Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 03/21/2022.
In the instant Amendment, no claims have been added or cancelled; claims 1, 3-4,  7-8, 11-12 have been amended; and claims 1, 8, and 11 are independent claims. Claims 1-14 have been examined and are pending. This Action is made Final
Response to Arguments
Applicants’ arguments with respect to claims 1-14 have been considered but are moot in view of the new grounds of rejection, which were necessitated by amendment. 
The rejection of claims 1-2, 4, 8 and 11 under 35 USC. 102 is withdrawn as the claims have been amended.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 8 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Avetisov et al. (U.S Publication US 20200067907 A1; Hereinafter "Avetisov") in view of Nguyen (U.S. Publication 10725768 B1; Hereinafter "Nguyen").
	Regarding claim 1, Avetisov teaches a computer-implemented method for use in managing user identities, the method comprising: after receiving the API call request for the credential, authenticating, by the communication device, the user (Avetisov: Para [0197] “the user may be prompted to authenticate with the mobile device 101, such as by providing user credential values processed within the TEE to determine an authentication result for the user within the TEE”);
after authentication of the user, generating, by the communication device, via the SDK, a private-public key pair and storing the private key in memory of the communication device (Avetisov: Para [00229] “in response to a request for a secure session, the TEE 103 may generate a private and public key, and pass the public key to the authentication application 120 by which the application 120 may encrypt a generated identifier 221 to pass to the TEE 103”, ”para [0211] “ a private key stored within the TEE” );
compiling, by the communication device, via the SDK, a credential packet including the public key and identity data associated with the user (Avetisov: Para [0235] figure 3 “The authentication application 120 receives data output from the TEE 103, which may include representations of credentials, signed data corresponding to those representations, and signature key (e.g., a public key) for verifying signed data output by the TEE 103”);and	transmitting the credential packet to the relying party (Avetisov: Para [0235] & Para [0237] “The data and signed data are provided to the authentication application 120, which transmits the data and signed data to a server for authentication”) whereby the relying party is registered to the SDK to request assertions from the SDK of an identity of the user (Avetisov: Para[0081], [0196] “An example SDK may be used by application 225 developers to incorporate functionality (e.g., similar to that of an authentication application) affording interoperability with the identity management system within the application. Such functionality may include one or more modules or computer program code for exchanging data with a TEE of a mobile device 101 over a secure channel,”).
Avetisov does not explicitly teach based on an interaction between a browser of a communication device and a website of a relying party, receiving, at a software development kit (SDK) in the communication device, an application programing interface (API) call request for a credential of a user from a computing device of the relying party, the communication device including an application of an application provider, the application incorporating the SDK a software development kit (SDK), the user associated with the communication device and identified in the API call requests the application different from the browser, and the application provider separate and different than the relying party.
However, in an analogous art, Nguyen teaches based on an interaction between a browser of a communication device (device 100) and a website of a relying party (vendor’s server 106) (Nguyen: fig. 1, column 4 line 47-55 , “For data security between the client application and the Vendor's server, the Vendor's server is a secured web server that only allows secured connection from the client application, the Update Process 102.”), receiving, at a software development kit (SDK) in the communication device, an application programing interface (API) call request for a credential of a user from a computing device of the relying party , the communication device including an application (application 101) of an application provider, the application incorporating the SDK a software development kit (SDK), the user associated with the communication device and identified in the API call requests the application different from the browser, and the application provider separate and different than the relying party (Nguyen: column 6 line 32-54“a user invokes an application in a mobile device, on a separated thread, an Update Process start up to automatically check for new software update, in step 175. The Update Process retrieves all available network connections in a mobile device, in step 176. Then, it would retrieve signal strengths of all available networks in a mobile device, in step 177. For example, in a Window mobile device, available network adapters can be determine by using GetAdaptersInfo function in IPHelper APIs of Window Mobile SDK.”, “The Update Process can use RegistryNotifyCallback function in Windows Mobile SDK to get notified when the registry value change and to retrieve the values from different connected network.”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filling date of the claimed invention, for the application of Avetisov to have been updated in the manner described in Ngyuen in order to ensure that installed applications are up to date with fixes as suggested by Ngyuen (Col. 1, lines 12-14). 
	Regarding claim 2, Avetisov in view of Nguyen teaches the independent claim 1. Avetisov additionally teaches authenticating the user includes: soliciting, by the communication device, a biometric from the user (Avetisov: Para [0211] “In response to obtaining a notification for processing, an authentication application 220 may interface with a TEE of the mobile device 101 to prompt the user to authenticate with the mobile device 101, such as by biometric authentication or entering credential values like a passcode, pin, or other values.);
and verifying, by the communication device, a captured biometric for the user to a reference biometric associated with the user (Para[0211 “the TEE may analyze the biometric values supplied by the user to determine whether the supplied biometric values are indicative of the user who established representations of those values within the TEE”). 
Regarding claim 4, Avetisov in view of Nguyen teaches the independent claim 1. Avetisov teaches after transmitting the credential packet: receiving, at the communication device, from the relying party, an API call request for an assertion of the identity of the user (Avetisov :Para [0259]-[0261] “In some cases, the process 600 is executed by one or more computing nodes 100 of the decentralized data store or a server 155, 245, though embodiments are not limited to that implementation,” “the process 600 includes receiving, with one or more processors, an authentication request 602 to verify based on on-blockchain records. On-blockchain records may include user identity records and authentication records”  “An example request may include one or more credentials, which may be representations of credentials, identifiers of records to access, which may be addresses of those records, and signed data as proof of secret knowledge for asserting ownership of a Net ID, such as a net ID established by a user identity record on a blockchain.”);
after receiving the API call request for the assertion, authenticating, by the communication device, the user (Avetisov :Para[0157], [0263] “a notification may be generated and transmitted to the user to provide additional credentials satisfying the criteria, which may be obtained 610 and verified against the criteria 606” );
after authentication of the user, compiling, by the communication device, via the SDK, an assertion packet including another attestation from the SDK regarding authentication of the user, wherein the assertion packet is signed with the private key stored in the memory of the communication device (Avetisov :Para [0263], [0265] “the process may continue to step 616, which may include the publication of a record of the authentication result for the request and the criteria by which the request was authenticated. In some embodiments, a token is generated and included in the authentication record” “For example, the signed data may include a token of the prior authentication record signed by a private key of the user and verifiable by a public key of the user.”); and
transmitting the assertion packet to the relying party, whereby the assertion packet permits the relying party to [[of]] verify the identity of the user (Avetisov :Para[0265] “Step 616 may also include a return of authorization of the authentication request, which may be provided as authentication results for publication or other result response, depending on the embodiment.” Para [0267] “a relying party server may permit a client device access to a secure asset based on those results derived from user authentication”).
Regarding claim 8, Claim 8 is rejected under the same rational as claim 1.
Regarding claim 11, claim 11 is rejected under similar rational as claim 4 

Claims 3 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Avetisov et al. (U.S Publication US 20200067907 A1) in view of Nguyen (U.S. Publication 10725768 B1; Hereinafter "Nguyen"), and further in view of Raleigh et al. (W.O. Publication 2013112642 A2; Hereinafter "Raleigh").
Regarding claim 3, Avetisov in view of Nguyen teaches the dependent claim 2.
Avetisov additionally teaches wherein the credential packet further includes an attestation of the Identity user from the SDK (Para [0235] “the authentication application 120 receives data output from the TEE 103, which may include representations of credentials, signed data corresponding to those representations, and signature key (e.g., a public key) for verifying signed data output by the TEE 103”);
Avetisov in view of Nguyen does not explicitly teach wherein the credential packet is signed by the private key.
However, in an analogous art, Raleigh teaches wherein the credential packet is signed by the private key (Raleigh: Para[ 001808 -001813] “each MCC/MNC pair uniquely identifying the mobile operator and which the mobile operator then uses along with a device serial number (and/or other unique device or user identifying information) to create an IMSI. The mobile operator associates the IMSI with a private key and a private key algorithm definition created (or selected) by the mobile operator”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filling date of the claimed invention, for the credential packet of Avetisov to have been updated in the manner described in Raleigh in order to improve the security of the system and protect it from tampering activities (Raleigh: para [01349]).
Regarding claim 9, claim 9 is rejected under similar rational as claim 3.
Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over  Avetisov et al. (U.S Publication US 20200067907 A1; Hereinafter "Avetisov"),  in view of Nguyen (U.S. Publication 10725768 B1; Hereinafter "Nguyen"),  and further in view of Neuman et al. (U.S. Publication US 9742763 B2; Hereinafter "Neuman").
Regarding claim 5, Avetisov in view of Nguyen teaches the dependent claim 4. 
Avetisov in view of Nguyen does not explicitly teach wherein the assertion packet further includes the identity data associated with the user.
However, in an analogous art, Neuman teaches wherein the assertion packet further includes the identity data associated with the user (Neuman: column 22 line 25-37 “The Qapp then sends the full authentication packet back to the Qserver 306. Including: The Qsid—The session ID. The user id, Qid, is embedded in the communication certificate and can be obtained by the Qserver based on the client-authenticated SSL connection. In different embodiments, the Qid could be unique per user/Provider pair or could be unique per Qapp installation. The Qsid and Qliveness signed by the User's certificate for the specific Provider. The raw biometric data (for example the jpg image of their face or hand)”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filling date of the claimed invention, for the assertion package of Avetisov to have been updated in the manner described in Neuman in order to improve the security of the system and protect it from phishing attacks (Neuman: Column 16 line 13-16).
	Regarding claim 6, Avetisov in view of Nguyen teaches the independent claim 1. 
Avetisov in view of Nguyen does not explicitly teach wherein the identity data includes at least a name and an address associated with the user; and wherein the API call request for the credential includes a phone number associated with the communication device.
However, in an analogous art, Neuman teaches wherein the identity data includes at least a name and an address associated with the user (Neuman: Column 24 line 18- 21 “The present invention allows the user to create one or more "Identities", for example business and personnel identities 806. Each Identity has a set of data for example name, e-mail address, mailing address, etc.”); and
wherein the API call request for the credential includes a phone number associated with the communication device (Neuman: Column 13 line 10-25 “An identifier 902 is supplied to the browser and uniquely identifies the mobile device's software application. The identifier could be a unique value per user like a phone number or user name.”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filling date of the claimed invention, for the identity of data of Avetisov to have been updated in the manner described in Neuman in order to improve the security of the system and protect it from phishing attacks (Neuman: Column 16 line 13-16).
Claims 7 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over  Avetisov et al. (U.S Publication US 20200067907 A1; Hereinafter "Avetisov") in view of Nguyen (U.S. Publication 10725768 B1; Hereinafter "Nguyen"), and further in view of Gailloux et al. (U.S. Publication US 10791461 B1; Hereinafter "Gailloux").
	Regarding claim 7, Avetisov in view of Nguyen teaches the independent claim 1. 
Avetisov in view of Nguyen does not explicitly teach wherein the application provider is a banking institution; wherein the application includes a banking application; and wherein the user is associated with an account issued by the banking institution, whereby the application is usable to access information about the account; 
However, in an analogous art, Gailloux teaches wherein the application provider is a banking institution (Gailloux: column 13 line 42- 46 “The third party may be a server computer that executes an application related to the third party, for example a web server that mediates access to confidential information or provides an interface to complete financial transactions such as payment transactions or banking transactions.”);
wherein the application includes a banking application (Gailloux: Column 4 line 58-61  “The authenticator server application is configured to provide an application programming interface (API) that can be invoked by third parties such as electronic commerce payment brokers, financial institutions such as banks, healthcare or medical providers”); and 
wherein the user is associated with an account issued by the banking institution, whereby the application is usable to access information about the account (Gailloux: Column 13 line 11-21 “for example requesting the user to input further corroborating information. …..For example, like authenticator processes can be supported for banking account transactions, for example for looking at bank balances, for depositing checks, for transferring money between accounts.”);
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filling date of the claimed invention, for the application provider of Avetisov to have been updated in the manner described in Gailloux in order to secure access to confidential information associated with electronic commerce (Gailloux: column 13 line 16-18).
Regarding claim 12, claim 12 is rejected under similar rational as claim 7.
Regarding claim 13, Avetisov in view of Nguyen, and further in view of Gailloux teaches the dependent claim 12.
Avetisov additionally teaches wherein the executable instructions, when executed by the at least one processor, further cause the at least one processor to: solicit a biometric from the user; (Para [0211] “In response to obtaining a notification for processing, an authentication application 220 may interface with a TEE of the mobile device 101 to prompt the user to authenticate with the mobile device 101, such as by biometric authentication or entering credential values like a passcode, pin, or other values.); and
verify a captured biometric for the user to a reference biometric associated with the user (Para[0211 “the TEE may analyze the biometric values supplied by the user to determine whether the supplied biometric values are indicative of the user who established representations of those values within the TEE”). 
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over  Avetisov et al. (U.S Publication US 20200067907 A1; Hereinafter "Avetisov"),  in view of Nguyen (U.S. Publication 10725768 B1; Hereinafter "Nguyen"),  in view of Raleigh et al. (W.O. Publication 2013112642 A2; Hereinafter "Raleigh") and further in view of Neuman et al. (U.S. Publication US 9742763 B2; Hereinafter "Neuman").
Regarding claim 10, Avetisov in view of Nguyen, and further in view of Raleigh teaches the dependent claim 9. 
Avetisov in view of Nguyen, and further in view of Raleigh does not explicitly teach wherein the identity data includes at least a name and an address associated with the user; and wherein the API call request for the credential includes a phone number associated with the communication device.
However, in an analogous art, Neuman teaches wherein the identity data includes at least a name and an address associated with the user (Neuman:	Column 24 line 18- 21 “The present invention allows the user to create one or more "Identities", for example business and personnel identities 806. Each Identity has a set of data for example name, e-mail address, mailing address, etc.”); and
wherein the API call request for the credential includes a phone number associated with the communication device (Neuman: Column 13 line 10-25 “An identifier 902 is supplied to the browser and uniquely identifies the mobile device's software application. The identifier could be a unique value per user like a phone number or user name.”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filling date of the claimed invention, for the identity of data of Avetisov to have been updated in the manner described in Neuman in order to improve the security of the system and protect it from phishing attacks (Neuman: Column 16 line 13-16).
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Avetisov et al. (U.S Publication US 20200067907 A1; Hereinafter "Avetisov") in view of Nguyen (U.S. Publication 10725768 B1; Hereinafter "Nguyen"), in view of Gailloux et al. (U.S. Publication US 10791461 B1; Hereinafter "Gailloux") and further in view of Neuman et al. (U.S. Publication US 9742763 B2; Hereinafter "Neuman").
Regarding claim 14, Avetisov in view of Nguyen and further in view of Gailloux teaches the dependent claim 13.
Avetisov in view of Nguyen and further in view of Gailloux does not explicitly teach wherein the assertion packet further includes the identity data associated with the user.
However, in an analogous art, Neuman teaches wherein the assertion packet further includes the identity data associated with the user (Neuman: column 22 line 25-37 “The Qapp then sends the full authentication packet back to the Qserver 306. Including: The Qsid—The session ID. The user id, Qid, is embedded in the communication certificate and can be obtained by the Qserver based on the client-authenticated SSL connection. In different embodiments, the Qid could be unique per user/Provider pair or could be unique per Qapp installation. The Qsid and Qliveness signed by the User's certificate for the specific Provider. The raw biometric data (for example the jpg image of their face or hand)”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filling date of the claimed invention, for the assertion packet of Avetisov to have been updated in the manner described in Neuman in order to improve the security of the system and protect it from phishing attacks (Neuman: Column 16 line 13-16).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LYDIA L NOEL whose telephone number is (571)272-1628. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272 - 4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/L.L.N./
Examiner, Art Unit 2437                                                                                                                                                                                            

/BENJAMIN E LANIER/Primary Examiner, Art Unit 2437