DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Response to Amendments
This communication is in response to the amendments filed on 22 May 2022:
	Claims 1 and 3 are amended.
	Claims 1-4 are pending.


Response to Arguments
In response to Applicant’s remarks filed on 22 May 2022:
a.	Applicant’s arguments that Allison does not disclose or imply a configuration for the second authentication that generates and transmits authentication information that is difficult to predict with data stored in the first device after the first authentication has passed has been fully considered but is deemed moot in view of the new grounds of rejection presented in this Office Action.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 1-4 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the application regards as the invention.

	Regarding claims 1 and 3, it is unclear due to the lack of antecedent basis for “the second user device” as to which apparatus the second user device is referring to. The claims are therefore rendered indefinite. The Examiner suggests amending “the second user device” to read “the second user apparatus.”

	Regarding claims 2 and 4, it is unclear due to similar deficiencies of the above-mentioned claims by virtue of being dependent on a rejected claim. Appropriate corrections are required. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-4 are rejected under 35 U.S.C. 103 as being unpatentable over Allinson et al. (U.S. Patent 9,887,991), hereinafter Allinson, in view of LAWRENCE et al. (U.S. PGPub. 2016/0292447), hereinafter Lawrence. 

	Regarding claim 1, Allinson teaches An authentication apparatus comprising:
	a memory (Allinson, Column 4, Lines 53 – 58, see “The server 104 may comprise one or more processors 210 that process instructions. The one or more processors 210 may optionally include a plurality of cores…and/or one or more layers of local cache memory”); and
	at least one processor (Allinson, Column 4, Lines 53 – 54, “The server 104 may comprise one or more processors 210 that process instructions”);
	the processor is configured,
	if there is a login request at a first user apparatus that does not enter a password, and a message corresponding to the login request is received at a second user apparatus that is another terminal of an user (Allinson, Abstract, see “Responsive to the user attempting to access the service through the second device, a login interface may be displayed on the first device”, where “first device” is being read as a first user apparatus and where “second device” is being read as a second user apparatus) (Allinson, Column 7, Lines 45 – 54, see “The user may register the first device by requesting a verification code from the service, such as from a service login management component associated with the service…The service login management component may send the verification code to the second device”, where “verification code” is being read as a message corresponding to the login request which is received at a second user apparatus (second device) that is another terminal of an user),
	to perform the user’s approval of the message as a first authentication that confirms that the user is occupying the second user apparatus at the time the login request is executed (Allinson, Abstract, see “Responsive to the user attempting to access the service through the second device, a login interface may be displayed on the first device. The user may confirm or deny that the user wants to log into the service on the second device, thus allowing the user to seamlessly log into the service on the second device (e.g., without entering a password) while mitigating unauthorized logins into the service from unknown devices”, where “The user may confirm or deny that the user wants to log into the service on the second device…” is being read as performing the user’s approval of the message as a first authentication that confirms that the user is occupying the second user apparatus at the time the login request is executed), and
	to perform, according to a result of the first authentication, a process of transmitting information for a second authentication to be used for the second authentication for determining the approval of the login request through the second user apparatus in response to the login request (Allinson, Column 8, Lines 38 – 50, see “The first device may display a login interface. The login interface may offer an option to authenticate the request (e.g., the user may indicate that the user wants to log the second device into the service) or deny the request (e.g., the user may indicate that the user does not want to log the second device into the service). Responsive to the user authentication the request, a login user authorization notification may be generated. The login user authorization notification may be encrypted using the encryption key to create an encrypted login user authorization notification. The encrypted login user authorization notification may be sent to the service login management component”, where “Responsive to the user authentication to the request” is being read as the result of the first authentication, where “encrypted login user authorization notification may be sent to the service login management component” is being read as transmitting an information for a second authentication to be used for the second authentication for determining the approval of the login request through the second user apparatus in response to the login request),
	wherein the user’s approval of the message for the first authentication and the information for the second authentication are not input to the first user apparatus, the information for the second authentication is not stored on the first user apparatus (Allinson, Column 8, Lines 38 – 50, see “The first device may display a login interface. The login interface may offer an option to authenticate the request (e.g., the user may indicate that the user wants to log the second device into the service) or deny the request (e.g., the user may indicate that the user does not want to log the second device into the service). Responsive to the user authenticating the request, a login user authorization notification may be generated…The encrypted login user authorization notification may be sent to the service login management component”, where “The login interface may offer an option to authenticate the request…or deny the request” is being read as the information for the first authentication, which is being outputted by the first user apparatus (not inputted) and where “The encrypted login user authorization notification” is being read as the information for the second authentication, which is outputted by the first user apparatus (not inputted) to the service login management component),
	wherein the authentication apparatus is included in the second user apparatus, or is connected to the second user apparatus (Allinson, FIG. 6A, see “SECOND DEVICE 612” which is being read as the second user apparatus and see “SERVICE LOGIN MANAGEMENT COMPONENT 610” which is being read as the authentication apparatus are connected to each other);
	
	Allinson does not teach the following limitation(s) as taught by Lawrence: wherein the information for the second authentication is generated not as information stored in the second user device, but as information that is difficult to predict through data stored in the second user device at the time of approval of the login request (Lawrence, Paragraph [0048], see “…the data service 120 may perform most or all operations on data and encryption keys (e.g., encrypting the data, assembling user keys, generating a device ID, decrypting data and data keys, etc.) without storing the data or encryption keys, for example in a separate database or memory…most or all operations may be performed on streaming data/keys, to further reduce any security breach and to reduce memory requirements of the data service 120…”) (Lawrence, Paragraph [0049], see “…one or more user keys may be generated upon registration by a client device 105, and associated with the client device 105/account in the user/device database 145. The user keys may be stored in an un-assembled or un-compiled state, such as a combination of system keys and associated ordered pairs. In this way, any breach of data security of the user/device database 145 will not yield the needed user keys that are operable to decrypt the data keys…After the system keys and the ordered pairs have been generated…an associated user key may be assembled or compiled via process 625 using the system keys and ordered pairs…one or more user keys may be generated or assembled periodically (e.g., every time the client device 105 logins into the data service 120), upon reception of a request to store or retrieve data, randomly, or in response to some other trigger event”, where “user keys” is analogous to the information for authentication being information that is difficult to predict through data stored in the user device, due to the user keys being generated or assembled through data stored (system keys and the ordered pairs) in the user device for authentication purposes). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for facilitation of service login, disclosed of Allinson, by implementing techniques for multi-layered encryption, comprising the information for the authentication being generated as information that is difficult to predict through data stored in the user device, disclosed of Lawrence.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for authentication, comprising the information for the authentication being generated as information that is difficult to predict through data stored in the user device. This allows for better security management by utilizing information that is difficult to predict through data stored in the user device for authentication purposes, which further reduces any security breach of the information. Lawrence is deemed as analogous art due to the art disclosing techniques for utilizing information that is difficult to predict through data stored in the user device for authentication purposes (Lawrence, Paragraph [0048 – [0049]). 

	Regarding claim 2, Allinson as modified by Lawrence teaches The authentication apparatus of claim 1,
	when usage information of the second user apparatus is changed by a use of the second user apparatus initiated from the second user apparatus or a use of the second user apparatus due to external factors, or the usage information is changed by combining the use of the second user apparatus initiated from the second user apparatus with the use of the second user apparatus due to the external factors, specifying the changed information according to a predetermined criterion and updates an authentication source pool by adding the changed information to the authentication source pool (Allinson, Column 12, Lines 15 – 23, see “a registration of the first device 702 (e.g., a mobile phone device) may be maintained within a key ring account for the user. Responsive to receiving a phone number change request, the registration may be modified based upon the phone number change request. In this way, the user may maintain a registration of the mobile phone device, as being registered to authenticate the user for accessing the service from another device, even though the user may change a phone number of the mobile phone device”, where “Responsive to receiving a phone number change request, the registration may be modified based upon the phone number change request” is being read as usage information of the second apparatus being changed due to external factors, where “phone number change request” is being read as the external factors and where “the registration may be modified based upon the phone number change request” is being read as specifying the changed information according to a predetermined criterion and updating the authentication source pool (registration list) by adding the changed information for the authentication source pool),
	wherein the information for the second authentication is generated based on the authentication source pool (Allinson, Column 8, Lines 38 – 50, see “The first device may display a login interface. The login interface may offer an option to authenticate the request (e.g., the user may indicate that the user wants to log the second device into the service) or deny the request (e.g., the user may indicate that the user does not want to log the second device into the service). Responsive to the user authentication the request, a login user authorization notification may be generated. The login user authorization notification may be encrypted using the encryption key to create an encrypted login user authorization notification. The encrypted login user authorization notification may be sent to the service login management component”, where “Responsive to the user authentication to the request” is being read as the result of the first authentication, where “encrypted login user authorization notification may be sent to the service login management component” is being read as the information for the second authentication, which is generated based on the authentication source pool (which is being read as a list of authorized devices that are previously registered) and can be modified and/or updated through a phone number change request),
	wherein the authentication source pool is a database that collects the changed information (Allinson, FIG. 6A, see “SERVICE LOGIN MANAGEMENT COMPONENT 610” which is being read as the authentication source pool being a database that collects the changed information), 
	and the database is in the second user apparatus, wherein the authentication apparatus is included in the second user apparatus, or is connected to the second user apparatus (Allinson, FIG. 6A, see “SECOND DEVICE 612” which is being read as the second user apparatus and see “SERVICE LOGIN MANAGEMENT COMPONENT 610” which is being read as the authentication apparatus are connected to each other). 

	Regarding claim 3, Allinson teaches An authentication method by an authentication apparatus, the method comprising:
	if there is a login request at a first user apparatus that does not enter a password, and a message corresponding to the login request is received at a second user apparatus that is another terminal of an user (Allinson, Abstract, see “Responsive to the user attempting to access the service through the second device, a login interface may be displayed on the first device”, where “first device” is being read as a first user apparatus and where “second device” is being read as a second user apparatus) (Allinson, Column 7, Lines 45 – 54, see “The user may register the first device by requesting a verification code from the service, such as from a service login management component associated with the service…The service login management component may send the verification code to the second device”, where “verification code” is being read as a message corresponding to the login request which is received at a second user apparatus (second device) that is another terminal of an user),
	performing the user’s approval of the message as a first authentication that confirms that the user is occupying the second user apparatus at the time the login request is executed (Allinson, Abstract, see “Responsive to the user attempting to access the service through the second device, a login interface may be displayed on the first device. The user may confirm or deny that the user wants to log into the service on the second device, thus allowing the user to seamlessly log into the service on the second device (e.g., without entering a password) while mitigating unauthorized logins into the service from unknown devices”, where “The user may confirm or deny that the user wants to log into the service on the second device…” is being read as performing the user’s approval of the message as a first authentication that confirms that the user is occupying the second user apparatus at the time the login request is executed), and
	performing, according to a result of the first authentication, a process of transmitting an information for a second authentication to be used for the second authentication for determining the approval of the login request through the second user apparatus in response to the login request (Allinson, Column 8, Lines 38 – 50, see “The first device may display a login interface. The login interface may offer an option to authenticate the request (e.g., the user may indicate that the user wants to log the second device into the service) or deny the request (e.g., the user may indicate that the user does not want to log the second device into the service). Responsive to the user authentication the request, a login user authorization notification may be generated. The login user authorization notification may be encrypted using the encryption key to create an encrypted login user authorization notification. The encrypted login user authorization notification may be sent to the service login management component”, where “Responsive to the user authentication to the request” is being read as the result of the first authentication, where “encrypted login user authorization notification may be sent to the service login management component” is being read as transmitting an information for a second authentication to be used for the second authentication for determining the approval of the login request through the second user apparatus in response to the login request), 
	wherein the user’s approval of the message for the first authentication and the information for the second authentication are not input to the first user apparatus (Allinson, Column 8, Lines 38 – 50, see “The first device may display a login interface. The login interface may offer an option to authenticate the request (e.g., the user may indicate that the user wants to log the second device into the service) or deny the request (e.g., the user may indicate that the user does not want to log the second device into the service). Responsive to the user authenticating the request, a login user authorization notification may be generated…The encrypted login user authorization notification may be sent to the service login management component”, where “The login interface may offer an option to authenticate the request…or deny the request” is being read as the information for the first authentication, which is being outputted by the first user apparatus (not inputted) and where “The encrypted login user authorization notification” is being read as the information for the second authentication, which is outputted by the first user apparatus (not inputted) to the service login management component), the information for the second authentication is not stored on the first user apparatus, 
	wherein the authentication apparatus is included in the second user apparatus, or is connected to the second user apparatus (Allinson, FIG. 6A, see “SECOND DEVICE 612” which is being read as the second user apparatus and see “SERVICE LOGIN MANAGEMENT COMPONENT 610” which is being read as the authentication apparatus are connected to each other),
	wherein the information for the second authentication is generated not as information stored in the second user device, but as information that is difficult to predict through data stored in the second user device at the time of approval of the login request. 
	Allinson does not teach the following limitation(s) as taught by Lawrence: wherein the information for the second authentication is generated not as information stored in the second user device, but as information that is difficult to predict through data stored in the second user device at the time of approval of the login request (Lawrence, Paragraph [0048], see “…the data service 120 may perform most or all operations on data and encryption keys (e.g., encrypting the data, assembling user keys, generating a device ID, decrypting data and data keys, etc.) without storing the data or encryption keys, for example in a separate database or memory…most or all operations may be performed on streaming data/keys, to further reduce any security breach and to reduce memory requirements of the data service 120…”) (Lawrence, Paragraph [0049], see “…one or more user keys may be generated upon registration by a client device 105, and associated with the client device 105/account in the user/device database 145. The user keys may be stored in an un-assembled or un-compiled state, such as a combination of system keys and associated ordered pairs. In this way, any breach of data security of the user/device database 145 will not yield the needed user keys that are operable to decrypt the data keys…After the system keys and the ordered pairs have been generated…an associated user key may be assembled or compiled via process 625 using the system keys and ordered pairs…one or more user keys may be generated or assembled periodically (e.g., every time the client device 105 logins into the data service 120), upon reception of a request to store or retrieve data, randomly, or in response to some other trigger event”, where “user keys” is analogous to the information for authentication being information that is difficult to predict through data stored in the user device, due to the user keys being generated or assembled through data stored (system keys and the ordered pairs) in the user device for authentication purposes). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for facilitation of service login, disclosed of Allinson, by implementing techniques for multi-layered encryption, comprising the information for the authentication being generated as information that is difficult to predict through data stored in the user device, disclosed of Lawrence.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for authentication, comprising the information for the authentication being generated as information that is difficult to predict through data stored in the user device. This allows for better security management by utilizing information that is difficult to predict through data stored in the user device for authentication purposes, which further reduces any security breach of the information. Lawrence is deemed as analogous art due to the art disclosing techniques for utilizing information that is difficult to predict through data stored in the user device for authentication purposes (Lawrence, Paragraph [0048 – [0049]). 

	Regarding claim 4, Allinson as modified by Lawrence teaches The authentication method of claim 3, the method further comprising:
	when usage information of the second user apparatus is changed by a use of the second user apparatus initiated from the second user apparatus or a use of the second user apparatus due to external factors, or the usage information is changed by combining the use of the second user apparatus initiated from the second user apparatus with the use of the second user apparatus due to the external factors, specifying the changed information according to a predetermined criterion, and updating an authentication source pool by adding the changed information to the authentication source pool (Allinson, Column 12, Lines 15 – 23, see “a registration of the first device 702 (e.g., a mobile phone device) may be maintained within a key ring account for the user. Responsive to receiving a phone number change request, the registration may be modified based upon the phone number change request. In this way, the user may maintain a registration of the mobile phone device, as being registered to authenticate the user for accessing the service from another device, even though the user may change a phone number of the mobile phone device”, where “Responsive to receiving a phone number change request, the registration may be modified based upon the phone number change request” is being read as usage information of the second apparatus being changed due to external factors, where “phone number change request” is being read as the external factors and where “the registration may be modified based upon the phone number change request” is being read as specifying the changed information according to a predetermined criterion and updating the authentication source pool (registration list) by adding the changed information for the authentication source pool),
	wherein the information for the second authentication is generated based on the authentication source pool (Allinson, Column 8, Lines 38 – 50, see “The first device may display a login interface. The login interface may offer an option to authenticate the request (e.g., the user may indicate that the user wants to log the second device into the service) or deny the request (e.g., the user may indicate that the user does not want to log the second device into the service). Responsive to the user authentication the request, a login user authorization notification may be generated. The login user authorization notification may be encrypted using the encryption key to create an encrypted login user authorization notification. The encrypted login user authorization notification may be sent to the service login management component”, where “Responsive to the user authentication to the request” is being read as the result of the first authentication, where “encrypted login user authorization notification may be sent to the service login management component” is being read as the information for the second authentication, which is generated based on the authentication source pool (which is being read as a list of authorized devices that are previously registered) and can be modified and/or updated through a phone number change request),
	wherein the authentication source pool is a database that collects the changed information (Allinson, FIG. 6A, see “SERVICE LOGIN MANAGEMENT COMPONENT 610” which is being read as the authentication source pool being a database that collects the changed information), and
	the database is in the second user apparatus, wherein the authentication apparatus is included in the second user apparatus, or is connected to the second user apparatus (Allinson, FIG. 6A, see “SECOND DEVICE 612” which is being read as the second user apparatus and see “SERVICE LOGIN MANAGEMENT COMPONENT 610” which is being read as the authentication apparatus are connected to each other).



Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office Action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
	A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on (571) 272-3951.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/R.A.M./Examiner, Art Unit 2499                                                                                                                                                                                                        /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499