Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/15/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 7-8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 7 recites the limitation "selecting the credential ID by participating in a registration protocol with the first user device to register with the online service" in lines 2-3.  There is insufficient antecedent basis for this limitation in the claim. It is unclear what entity is “selecting” and “participating” in the registration protocol with the first user device. The “selecting” and “participating” entity is assumed to be the cloud authenticator for purposes of examination.

Claim 8 recites the limitation "receiving a signed copy of the credential ID" in line 2.  There is insufficient antecedent basis for this limitation in the claim. It is unclear what entity is “receiving” the signed copy and where the signed copy is coming from. The “receiving” entity is assumed to be the cloud authenticator and the signed copy is assumed to be sent from the first user device for purposes of examination.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 5-8, 9-11 and 13-16 are rejected under 35 U.S.C. 103 as being unpatentable over Laing et al. (WO 2021/126253 A1) in view of Hayton (US Patent No. 9,628,448 B2), Gibbs et al. (US Patent No. 6,085,321) and Blinn (US Patent No. 9,871,791 B2), hereinafter Laing, Hayton, Gibbs and Blinn.

	Regarding claim 1, Laing discloses a computer-implemented method comprising: 
registering, by a cloud authenticator, (Laing, Fig. 1 #120, [0020])
a first user device with a user account of a user, (Laing, Fig. 1 #110, [0019])
the registering comprising generating a primary first credential portion retained by the first user device and (Laing, [0020] “shares of a secret authentication key”) 
a primary second credential portion retained by the cloud authenticator; (Laing, [0021] “the dealer may be one of the devices 110 that are registered to participate in authentication”, [0023] “over-provisioned share”)
registering, by the cloud authenticator, a second user device with the user account of the user, (Laing, Fig. 1 #150)
the registering comprising generating a secondary first credential portion based at least in part on the primary first credential portion and (Laing, [0031])
generating a secondary second credential portion based at least in part on the primary second credential portion; (Laing, [0023] “over-provisioned share”)
responsive to the first request, generating a first signature by participating in a first signing protocol between the cloud authenticator and the first user device, (Laing, [0022] “the partial signatures of the devices are combined to generate a full signature”)
the first signature based at least in part on the primary first credential portion, (Laing, [0020]) and
the primary second credential portion, and (Laing, [0021] and [0023])
responsive to the second request, generating a second signature by participating in a second signing protocol between the cloud authenticator and the second user device, (Laing, [0032])
the second signature based at least in part on the secondary first credential portion, (Laing, [0020]) and
the secondary second credential portion (Laing, [0021] and [0023], Also note, [0032] suggests there may be more than 1 over-provisioned share, which is being interpreted as a secondary second credential portion.)

Laing fails to disclose receiving, at the cloud authenticator and from the first user device, a first request to authenticate the user account to an online service;
the first signature based at least in part on a credential identifier (ID) for the online service;
providing, by the cloud authenticator, the first signature to a remote device associated with the online service to authenticate the user account to the online service;
receiving, at the cloud authenticator and from the second user device, a second request to authenticate the user account to the online service; and
the second signature based at least in part on the credential ID for the online service. 

Hayton teaches receiving, at the cloud authenticator and from the first user device, (Hayton, Fig. 6 “Access Gateway”) 
a first request to authenticate the user account to an online service; (Hayton, Fig. 6 #602, Col. 26 ln. 10-23)
providing, by the cloud authenticator, (Hayton, Fig. 6 “Access Gateway”)
the first signature to a remote device associated with the online service (Hayton, Fig. 6 “Auth. Service”) to authenticate the user account to the online service; (Hayton, Fig. 6 #603, Col. 26 ln. 24-39)
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Laing to incorporate the teachings of Hayton to include receiving, at the cloud authenticator and from the first user device, a first request to authenticate the user account to an online service; providing, by the cloud authenticator, the first signature to a remote device associated with the online service to authenticate the user account to the online service. Such modifications would be motivated to validate a user with a set of authentication credentials (Hayton, Col. 25 ln. 58-59).

	Gibbs teaches a signature based at least in part on a credential identifier (ID) (Gibbs, Fig. 1 #104, Col. 3 ln. 39-48)
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Laing in view of Hayton to incorporate the teachings of Gibbs to include the first and second signatures based at least in part on a credential identifier (ID). Such modification would be motivated to associate the signature with the online service or user.

Blinn teaches receiving, at the cloud authenticator and from the second user device, a second request to authenticate the user account to the online service (Blinn, Fig. 3 #310, Col. 15 ln. 37-41)
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Laing in view of Hayton and Gibbs to incorporate the teachings of Blinn to include receiving, at the cloud authenticator and from the second user device, a second request to authenticate the user account to the online service. Such modification would be motivated to address the weakness in two-factor authentication systems where two factors are entered into the same source (Blinn, Col. 3 ln. 35-39).

	Regarding claim 2, Laing in view of Hayton, Gibbs and Blinn discloses the method of claim 1 as set forth above, and wherein the first signature matches the second signature. (Laing, [0015] “An authorised subset of devices comprises any subset of devices greater than or equal to a threshold. Any authorised subset can combine partial signatures that are generated with the share of the signing key, which they possess, to produce a full signature on an authentication challenge.”) 
It is noted, an “authorized subset of devices” may comprise the first device and cloud authenticator, or the second device and cloud authenticator. Further, both instances would result in “a full signature”, referring to a singular valid signature. It is also noted, the instant specification defines “matching” as being, “similar to, matching, or the same” [0048]. In this case, the first signature and second signature would both match if the threshold of two devices participate in each signing protocol. 

	Regarding claim 3, Laing in view of Hayton, Gibbs and Blinn discloses the computer-implemented method of claim 1 as set forth above, and wherein the primary first credential portion is retained by the first user device (Laing, [0020] “shares of a secret authentication key”) and the secondary first credential portion is retained by the second user device. (Laing, [0031]).

	Regarding claim 5, Laing in view of Hayton, Gibbs and Blinn discloses the computer-implemented method of claim 1 as set forth above, and wherein the first signing protocol is a threshold signature signing protocol. (Laing, [0020] “the dealer 120 may distribute shares of signing key using a threshold signature scheme.”)

	Regarding claim 6, Laing in view of Hayton, Gibbs and Blinn discloses the computer-implemented method of claim 1 as set forth above, and wherein the generating the secondary first credential portion further comprises: participating in an enrollment protocol with the first user device to generate the secondary first credential portion based at least in part on the primary first credential portion. (Laing, [0031])

	Regarding claim 7, Laing in view of Hayton, Gibbs and Blinn discloses the computer-implemented method of claim 1 as set forth above, and further comprising:
selecting the credential ID by participating in a registration protocol with the first user device to register with the online service. (Gibbs, Col. 7 ln. 41-48)

	Regarding claim 8, Laing in view of Hayton, Gibbs, and Blinn discloses the computer-implemented method of claim 1 as set forth above, and further comprising:
receiving a signed copy of the credential ID, (Gibbs, Fig. 6, Col. 8 ln. 45-55)
wherein the generating the second signature in the second signing protocol (Laing, [0032]) comprises using the signed copy of the credential ID. (Gibbs, Fig. 1 #104, Col. 3 ln. 39-48)

	Regarding claim 9, Laing in view of Hayton, Gibbs and Blinn discloses a cloud computing device (Laing, Fig. 5) comprising: one or more processors (#510); and one or more non-transitory computer-readable media (#520) storing computer-executable instructions that (#530), when executed by the one or more processors, cause the one or more processors to ([0071]): perform the method of claim 1.
	Therefore, claim 9 is rejected over similar grounds as claim 1.

	Regarding claims 10-11, and 13-16, the computer-executable instructions of claims 10-11 and 13-16 implement the methods of claims 2-3 and 5-8 respectively. Therefore, claims 10-11 and 13-16 are rejected over similar grounds as claims 2-3 and 5-8 over Laing in view of Hayton, Gibbs, and Blinn.

Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Laing in view of Hayton, Gibbs and Blinn as applied to claim 3 above, and further in view of Ranellucci et al. (US-PGPUB 2020/0153640 A1).

	Regarding claim 4, Laing in view of Hayton, Gibbs and Blinn discloses the computer-implemented method of claim 3 as set forth above, but fails to disclose  
wherein the primary first credential portion is not available to the cloud authenticator during generation of the primary first credential portion and during the first signing protocol.
However, Ranellucci teaches wherein the primary first credential portion is not available to the cloud authenticator during generation of the primary first credential portion and during the first signing protocol. (Ranellucci, Fig. 1 #120, [0022] “such a derivation key can be computed by computing the HMAC function with the key and public derivation string via MPC, so that the input and output key shares of a node are not revealed to any other node.”).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Laing in view of Hayton, Gibbs and Blinn to incorporate the teachings of Ranellucci to include wherein the primary first credential portion is not available to the cloud authenticator during generation of the primary first credential portion and during the first signing protocol. Such modification would be motivated to prevent each credential portion belonging to a party from being revealed to other parties.

	Regarding claim 12, the computer-executable instructions of claim 12 implement the method of claim 4. Therefore, claim 12 is rejected over similar grounds as claim 4 over Laing in view of Hayton, Gibbs, Blinn and Ranellucci.

Claims 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Ranellucci et al. (US-PGPUB 2020/0153640 A1), in view of Laing.

	Regarding claim 17, Ranellucci discloses a method comprising:
communicating, by a first user device, with a cloud authenticator to generate a primary first credential portion and a primary second credential portion associated with a user account at the cloud authenticator; (Ranellucci, Fig. 1 #110, [0020-0021] “The request may be sent before transferring funds associated with the key. The nodes may be computers, servers, mobile electronic devices…”)
receiving, by the first user device, the primary first credential portion; (Ranellucci, [0022] “At the end of the MPC process, the nodes receive both the authentication information and the derivation key shares…”)
Ranellucci fails to disclose participating in a signing protocol with the cloud authenticator to generate a signature based at least in part on the primary first credential portion and the primary second credential portion; 
at least partly in response to generating the signature, accessing an online service by the first user device; and 
communicating, by the first user device, with the cloud authenticator and with a second user device to generate a secondary first credential portion and a secondary second credential portion associated with the user account at the cloud authenticator. 

Laing teaches participating in a signing protocol with the cloud authenticator to generate a signature based at least in part on the primary first credential portion and the primary second credential portion; (Laing, [0022] “the partial signatures of the devices are combined to generate a full signature”) 
at least partly in response to generating the signature, accessing an online service by the first user device; and (Laing, [0008] “Once a user's identity has been established, they may be able to gain access to services or data on the computing system or over network”; [0010] “A valid signature shows the authenticating party that someone with access to the device wants to authenticate.”)
communicating, by the first user device, with the cloud authenticator and with a second user device to generate a secondary first credential portion and a secondary second credential portion associated with the user account at the cloud authenticator. (Laing, [0027] and [0032]). 
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ranellucci to incorporate the teachings of Laing to include participating in a signing protocol with the cloud authenticator to generate a signature based at least in part on the primary first credential portion and the primary second credential portion; at least partly in response to generating the signature, accessing an online service by the first user device; and communicating, by the first user device, with the cloud authenticator and with a second user device to generate a secondary first credential portion and a secondary second credential portion associated with the user account at the cloud authenticator. Such modifications would be motivated to authenticate a user using multiple devices. (Laing, [0011])

	Regarding claim 18, Ranellucci in view of Laing discloses the method of claim 17 as set forth above, and wherein the signing protocol comprises a threshold signature signing protocol and the signature comprises a threshold signature. (Laing, [0020] “the dealer 120 may distribute shares of signing key using a threshold signature scheme.”)

Claims 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ranellucci in view of Laing as applied to claim 17 above, and further in view of Gibbs.

	Regarding claim 19, Ranellucci in view of Laing discloses the method of claim 17 as set forth above, and wherein the participating in the signing protocol further comprises generating the signature based at least in part on the primary first credential portion, (Laing, [0020]) the primary second credential portion, and (Laing, [0021] and [0023]), but fails to disclose selecting, by the first user device and with the cloud authenticator, a credential identifier (ID) for the online service, and wherein the participating in the signing protocol further comprises generating the signature based at least in part on the credential ID.
However, Gibbs teaches selecting, by the first user device and with the cloud authenticator, a credential identifier (ID) for the online service, (Gibbs, Col. 7 ln. 41-48) and wherein the participating in the signing protocol further comprises generating the signature based at least in part on the credential ID (Gibbs, Fig. 1 #104, Col. 3 ln. 39-48).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ranellucci in view of Laing to incorporate the teachings of Gibbs to include selecting, by the first user device and with the cloud authenticator, a credential identifier (ID) for the online service, and wherein the participating in the signing protocol further comprises generating the signature based at least in part on the credential ID. Such modifications would be motivated to associate the signature with the online service or user.

	Regarding claim 20, Ranellucci in view of Laing and Gibbs discloses the method of claim 19 as set forth above, and signing, by the first user device, a copy of the credential ID to create a signed credential ID; (Gibbs, Fig. 5 #516, Col. 8 ln. 1-4) and sending the signed credential ID to the cloud authenticator in association with the user account. (Gibbs, Fig. 6, Col. 8 ln. 45-55)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US Patent No. 10,848,469 B1 – Regarding dynamically authenticating multiple devices in a key network.
US-PGPUB 2018/0101850 A1 – Regarding a computing device that supports a Web Authentication (WebAuthN) application program interface (API) and is configured to substitute functionalities utilized in the EMV standard for transactions using smart payment instruments that include embedded computer chips.
US-PGPUB 2016/0294562 A1 – Regarding a method for distributed trust authentication of one or more users attempting to access one or more service providers.
US-PGPUB 2020/0353167 A1 – Regarding managing device authorization through the use of digital signature thresholds.
WO 2019/156081 A1 – Regarding a terminal registration system and method for use in a FIDO authentication system.
Balfanz, Dirk et al. “Web Authentication: An API for accessing Public Key Credentials Level 1” W3C. 4 Mar. 2019. Found on W3C.org (https://www.w3.org/TR/2019/REC-webauthn-1-20190304/) – Regarding an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
Brand, Christiaan et al. “Client to Authenticator Protocol (CTAP)” FIDO Alliance. 30 Jan. 2019. Found on FIDOAlliance.org (https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.pdf) – Regarding an application layer protocol for communication between a roaming authenticator and another client/platform, as well as bindings of this application protocol to a variety of transport protocols using different physical media.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA NEIL GONZALES whose telephone number is (571)272-0286. The examiner can normally be reached 10:00 AM-7:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/J.N.G./Examiner, Art Unit 2496  
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496