comprises at least an accepted user credential issuer data field that defines the user credential issuer that will be accepted by the service provider in order to authenticate the user, providing a visual code to the user device by the service provider device, wherein the visual code comprises the session token generated by the service provider device (paragraphs: 22-26, and 54-61), the visual code is a machine readable optical code that is configured to be read or scanned by the user device to extract information from the visual code, wherein the visual code is a machine readable code is a barcode, decoding the visual code to extract the session token from the visual code, processing the session token to extract a user credential issuer from the user credential issuer data field of the session token, querying a user database of user credentials to identify a user credential that corresponds to a received user credential issuer, the user database storing a list of one or more user credentials that correspond to each user credential issuer, the user database being populated by a computer implemented registration process (paragraphs: 41, 49, 60-62, and 119), identifying the user credential that corresponds to the user credential issuer listed in the session token, generating a response data packet comprising the user credential identifier, signing the response data packet with a private key using an asymmetric cryptographic process, a challenge data field of the response data packet being signed by the private key, and verifying the response data packet by a public key located in the user credential received from the user credential issuer, and the received user credential is considered to match if the public key corresponds to the private key used to sign the response data packet (paragraphs: 71-76, and 86).
 Citation of References
48. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action: 
Meshkati et al (US pat. app. Pub. 20160012432): discusses credential-based electronic payment processing involves a credential processing server receiving from a mobile communications device a payment initiation request for initiating payment with a payment terminal, and providing the mobile communications device with a mode authorization for an authorized communications mode for the mobile communications device to provide the payment terminal with a payment pre-authorization credential. The payment pre-authorization credential is uniquely associated with a financial account and pre-authorizes electronic payment from the financial account. The credential processing server receives from the payment terminal a payment clearing request that identifies a payment amount and includes the payment pre-authorization credential.  
Graham, III et al (US pat. App. Pub. 20150312233): elaborates that A central server configured with an Attribute Authority (“AA”) acting as a Trusted Third Party mediating service provider and using X.509-compatible PKI and PMI, VPN technology, device-side thin client applications, security hardware (HSM, Network), cloud hosting, authentication, Active Directory and other solutions. This ecosystem results in real time management of credentials, identity profiles, communication lines, and keys. It is not centrally managed, rather distributes rights to users. Using its Inviter-Invitee protocol suite, Inviters vouch for the identity of Invitees who successfully complete the protocol establishing communication lines. Users establish and respond to authorization requests and other real-time verifications pertaining to accessing each communication line.  
Conclusion
49.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD W REZA whose telephone number is (571)272-6590.  The examiner can normally be reached on Monday-Friday 8:30-5:30 ET.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
/MOHAMMAD W REZA/Primary Examiner, Art Unit 2436