DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Examiner contacted the Applicant’s representative, Ian G. DiBernardo (Registration No. 40,991) to conduct compact prosecution.  No agreement was reached.
An amendment was filed on 1/28/2022 by the Applicant.  Claims 1-7, 9-12, and 14 have been amended, and Claims 8 and 15 have been canceled because Claims 8 and 15 were part of Group 2, claims 8-11, and 15.  The Applicant previously elected Group 1, claims 1-7, and 12.  The Applicant changed the dependency of claims 9-11; they are now dependent on claim 7, and claims 9-11 have been examined.  This action is Final.

Response to Amendments

Applicant's arguments filed 1/28/2022 have been fully considered but they are not persuasive. 
On page 7, the claim objections on claims 1-11 and 14 have been withdrawn due to the Applicant amendments.
On pages 7-8, the 101 rejection has been withdrawn, due to the Applicant pointing out the hardware element in the body of the claim, which is the processor-based controller; paragraph 40 states the CPU-based controller.
On pages 8-9, the 112(b) rejection has been withdrawn due to the Applicant amending the claims to overcome the 112(b) rejection.
On page 9 of the Applicant’s arguments the Applicant states that the prior art of, “Tremlet does not disclose sending a first challenge and, in response to the first challenge is correct, sending a second, subsequent challenge, wherein the first and second challenges are based on different information and sent via different channels to different, independently accessible parts of the mobile terminal”.
(A). First, Tremlet was relied upon for the limitations, “sending a first challenge and, in response to the first challenge is correct, sending a second, subsequent challenge”, Tremlet discloses sending a first challenge (Tremlet: See Fig. 1B), the trusted entity sends the first challenge, and the electronic device receives the challenge, and responds (Tremlet: See Fig. 1A), the response is confirmed by the trusted entity (Tremlet: See Fig. 1A and 1B).  Further, Tremlet further discloses in Figure 2 a plurality of challenges and responses, thus Tremlet discloses a first challenge, and first response, and a second challenge and second response (Tremlet: See Fig. 2).  Also, Tremlet discloses a processor based PUF, which the Examiner asserts is the processor-based controller of the electronic device, that responds to the challenge and provides the unique input, which the Examiner asserts is the identifier of the processor based PUF (Tremlet: para. 0026-0027, and 0038-0039).  Further, Tremlet discloses a confirmation signal is issued to the electronic device upon authentication of the response, thus the Examiner asserts that for each response of a challenge, the challenge is confirmed (Tremlet: para. 0014, 0029, 0052).  Further, Tremlet discloses that multiple challenge-response increases the level of security (Tremlet: para. 0027).
(B).  On pages 11-12 of the Applicant’s arguments the Applicant argues, Tremlet does not disclose a first channel and second channel.  Tremlet was not relied upon for a first and second channel which are different.  Watson was relied upon for challenge being sent to a secure element, the response includes the secure element identifier, the Examiner asserts that the secure element is the PIM-SIM application (Watson: para. 0024-0025).  Furthermore, Watson discloses a first channel and second channel, which is SMS and TCP/IP, Watson discloses “may also” take the form of TCP/IP, which means in addition to, not “or” as the Applicant argues (Watson: para. 0024).
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
On page 13, the Applicant is arguing the motivation to use two different channels for challenge responses.  Both Tremlet and Watson are analogous in the art of challenge-response. The reason to have two different channels is that SMS is an efficient manner of transmission and consumes fewer resources than TCP/IP messaging; it is an efficient security measure in challenge-response to use the two different channels of Watson for the multiple challenge-response of Tremlet.
On page 13 of the Applicant’s argument, it appears the Applicant is arguing the cited art of Ibrahim for not disclosing “two different channels for respective challenge responses”.  If so, the Examiner did not rely on the prior art of Ibrahim for “two different channels for respective challenge responses”.  Thus, the Applicant’s argument is moot.
  If the Applicant is not referring to the argument on page 13 for the prior art of Ibrahim, the Examiner is unclear of the Applicant’s position.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.


Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claims 1-7, and 9-11 are interpreted under 35 U.S.C. 112(f) or Pre-AIA  35 U.S.C. 112, sixth paragraph, as reciting means-plus functions.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are:  “the authentication system is configured… to send, and determination recited in claim 1.    
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claims 2-7, and 9-11 invoke 112 (f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because they depend from claim 1 that invokes 112 (f).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Tremlet (2014/0279532) in view of Watson et al (2012/0149330), in view of Landrok (2017/0364911), and further in view of Ibrahim (2017/0085558).
As per claim 1, Tremlet discloses an authentication system comprising: at least one processor, wherein the authentication system is configured, in response to receiving a request to authenticate a transaction (Tremlet: para. 0011, and 0044, in response to receiving a request, an electronic device sends a request to the trusted entity to authenticate (i.e. approve) a transaction): 
to send a first challenge comprised in a mobile terminal (Tremlet: See Fig. 1B, para. 0027, 0036,  trusted entity #110 sends a first challenge to an electronic device #100, which is a mobile terminal, Tremlet discloses mobile device/terminal, such as a laptop computer, tablet, and cellular phone), and, in response to receiving a first response to the first challenge (Tremlet: See Figs. 1A-1B illustrates the electronic device #100 sending a response to the trusted entity #110, and  para. 0027, the trusted entity receives the first response to the first challenge from the electronic device (i.e. mobile terminal)), to determine whether the first response is correct (Tremlet: para. 0027, 0029, determine whether the first response is correct, is performed by the trusted entity, the trusted entity determines whether the first response is verified (i.e. correct)); 
in response to a determination that the first response is correct, to send a second challenge to a processor-based controller comprised in the mobile terminal (Tremlet: para. 0026-0027, 0038-0039,  See Fig. 2 illustrates Challenge 2, which is a second challenge, discloses the trusted entity may repeat the sequence of challenge-response authentication multiple times, the Examiner asserts this would include a second challenge; and the trusted entity sending a second challenge to a processor-based controller (i.e. processor-based PUF (physically unclonable functions), which the Examiner asserts the PUF is the controller, the PUF provides the processor with a unique input, and then a plurality of responses are generated by the processor in response to a plurality of challenges based on the unique input provided by the PUF), and, in response to receiving a second response to the second challenge from the processor-based controller (Tremlet: See Fig. 1A, Figure 2, and para. 0026-0027, 0038-0039, discloses the challenge-response can be repeated multiple times, which would include a second response to the second challenge, the second response is from the processor-based controller (i.e. processor-based PUF), and it is received by the trusted entity), and discloses each multiple challenge, and each challenge can be associated with at least one response, thus this would include a second response from a second challenge; a plurality of responses which includes a second response is generated by the processor in response to plurality of challenges, thus including a second challenge based on the input of the PUF (i.e. controller), to determine whether the second response is correct (Tremlet: para. 0027, 0029, 0052, challenge-response can be repeated multiple times, which would include a second response, and determining whether the second response is verified by the trusted entity); and 
in dependence upon the first and second responses being correct, to signal that the transaction is authenticated (Tremlet: para. 0041, 0050, 0052, discloses challenge-response authentication process can be repeated several times, this includes a first and second responses, because Tremlet discloses multiple challenge-responses, the first and second responses being correctly verified (i.e. verification process as disclosed in Tremlet) by the trusted entity, to signal the transaction is authenticated/approved, which can be a financial transaction, the transaction is authenticated by authenticating the electronic device using several multiple challenge-responses, thereby if the multiple challenge responses are verified, the financial transaction is authenticated because the electronic device has been verified).
Tremlet does not explicitly disclose sending a first challenge to a secure element in a mobile terminal and the secure element in the mobile terminal responding; the first challenge is based on a secure element identifier uniquely identifying the secure element, and does not explicitly disclose a first and second channel, where the second channel is different.
However, in analogous art Watson et al. discloses sending a first challenge to a secure element in a mobile terminal (Watson: para. 0024-0025, the P-SIM server sends the challenge to a secure element (i.e. P-SIM application residing in the protected memory on the SIM card)), the first challenge is based on a secure element identifier identifying the secure element of the mobile terminal (Watson: para. 0024-0025, 0033, first challenge initiated by the P-SIM server, the P-SIM application will respond by communicating with the mobile device’s operating system in order to obtain specific information which includes PLMN, MCC, MNC, these are secure element identifiers such as IMSI); and the secure element in the mobile terminal responding (Watson: para. 0010, 0024-0025, secure element (i.e. P-SIM application) in the mobile terminal (i.e. mobile device) responds to the challenge); and discloses a first and second channel (Watson: para. 0024, SMS messaging and TCP/IP based message).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include sending a first challenge to a secure element in a mobile terminal; the first challenge is based on a secure element identifier identifying the secure element of the mobile terminal, and the secure element in the mobile terminal responding of Watson with the system of Tremlet, the motivation is that the secure element (i.e. P-SIM application) receiving the first challenge and responding is a protective measure in that the P-SIM application resides on and is executed from memory on the SIM card in which messages emanating from devices other than the network operator cannot reach or penetrate the protected memory space unless they are routed through a message filter at the network operator (Watson: para. 0027).  
Further, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include a first and second channel, wherein the second channel is different of Watson with the system of Tremlet, the motivation is the SMS channel in which SMS messages are sent is an efficient manner of transmission, because SMS messages utilize fewer resources than the second channel which uses TCP/IP messaging (Watson: para. 0024).
Further, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include a processor-based controller that is independently accessible of Watson with the system of Tremlet that includes a secure element, the motivation is that this is a security measure in which the processor-based controller resides in memory that walls off and protects the memory of the mobile terminal (Watson: para. 0027).
Tremlet and Watson do not explicitly disclose a hardware identifier uniquely identifying the hardware of the mobile terminal.
However, analogous art of Landrok discloses challenge-response; and a hardware identifier uniquely identifying the hardware of the mobile terminal (Landrok: para. 0027, 0090, device ID (i.e. hardware identifier)).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include a hardware identifier uniquely identifying the hardware of the mobile terminal of Landrok with the system/method of Tremlet and Watson, the motivation is that using a hardware identifier ensures that the correct user device is verified based on the unique ID associated with the user device, thus this is a protective measure of the user device (Landrok: para. 0042).
Neither Tremlet, Watson, nor Landrok explicitly discloses that the challenge is based on the terminal fingerprint and information relating to the transaction.
However, analogous art of Ibrahim discloses a challenge, the challenge is based on a terminal fingerprint/device fingerprint and information relating to the transaction, which the Examiner asserts is the OTP, the one-time password is information relating to the transaction, and is used one time for a transaction (Ibrahim: para. 0024-0026, device fingerprint and OTP (i.e. information relating to the transaction)).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include challenge is based on the terminal fingerprint and information relating to the transaction of the system/method of Ibrahim with Tremlet, Watson, and Landrok, the motivation is that this establishes possession of a known device when used in communication (Ibrahim: para. 0023).
     As per claim 2, Tremlet, Watson, Landrok, and Ibrahim disclose the authentication system according to claim 1.     
     Watson further discloses wherein the first channel comprises a mobile phone network operator channel used to communicate securely with the secure element in the mobile terminal (Watson: para. 0024-0025, first channel comprises a mobile phone network operator channel, because the Examiner asserts that SMS requires a cellular network (i.e. mobile phone network operator) to perform SMS messaging (i.e. SMS), using SMS with the P-SIM application (secure element) in the mobile terminal (i.e. mobile device)).
     Same Motivation as claim 1 above. 
     As per claim 3, Tremlet, Watson, Landrok, and Ibrahim disclose the authentication system according to claim 1.  
     Watson further discloses wherein the second channel comprises the Internet (Watson: para. 0024, discloses message can take the form of TCP/IP based message, states “may also”, which the Examiner interprets to mean in addition to, which would include a second channel.  The Examiner asserts that the Internet works by using a protocol called TCP/IP, thus the second channel that uses TCP/IP is the Internet). 
     Same Motivation as claim 1 above.
     As per claim 4, Tremlet, Watson, Landrok, and Ibrahim disclose the authentication system according to claim 1. 
     Watson further discloses which is further configured, in relation to the first challenge: to retrieve a secure element identifier uniquely identifying the secure element in the mobile terminal (Watson: para. 0024-0025, 0033, in relation to the first challenge initiated by the P-SIM server, the P-SIM application will respond by communicating with the mobile device’s operating system in order to obtain specific information relating to the mobile device’s environment, which includes PLMN (public land mobile network) identifier code, MCC (mobile country code), and MNC (mobile network code) stored on the SIM card (i.e. secure element), these are secure element identifiers, IMSI); and to transmit the first challenge to the secure element via the first channel (Watson: para. 0024-0025, P-SIM server transmit the first challenge to the secure element (i.e. P-SIM application) via the first channel (i.e. SMS)).
          It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include which is configured, in relation to the first challenge: to retrieve a secure element identifier uniquely identifying the secure element in the mobile terminal; and to transmit the first challenge to the secure element via the first channel of Watson with the system of Tremlet, the motivation is only an authorized software application will be able to access the mobile phone’s based on the identifier that is unique to the mobile terminal, thus (Watson: 0019-0020).
     Tremlet and Watson do not explicitly disclose retrieve a hardware identifier uniquely identifying the hardware of the mobile terminal, and wherein the first response includes a terminal fingerprint and/or a password, wherein the terminal fingerprint includes the secure element identifier and the hardware identifier is generated in dependence on the secure element identifier and the hardware identifier, wherein the authentication system is further configured: to determine whether the received terminal fingerprint is correct in dependence upon the retrieved secure element identifier and hardware identifier and/or to determine whether the received password is correct in dependence upon a locally-generated or locally-held password.
     However, the analogous art of Landrok et al. discloses wherein retrieve a hardware identifier uniquely identifying the hardware of the mobile terminal (Landrok: para. 0090, 0096, 0113, 0140, retrieve a hardware identifier (i.e. device ID) to identify the hardware of the computing device, the device ID can be used retrieved in order to perform transactions) the first response includes a terminal fingerprint and/or a password (Landrok: para. 0042, the claim states “and/or” which the Examiner interprets as either one or both fingerprint and password, or fingerprint or password, Landrok discloses password, because Landrok discloses the first reply is a password (i.e. passcode/one-time password), the passcode is generated in response to the authentication challenge), wherein the terminal fingerprint includes the secure element identifier and the hardware identifier is generated in dependence on the secure element identifier and the hardware identifier, wherein the authentication system is further configured: to determine whether the received terminal fingerprint is correct in dependence upon the retrieved secure element identifier and hardware identifier and/or to determine whether the received password is correct in dependence upon a locally-generated or locally-held password (Landrok: para. 0042, 0102, determine if the passcodes/one-time password match, comparing the received passcode with the sent passcode, the server has the passcode stored in order to verify the response, thus the passcode is locally-held by the server). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include wherein retrieve a hardware identifier uniquely identifying the hardware of the mobile terminal; the first response includes a terminal fingerprint and/or a password; and wherein the terminal fingerprint includes the secure element identifier and the hardware identifier is generated in dependence on the secure element identifier and the hardware identifier, wherein the authentication system is further configured: to determine whether the received terminal fingerprint is correct in dependence upon the retrieved secure element identifier and hardware identifier and/or to determine whether the received password is correct in dependence upon a locally-generated or locally-held password of Landrok with Tremlet-Watson-Ibrahim, the motivation is that the system of Landrok is used to verify that the authentication challenge has been received by the correct user device (Landrok: para. 0042).
     As per claim 5, Tremlet, Watson, Landrok, and Ibrahim disclose the authentication system according to claim 1.
Tremlet further discloses the second challenge, and second response (Tremlet: See Fig. 2 illustrates Challenge 2, which is a second challenge, and second response, discloses the trusted entity may repeat the sequence of challenge-response authentication multiple times, the Examiner asserts this would include a second challenge, and second response).  
Tremlet, Watson, and Landrok do not explicitly disclose to transmit information relating to the transaction; wherein the response includes a password generated in dependence on a terminal fingerprint and at least some of the information relating to the transaction, and wherein the authentication system is further configured: to determine whether the received password is correct in dependence upon a locally-generated or locally-held password.
However, in analogous art of Ibrahim discloses to transmit information relating to the transaction (Ibrahim: para. 0024,  transmit information relating to the transaction, the seed OTP); wherein the response includes a password generated in dependence on a terminal fingerprint and at least some of the information relating to the transaction (Ibrahim: para. 0024-0026, response includes OTP generated in dependence of device fingerprint and seed OTP), and wherein the authentication system is configured: to determine whether the received password is correct in dependence upon a locally-generated or locally-held password (Ibrahim: para. 0028, backend (i.e. authentication system) determines if the received/response OTP is correct in dependence of the locally generated OTP).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include to transmit information relating to the transaction; wherein the response includes a password generated in dependence on a terminal fingerprint and at least some of the information relating to the transaction, and wherein the authentication system is configured: to determine whether the received password is correct in dependence upon a locally-generated or locally-held password of Ibrahim with the system of Tremlet, Watson, and Landrok, the motivation is that the system of Ibrahim improves user experience and increases security (Ibrahim: para. 0003-0004).
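The gated two-challenge flow recited in claim 1, with the claim 5 password check, can be sketched as follows. This is an added illustrative example, not code from the application or from Tremlet, Watson, Landrok, or Ibrahim; HMAC-SHA256, the provisioned per-component keys, the identifier values, and the channel labels are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def terminal_fingerprint(se_id: str, hw_id: str) -> bytes:
    """Fingerprint generated in dependence on both identifiers (claim 4 wording)."""
    return mac(b"terminal-fingerprint", se_id.encode(), hw_id.encode())


class SecureElement:
    """Answers challenge 1; reachable only over the operator channel (assumed)."""

    def __init__(self, se_id: str, key: bytes):
        self.se_id, self.key = se_id, key

    def respond(self, nonce: bytes) -> bytes:
        return mac(self.key, b"challenge-1", nonce, self.se_id.encode())


class Controller:
    """Answers challenge 2; reachable over the Internet channel (assumed)."""

    def __init__(self, se_id: str, hw_id: str, key: bytes):
        self.se_id, self.hw_id, self.key = se_id, hw_id, key

    def respond(self, nonce: bytes, txn: bytes) -> bytes:
        # Password depends on the terminal fingerprint and the transaction data.
        fp = terminal_fingerprint(self.se_id, self.hw_id)
        return mac(self.key, b"challenge-2", fp, nonce, txn)


class AuthSystem:
    """Server side: holds the enrolled record and logs which channel was used."""

    def __init__(self, record: dict):
        self.record = record
        self.sent = []  # (channel, challenge) pairs, in order

    def authenticate(self, secure_element, controller, txn: bytes) -> bool:
        rec = self.record
        # Challenge 1: fresh nonce to the secure element over the first channel.
        n1 = secrets.token_bytes(16)
        self.sent.append(("operator-sms", "challenge-1"))
        expected = mac(rec["se_key"], b"challenge-1", n1, rec["se_id"].encode())
        if not hmac.compare_digest(secure_element.respond(n1), expected):
            return False  # challenge 2 is never sent
        # Challenge 2: only after challenge 1 verified, over the second channel.
        n2 = secrets.token_bytes(16)
        self.sent.append(("internet-tcpip", "challenge-2"))
        fp = terminal_fingerprint(rec["se_id"], rec["hw_id"])
        # Locally generated password, compared in constant time.
        expected = mac(rec["ctl_key"], b"challenge-2", fp, n2, txn)
        return hmac.compare_digest(controller.respond(n2, txn), expected)


def run_scenarios() -> dict:
    """Constructed sample data: one enrolled terminal and three presented terminals."""
    se_key, ctl_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = {"se_id": "SE-0001", "hw_id": "HW-AAAA",
              "se_key": se_key, "ctl_key": ctl_key}
    txn = b"pay 25.00 EUR to merchant-42"
    scenarios = {
        "genuine": (SecureElement("SE-0001", se_key),
                    Controller("SE-0001", "HW-AAAA", ctl_key)),
        "wrong_secure_element": (SecureElement("SE-0001", secrets.token_bytes(32)),
                                 Controller("SE-0001", "HW-AAAA", ctl_key)),
        "se_in_other_hardware": (SecureElement("SE-0001", se_key),
                                 Controller("SE-0001", "HW-BBBB", ctl_key)),
    }
    results = {}
    for name, (se, ctl) in scenarios.items():
        server = AuthSystem(record)
        ok = server.authenticate(se, ctl, txn)
        results[name] = (ok, [channel for channel, _ in server.sent])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The channel log shows the gating: a failed first response stops the exchange before anything is sent on the second channel, and a valid secure element paired with different hardware fails at the fingerprint-bound second response.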
     As per claim 12, Tremlet discloses a mobile terminal for use in authenticating a transaction comprising a processor-based controller configured (Tremlet: See Fig. 1A, para. 0011, and 0044, an electronic device sends a request using a processor-based PUF (i.e. processor-based controller) to the trusted entity to authenticate (i.e. approve) a transaction): 
     in response to receiving a first challenge from an authentication system (Tremlet: See Fig. 1B, para. 0027, 0036, trusted entity #110 (i.e. authentication system) sends a first challenge to an electronic device #100, which is a mobile terminal, Tremlet discloses mobile device/terminal, such as a laptop computer, tablet, and cellular phone), to generate and transmit a first response to the authentication system (Tremlet: See para. 0027, Fig. 1B illustrates the electronic device #100 generates a response, and  sending a response to the trusted entity #110 (i.e. an authentication system), and the trusted entity receives the first response to the first challenge from the electronic device that generates the response (i.e. mobile terminal)); and 
     the processor-based controller configured: in response to receiving a second challenge from the authentication system (Tremlet: See Fig. 2 illustrates Challenge 2, which is a second challenge, and para. 0027, 0038-0039, discloses the trusted entity (i.e. authentication system) may repeat the sequence of challenge-response authentication multiple times, the Examiner asserts this would include a second challenge; and the trusted entity (i.e. authentication system) sending a second challenge to a processor-based controller (i.e. processor-based PUF (physically unclonable functions), which the Examiner asserts the PUF is the controller, the PUF provides the processor with a unique input, and then a plurality of responses are generated by the processor in response to a plurality of challenges based on the unique input provided by the PUF), to generate and transmit a second response to the authentication system (Tremlet: See Fig. 1A, and para. 0027, 0038-0039, discloses the challenge-response can be repeated multiple times, which would include a second response to the second challenge, which is generated, the second response is from the processor-based controller (i.e. processor-based PUF), and it is received by the trusted entity (i.e. authentication system), and discloses each multiple challenge, and each challenge can be associated with at least one response, thus this would include a second response from a second challenge; a plurality of responses which includes a second response is generated by the processor in response to plurality of challenges, thus including a second challenge based on the input of the PUF (i.e. controller); wherein the second challenge is sent in response to a determination by the authentication system that the first response is correct (Tremlet: para. 0014, 0029, 0052, a confirmation signal is issued to the electronic device upon authentication of the response, thus the Examiner asserts that for each response of a challenge, the challenge is confirmed).
     Tremlet does not explicitly disclose secure element configured in response to receiving a first challenge from an authentication system, and secure element generate and transmit a first response to the authentication system; wherein the first challenge is based on a secure element identifier uniquely identifying the secure element; and a first and second channel, where the second channel is different.  
     However, in analogous art Watson et al. discloses secure element configured in response to receiving a first challenge from an authentication system (Watson: para. 0024-0025, the P-SIM server (i.e. authentication system) sends the challenge to a secure element (i.e. P-SIM application residing in the protected memory on the SIM card), first challenge is based on a secure element identifier uniquely identifying the secure element (Watson: para. 0024-0025, 0033, first challenge initiated by the P-SIM server, the P-SIM application will respond by communicating with the mobile device’s operating system in order to obtain specific information which includes PLMN, MCC, MNC, these are secure element identifiers such as IMSI), and secure element generate and transmit a first response to the authentication system (Watson: para. 0010, 0024-0025, secure element (i.e. P-SIM application) in the mobile terminal (i.e. mobile device) generates and responds to the challenge); and discloses a first and second channel, and the second channel is different (Watson: para. 0024, SMS messaging and TCP/IP based message).
     It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include secure element configured in response to receiving a first challenge from an authentication system, the first challenge is based on a secure element identifier uniquely identifying the secure element, and secure element generate and transmit a first response to the authentication system of Watson with the system of Tremlet, Landrok, and Ibrahim, the motivation is that the secure element (i.e. P-SIM application) receiving the first challenge and responding is a protective measure in that the P-SIM application resides on and is executed from memory on the SIM card in which messages emanating from devices other than the network operator cannot reach or penetrate the protected memory space unless they are routed through a message filter at the network operator (Watson: para. 0027).
Further, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include a first and second channel, wherein the second channel is different of Watson with the system of Tremlet, Landrok, and Ibrahim, the motivation is the SMS channel in which SMS messages are sent is an efficient manner of transmission, because SMS messages utilize fewer resources than the second channel which uses TCP/IP messaging (Watson: para. 0024).
Further, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include a processor-based controller that is independently accessible of Watson with the system of Tremlet that includes a secure element, the motivation is that this is a security measure in which the processor-based controller resides in memory that walls off and protects the memory of the mobile terminal (Watson: para. 0027).
Tremlet and Watson do not explicitly disclose a hardware identifier uniquely identifying the hardware of the mobile terminal.
However, analogous art of Landrok discloses challenge-response; and a hardware identifier uniquely identifying the hardware of the mobile terminal (Landrok: para. 0027, 0090, device ID (i.e. hardware identifier)).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include a hardware identifier uniquely identifying the hardware of the mobile terminal of Landrok with the system/method of Tremlet and Watson, the motivation is that using a hardware identifier ensures that the correct user device is verified based on the unique ID associated with the user device, thus this is a protective measure of the user device (Landrok: para. 0042).
Tremlet, Watson, and Landrok do not explicitly disclose the challenge is based on the terminal fingerprint and information relating to the transaction.
However, analogous art of Ibrahim discloses a challenge, the challenge is based on a terminal fingerprint/device fingerprint and information relating to the transaction, which the Examiner asserts is the OTP, the one-time password is information relating to the transaction, and is used one time for a transaction (Ibrahim: para. 0024-0026, device fingerprint and OTP (i.e. information relating to the transaction)).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include challenge is based on the terminal fingerprint and information relating to the transaction of the system/method of Ibrahim with Tremlet, Watson, and Landrok, the motivation is that this establishes possession of a known device when used in communication (Ibrahim: para. 0023).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Tremlet (2014/0279532) in view of Watson et al (2012/0149330) in view of Landrok (2017/0364911), in view of Ibrahim (2017/0085558), and further in view of Teuwen et al. (2012/0131340).
As per claim 6, Tremlet, Watson, Landrok, and Ibrahim disclose the authentication system according to claim 1.
Tremlet, Watson, Landrok, and Ibrahim do not explicitly disclose wherein the second response is signed or encrypted with a key.
However, the analogous art of Teuwen discloses wherein the second response is signed or encrypted with a key (Teuwen: para. 0004, 0020, the second response is encrypted with a key).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include wherein the second response is encrypted with a key of Teuwen with the system of Tremlet, Watson, Landrok, and Ibrahim, the motivation is that the device can implement security by implementing encryption to protect the second response (Teuwen: para. 0024).

Claims 7, 10, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Tremlet (2014/0279532) in view of Watson et al (2012/0149330), in view of Landrok (2017/0364911), in view of Ibrahim (2017/0085558), and further in view of Brand et al (2011/0086616).
     As per claim 7, Tremlet, Watson, Landrok, and Ibrahim disclose the authentication system according to claim 1.
     Tremlet, Landrok, and Ibrahim do not explicitly disclose in an enrolment phase: to exchange data with the mobile terminal via the second channel to receive a terminal fingerprint of the mobile terminal via the second channel; and to exchange data with the mobile terminal via the first channel to determine the secure element identifier and the hardware identifier of the mobile terminal via the first channel.
     However, in analogous art Watson discloses and configured, in an enrolment phase (Watson: para. 0019, enrolment phase (i.e. registration)): to exchange data with the mobile terminal via the first channel so as to determine the secure element identifier via the first channel (Watson: para. 0019-0020, exchange data with the mobile terminal (i.e. mobile device) via the first channel, so as to determine the secure element identifier IMSI (International Mobile Subscriber Identity)(i.e. secure element identifier) via the first channel (i.e. UMTS network)).
     It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include configured, in an enrolment phase to exchange data with the mobile terminal via the first channel of Watson with the system of Tremlet, Landrok, and Ibrahim, the motivation is that this is a security measure that ensures that the IMSI of the mobile device is authenticated, thereby ensuring that the correct mobile device is registered (Watson: para. 0020).
    Tremlet, Watson, Landrok, and Ibrahim do not explicitly disclose exchange data with the mobile terminal so as to determine the hardware identifier of the mobile terminal; and configured, in an enrolment phase: to exchange data with the mobile terminal via the second channel so as to receive a terminal fingerprint of the mobile terminal via the second channel.
     However, in analogous art Brand discloses exchange data with the mobile terminal so as to determine the hardware identifier of the mobile terminal (Brand: para. 0027-0028, exchange data with the mobile terminal (i.e. mobile phone), data is exchanged with the server during enrolment, this includes IMEI (i.e. International Mobile Phone Equipment Identity number of the mobile phone, the Examiner asserts that the hardware identifier is the IMEI); and configured, in an enrolment phase: to exchange data with the mobile terminal via the second channel so as to receive a terminal fingerprint of the mobile terminal via the second channel (Brand: para. 0028-0030, enrolment to exchange data with the mobile phone via the second channel (i.e. GPRS) so as to receive a terminal fingerprint (i.e. digital fingerprint) of the mobile phone via the GPRS, which is the second channel).
     It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include exchange data with the mobile terminal so as to determine the hardware identifier of the mobile terminal; and configured, in an enrolment phase: to exchange data with the mobile terminal via the second channel so as to receive a terminal fingerprint of the mobile terminal via the second channel of Brand with the system of Tremlet, Watson, Landrok, and Ibrahim, the motivation is that determining a hardware identifier and enrolling a fingerprint is a security measure that ensures that the digital fingerprint has a one-to-one relation between the fingerprint and the mobile phone, thus only an authorized software application will be able to access the mobile phone’s fingerprint (Brand: para. 0028, 0039).
          As per claim 10, Tremlet, Watson, Landrok, Ibrahim, and Brand disclose the authentication system according to claim 7.  Landrok further discloses to transmit a password via the first channel and to receive a copy of the password via the second channel (Landrok: para. 0123-0124, first channel (i.e. Internet), transmit a passcode and receive a copy of the passcode via the second channel (i.e. SMS)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include to transmit a password via the first channel and to receive a copy of the password via the second channel of Landrok with the system/method of Tremlet, Watson, Ibrahim, and Brand, the motivation is that using the first and second channels reduces the possibility that the connection will be intercepted or interfered with (Landrok: para. 0038).


          As per claim 14, Tremlet, Watson, Landrok, Ibrahim, and Brand disclose a mobile terminal according to claim 12.
          Tremlet, Landrok, Ibrahim, and Brand do not explicitly disclose configured, in an enrolment phase: to exchange data with the authentication system via the second channel so as to provide a terminal fingerprint of the mobile terminal to the authentication system via the second channel; and to exchange data with the authentication system via the first channel so as to provide the secure element identifier and the hardware identifier of the mobile terminal to the authentication system via the first channel.
     However, in analogous art Watson discloses and configured, in an enrolment phase (Watson: para. 0019, enrolment phase (i.e. registration)): to exchange data with the authentication system via the first channel so as to provide the secure element identifier of the mobile terminal to the authentication system via the first channel (Watson: para. 0019-0020, exchange data with the mobile terminal (i.e. mobile device) via the first channel, so as to determine the secure element identifier IMSI (International Mobile Subscriber Identity)(i.e. secure element identifier) via the first channel (i.e. UMTS network)).
     It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include in an enrolment phase to exchange data with the authentication system via the first channel so as to provide the secure element identifier of the mobile terminal to the authentication system via the first channel of Watson with the system of Tremlet, Watson, Landrok, Ibrahim, and Brand, the motivation is that this is a security measure that ensures that the IMSI of the mobile device is authenticated, thereby ensuring that the correct mobile device is registered (Watson: para. 0020).
    Tremlet, Watson, Landrok, Ibrahim, and Brand do not explicitly disclose hardware identifier of the mobile terminal to the authentication system; and exchange data with the authentication system via the second channel so as to provide a terminal fingerprint of the mobile terminal to the authentication system via the second channel.
     However, in analogous art Brand discloses exchange data with the mobile terminal so as to determine the hardware identifier of the mobile terminal (Brand: para. 0027-0028, exchange data with the mobile terminal (i.e. mobile phone), data is exchanged with the server during enrolment, this includes IMEI (i.e. International Mobile Phone Equipment Identity number of the mobile phone, the Examiner asserts that the hardware identifier is the IMEI); and configured, in an enrolment phase: to exchange data with the mobile terminal via the second channel so as to receive a terminal fingerprint of the mobile terminal via the second channel (Brand: para. 0028-0030, enrolment to exchange data with the mobile phone via the second channel (i.e. GPRS) so as to receive a terminal fingerprint (i.e. digital fingerprint) of the mobile phone via the GPRS, which is the second channel).
     It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include exchange data with the mobile terminal so as to determine the hardware identifier of the mobile terminal; and configured, in an enrolment phase: to exchange data with the mobile terminal via the second channel so as to receive a terminal fingerprint of the mobile terminal via the second channel of Brand with the system of Tremlet, Watson, Landrok, and Ibrahim, the motivation is that determining a hardware identifier and enrolling a fingerprint is a security measure that ensures that the digital fingerprint has a one-to-one relation between the fingerprint and the mobile phone, thus only an authorized software application will be able to access the mobile phone’s fingerprint (Brand: para. 0028, 0039).
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Tremlet (2014/0279532) in view of Watson et al (2012/0149330), in view of Landrok (2017/0364911), in view of Ibrahim (2017/0085558), and in view of Brand et al (2011/0086616), and further in view of Aabye et al (8,601,266).
As per claim 9, Tremlet, Watson, Landrok, Ibrahim, and Brand do not explicitly disclose send a key (K2) to the mobile terminal via the first channel.
Aabye discloses send a key (K2) to the mobile terminal via the first channel (Aabye: col. 3, lines 10-34, and col. 12, lines 18-28, send a session key to the consumer device/mobile device (i.e. mobile terminal) via the first channel (i.e. secure channel)).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to include send a key (K2) to the mobile terminal via the first channel of Aabye with the system of Tremlet, Watson, Landrok, Ibrahim, and Brand, the motivation is to improve the security of information transferred to and from a mobile device (Aabye: col. 1, lines 46-52).
Claim Objections
Claim 11 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
6/3/2022
/J.E.J/Examiner, Art Unit 2439                                                                                                                                                                                                        

/KARI L SCHMIDT/Primary Examiner, Art Unit 2439