DETAILED ACTION
Acknowledgements
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in reply to the Amendment filed on February 23, 2022.
Claims 2, 4, 15, and 17 are cancelled.
Claims 21-23 are added. 
Claims 1, 3, 5-14, 16, and 18-23 are pending.
Claims 1, 3, 5-14, 16, and 18-23 are examined.
This Office Action is given Paper No. 20220606 for references purposes only.

Information Disclosure Statement
The Information Disclosure Statement filed on May 2, 2022 has been considered. An initialed copy of the Form 1449 is enclosed herewith.

Claim Rejections - 35 USC § 112, 2nd paragraph
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 

Claims 5-7 and 18-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 5 depends upon cancelled claim 4. The claim is vague and indefinite because the metes and the bounds of the claim are unclear. For purposes of applying the prior art only, Examiner will interpret as “The method of claim 1.”
 Claims 18-19 depend upon cancelled claim 17. These claims are vague and indefinite because the metes and the bounds of the claims are unclear. For purposes of applying the prior art only, Examiner will interpret as “The system of claim 14.”

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3, 5-14, 16, and 18-23 are rejected under 35 U.S.C. 103(a) as being unpatentable over Pieczul et al. (US 2012/0151568), in view of McClain (US 7,697,920), and further in view of Mahaffey et al. (US 2014/0189808). 

Claims 1, 14, 20
Pieczul discloses:
receiving, at a server (service provider, see figure 3) from a first client application (user application, see figure 3), a first application programming interface call that comprises a client access token (security token, see [0038], figure 3);
transmitting, by the server to the first client application, a transaction identifier (session cookie, see [0073]), wherein the transaction identifier is stored by the server; 
generating (generate, see [0038]), using a shared secret and the transaction identifier (attributes from the security token, see [0038]), a temporary password (attributes cookie, see [0038]), wherein the shared secret is associated with the transaction identifier and is stored by the server; 
transmitting, by the server to the messaging identifier, a message that comprises the temporary password (attributes cookie obtained from service provider, see [0039]);
receiving, at the server from a second client application, a second application programming interface call that comprises a reference transaction identifier (session cookie, see [0068, 0073]) and input (signed token, see [0068, 0073]), wherein a user provides the input to the second client application;
transmitting a success indicator (creates a session for the user, see [0039]) to the second client application based on the authentication.
Pieczul does not disclose:
Authenticating… identifier.
McClain teaches:
authenticating the user when the reference transaction identifier matches the transaction identifier stored at the server (username, see C15 L4-40) and the input matches an expected password (temporary key matches, see C24 L47-62), wherein the expected password is generated using the matching stored transaction identifier (username, see C24 L1) and a shared secret (shared secret, see C24 L11-34) stored in association with the matching stored transaction identifier.
Pieczul discloses receiving a first interface call, transmitting a transaction identifier, generating a temporary password, transmitting a message, receiving a second interface call, and transmitting a success indicator. Pieczul does not disclose authenticating when a reference transaction identifier and input match stored information, but McClain does. It would have been obvious to one of ordinary skill in the art at the time the invention was effectively filed to combine the method and system for authenticating a rich client to a cloud application of Pieczul with the authenticating when a reference transaction identifier and input match stored information of McClain because 1) a need exists for authenticating a rich client to a cloud based application (see Pieczul [0005]); and 2) a need exists for a secure, convenient, elegant and cost effective method for authentication and authorization (see McClain C2 L12-20). Having the reference transaction identifier and input match stored information ensures that the user is authenticated.
Pieczul in view of McClain discloses the limitations above. Pieczul in view of McClain does not disclose:
A messaging identifier… server.
Mahaffey teaches:
a messaging identifier (e.g. phone number or e-mail, see [0082]), wherein the messaging identifier is not persistently stored by the server (client supplies the identifier, see [0082]).
Pieczul in view of McClain discloses receiving a first interface call, transmitting a transaction identifier, generating a temporary password, transmitting a message, receiving a second interface call, authenticating the user, and transmitting a success indicator. Pieczul in view of McClain does not disclose a messaging identifier that is not stored by the server, but Mahaffey does. It would have been obvious to one of ordinary skill in the art at the time the invention was effectively filed to combine the method and system for authenticating a rich client to a cloud application of Pieczul, in view of McClain, with the messaging identifier of Mahaffey because a need exists for a comprehensive password and identity management system that provides a centralized method of user authentication that utilizes an authentication device readily available to most users (see Mahaffey [0007]). A messaging identifier that is not stored by the server allows for that information to be supplied by the client.

Claims 3, 16
Furthermore, McClain teaches:
the messaging identifier comprises an email address or a mobile phone number (cell phone number, see C5 L38-47).

Claims 5, 18
Furthermore, McClain teaches:
the transaction identifier comprises an embedded timestamp (timestamp, see C24 L1-34) associated with the first application programming interface call, and the generated temporary password is based on the shared secret, the transaction identifier, and the embedded timestamp. 

Claim 6
Furthermore, McClain teaches:
the reference transaction identifier and the matching stored transaction identifier comprise matching embedded timestamps (timestamp, see C24 L1-34).  

Claim 7
Furthermore, McClain teaches:
the expected password (temporary key, see C24 L47-62) is based on the shared secret (shared secret, see C24 L11-34) associated with the matching stored transaction identifier, the matching stored transaction identifier (username, see C24 L1), and the matching embedded timestamp (timestamp, see C24 L1-34).

Claim 8
Furthermore, Pieczul discloses:
the first application programming interface call and the second application programming interface call comprise secure REST API calls (REST calls, see [0067-0068]).  

Claim 9
Furthermore, Pieczul discloses:
the client access token (security token, see [0038], figure 3) is issued by an identity cloud management system (identity provider, see [0038], figure 3) and is used to secure communication between the server (service provider, see [0037]) and the client application (user application, see [0037]).

Claim 10
Furthermore, Pieczul discloses:
the client application is issued the client access token based on registration (username and password, see [0038]) with the identity cloud management system.  

Claims 11, 19
Furthermore, McClain teaches:
the multifactor authentication without a user footprint is achieved by the authentication of the user without persistently storing the messaging identifier (not stored, see C14 L1-5).  

Claim 12
Furthermore, McClain teaches:
the multifactor authentication without user footprint is achieved by the authentication of the user without persistently storing - 76 -ORA190386-US-N PORACLE CONFIDENTIALPATENTDocket No.: 2011-0580US01the user's personal data, wherein the user's personal data comprises the user's name and address (not stored, see C14 L1-5).  

Claim 13
Furthermore, Pieczul discloses:
the user is permitted to access a secure resource (target applications, see [0037]) based on the success indicator.  

Claims 21, 22, 23
Pieczul discloses:
the first client application is the second client application (user application, see figure 3), and the first application programming interface call is received earlier in time (see [0068-0073]) than the second application programming interface call.

Response to Arguments 
Applicant argues that the prior art does not teach the messaging identifier is not persistently stored by the server.
McClain teaches the identifier is not persistently stored by the server (identifying information is not stored at the trusted server, see C14 L1-5). However, in order to expedite prosecution, please see new mapping.

Claim Interpretation
The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure (see attached form PTO-892).
Thakkar et al. (US 2019/0386984) discloses two-factor authentication through ultrasonic audio transmissions. 
After careful review of the original specification and unless expressly noted otherwise by Examiner, Examiner concludes that Applicant is not his own lexicographer.  See MPEP § 2111.01 IV.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry of a general nature or relating to the status of this application or concerning this communication or earlier communications from Examiner should be directed to Chrystina Zelaskiewicz whose telephone number is 571.270.3940. Examiner can normally be reached on Monday-Friday, 9:30am-5:00pm. If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s supervisor, Abhishek Vyas can be reached at 571-270-1836.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal/pair <http://pair-direct.uspto.gov>. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free).
/CHRYSTINA E ZELASKIEWICZ/Primary Examiner, Art Unit 3621