otice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-19 have been examined.

Priority
Acknowledgment is made of applicant's claim for priority based on the US provisional application 62/945,712 filed on 12/9/19.

Information Disclosure Statement
The examiner reviewed IDS document(s) on 6/3/21 and 5/12/21, carefully considering the art cited within the document(s).

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 

Claim(s) 2-6 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
The limitations are replete with the phrases “is to further” which introduces the element of ambiguity.  For example, reading the limitation of claim 3:
“… where to receive the first piece of data the processor is to further: receive a phone number as the first piece of data from a user device requesting access to the transaction processing system” 
leaves a reader guessing whether the phrase “is to further” should be treated as “comprising” or whether the limitation requires “… receiving phone number …” and, if so, how does the receipt of the first piece of data the processor further receive a phone number …, which raises the issue of essential elements/step missing in the claim.
Reviewing applicant’s specification and claims 17-18, it appears that the term is used as equivalent to “comprising”.  However, applicant should clarify the claim language.  Note that once understood, the limitations may be subject to the 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph rejection (e.g. missing essential steps/elements) and/or 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph rejection (written description).

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


This rejection under 35 U.S.C. 103 might be overcome by: (1) a showing under 37 CFR 1.130(a) that the subject matter disclosed in the reference was obtained directly or indirectly from the inventor or a joint inventor of this application and is thus not prior art in accordance with  35 U.S.C. 102(b)(2)(A); (2) a showing under 37 CFR 1.130(b) of a prior public disclosure under 35 U.S.C. 102(b)(2)(B); or (3) a statement pursuant to 35 U.S.C. 102(b)(2)(C) establishing that, not later than the effective filing date of the claimed invention, the subject matter disclosed and the claimed invention were either owned by the same person or subject to an obligation of assignment to the same person or subject to a joint research agreement.  See generally MPEP § 706.02(l)(1) and § 706.02(l)(2).  

Claim(s) 1-2, 5-6, 8-9 and 19-20 is/are rejected under 35 U.S.C. 103 unpatentable over Wallace (USPUB 20180337917) in view of Sim (USPUB 20200026939).
As per claims 1-2, 5 and 19-20, Wallace teaches an adaptive user authentication system, comprising: one or more data storage devices, the one or more data storage devices to storing user authentication data, and one or more processors, the one or more processors executing machine-readable instructions stored in the at least one storage device medium (see Fig. 1 and the associated text) to: receive a user authentication signal for initiating an adaptive user authentication process, the user authentication process enabling a user employing a user device to access a transaction processing system upon authentication (in response to an access request from a user the user provided with authentication requirements specifying verification information, para 40), trigger a first authentication step, the first authentication step triggered based on the user authentication signal, the first authentication step being from a sequence of authentication steps to be executed during the adaptive user authentication process; request a first piece of data from the user as part of the first authentication step; the first piece of data comprising the user identifier, verify the first piece of data received from the user (The initial request results in the authentication of the user credentials (where the user provides login/password) in an initial authentication, para 73); determine that at least a second authentication step from the sequence of authentication steps is to be executed for authenticating the user, where determining that at least the second authentication step from the sequence of authentication steps to be executed is based on at least on the authentication of the user at the first authentication step; execute the second authentication step, where the second authentication step includes: receiving an image of the user, the image of the user captured at a time of execution of the second authentication step; determining that the received image is captured at the time of execution of the second authentication step including determining a time of image capture; and determine if the time of image capture coincides with the time of the execution of the second authentication step as obtained from temporal data of a user device (identification image/the liveness identification image… capture time when the verified identification image and the liveness identification image were capture by the user system, the authentication requirement include a required time period.  The authentication requirements are met when the verified identification image and the liveness identification image are both captured at the time that falls within the required time period, e.g. within 5 min after the user has required authentication, para 14, 41, 54, 72-73 etc.); compare the received image with a known image of an authenticated user retrieved from the user authentication data (verification of identification image and/or the liveness identification image, para 43), the image being a still or live video (the identification image could be photo or a video, para 71) and providing a result of the second authentication step based at least on the determining that the received image is captured at the time of execution of the second authentication step (the user biometric (information from the verification identification image and/or the liveness identification image) may be compared to other use information that the organization has in order to authenticate the user, para 41-43). 
The difference between Wallace and the claim language is that the prior art stops at the second authentication step (biometric authentication).  The biometric authentication is not followed by another, a third authentication step when the last user authentication fails (user is not authenticated at the second/biometric authentication step). However, a skilled in the art would readily appreciate that such solution, if not implicit (e.g. computing systems routinely permit another authentication attempt in case where the initial failure of authentication occurs), it would have been obvious to one of ordinary skill in the art before the effective filling date of the invention as illustrated by Sim (the system may offer various biometric authentication, e.g. fingerprint, voice, iris, etc.  Different biometric authentication executed in case the first biometric authentication failure para 123, 128-129, etc.), and it would have been obvious to include known solutions as discussed above to Wallace invention given the predicable benefit of customization and usability.
Allowing the user to access the transaction processing system upon successful execution of the third authentication step would have been implicit.  Clearly, there would be no point of authentication if the user was prevented from access in case of successful authentication.
Claim(s) 3-4 is/are rejected under 35 U.S.C. 103 unpatentable over Wallace (USPUB 20180337917) in view of Sim (USPUB 20200026939) and further in view of Cambell (USPUB 20080307220) and further in view of Timmins (USPUB 20040058710) and Mumm (USPUB 20090025071)
Wallace as modified teaches the first authentication followed by the second authentication, the first authentication including the user login/identifier.
Wallace as modified does not teach user’s login/identifier being a phone number.  However, Timmins suggests such solution (e.g. para 113).  Furthermore, even if a particular type of login/identifier was needed it is noted that the difference would only be found in the nonfunctional descriptive material and are not functionally involved in the steps recited.  The authentication would be performed the same regardless of the data identifier of the user.   Thus, this descriptive material will not distinguish the claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filling date of the invention to use any type of data, including known type of data such as a phone number taught by Timmins given because the particular type of login/identifier would not patentably distinguish the claimed invention while offering the predictable benefit of customization.
However, Wallace as modified does not teach the failure of the first authentication, that clearly would be a result of incorrect match of the first authentication data, including the user login/identifier such as phone number, being followed by the second authentication.  However, such solution would have been obvious to one of ordinary skill in the art before the effective filling date of the invention as illustrated by Mumm (if the first authentication fails the user will be informed about the failure after the second authentication that the user would still have to go through to ensure limited feedback to potential attackers, para 58) given the benefit of increased security.
Claim(s) 13 and 15-16, 18 is/are rejected under 35 U.S.C. 103 unpatentable over Wallace (USPUB 20180337917) in view of Sim (USPUB 20200026939), Cambell (USPUB 20080307220) or, in the alternative Griffin (USPN 10154029) and further in view of Timmins (USPUB 20040058710).
Wallace as modified teaches triggering an adaptive authentication process for authenticating the user access a transaction processing system as discussed above.
Wallace as modified does not teach the authentication is based on calculating a risk score associated with a request received from a user to access transaction receiving a request from the user. However, in related art Cambell (if token times out or expires the user may be prompted to enter a user name/password, para 60) or Griffin (an authenticator receives a user identifier and a message. The authentication uses the user identifier to determine if the claimed identity of the message sender is one that requires authentication, col. 13 lines 8-10) teaches such solution.  It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to include known solutions as taught by Cambell or Griffin given the benefit of usability and increased security.
As per claim 15, Wallace teaches the first authentication include the authentication using a login and password; thus, evaluating the result of the authentication indicating failure as a result of comparing them with stored predetermined value would have been implicit.  Even if Wallace did not contemplate such solution, Official Notice is taken that comparing user login/identifier and password to stored predetermined/registered value would have been old and well known in the art of computing before the effective filing date of the invention while providing the predictable benefit of customization and securing access to resources.  As per term “clear”, given no specific limited definition of the term, the examiner equates the term to completion of the first authentication step and, as a result, determining whether there is match ending the authentication step would meet the limitation of “clear[ring]” the authentication step.
As per claim 16, in the broadest reasonable interpretation the password provided with the user identification would meet the limitation of PIN.  However, Official Notice is also taken that using credentials that includes PIN would have been old and well known in the art of computing before the effective filing date of the invention while providing the predictable benefit of customization and securing access to resources.
Similarly, as noted above in regard to claim 3, using a phone number as a user login/identifier would have been obvious well-known variant to one of ordinary skill in the art before the effective filling date of the invention offering the benefit of customization.
Furthermore, even if a particular type of identifier or credentials provided with the identifier was needed it is noted that these differences would only be found in the nonfunctional descriptive material and are not functionally involved in the steps recited.  The authentication would be performed the same regardless of the data identifier or type of passcode (password/PIN) of the user.   Thus, this descriptive material will not distinguish the claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994). 
As per claim 18, allowing or preventing user access based on the success/failure of the third authentication would have been implicit.  As per generating an alert in case of failure, the examiner asserts that the limitation if not inherent, would have been at least implicit.  Applicant did not provide any restricted definition of the alert and clearly the process terminating sending the result of the authentication to other processes could be interpreted as an alert.  Furthermore, Official Notice is taken that generating an alert (when considering a different type of interpretation) based on the failure of authentication would have been old and well-known obvious variant in the art of computer security before the effective filling date of the invention (e.g. user notification of authentication failure, logging the failure in a log or alert sent to an administrator) while offering the predictable benefit of initiating the proper response.
Claim(s) 17 is/are rejected under 35 U.S.C. 103 unpatentable over Wallace (USPUB 20180337917) in view of Sim (USPUB 20200026939) and Cambell (USPUB 20080307220) or, in the alternative Griffin (USPN 10154029), and further in view of Mumm (USPUB 20090025071).
Wallace as modified does not teach the failure of the first authentication, that clearly would be a result of incorrect match of the first authentication data, including the user login/identifier such as phone number, being followed by the second authentication.  However, such solution would have been obvious to one of ordinary skill in the art before the effective filling date of the invention as illustrated by Mumm (if the first authentication fails the user will be informed about the failure after the second authentication that the user would still have to go through to ensure limited feedback to potential attackers, para 58) given the benefit of increased security.

Conclusion

Allowable Subject Matter
Claims 10-12 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peter Poltorak whose telephone number is (571) 272-3840.  The examiner can normally be reached Monday through Thursday from 9:00 a.m. to 5:00 p.m. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/PIOTR POLTORAK/Primary Examiner, Art Unit 2433