Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Instant application is a continuation of 15/878445, now U.S. Patent 10885220. In a preliminary amendment dated 11/30/2020, claims 1-12 were canceled. Claims 13-32 were newly added. Claims 13-32 have been examined.

Information Disclosure Statement
2.	The information disclosure statement (IDS) submitted on 10/19/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

3.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


4.	Claims 17 and 29 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 17 and 29 recite the limitation "the second database".  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 13, 15-18, 21, 23, 25, 27 and 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over Ito et al. (U.S. Patent Application Publication 2016/0261585; hereafter “Ito”), and further in view of Sharma et al. (U.S. Patent Application Publication 2013/0087620; hereafter “Sharma”), and further in view of Kayyidavazhiyil et al. (U.S. Patent 9,805,182; hereafter “Kayyidavazhiyil”).
	For claim 13, Ito teaches a method for authorizing access by a user to a digital asset of a first entity (note paragraph [0038], online service site), comprising:
	storing a unique device identifier indicative of a mobile device of the user in a database of a second entity (note paragraph [0036], S209, telephone number of authorized device is stored) that is independent from the first entity (note paragraph [0025], authenticating unit may be implemented in a separate server from authentication information management server);
	storing key data from an authentication key of an authentication tag in the database of the second entity (note paragraph [0026], S102 authentication information of random pattern on membership card is stored in the database), the authentication key including a first dataset comprised of a random distribution of elements, the authentication key uniquely identifying the user (note paragraph [0026], random pattern on membership card);
	providing the user with a physical object having the authentication tag (note paragraph [0026], membership card is delivered to the user) and authorizing only the mobile device having the unique device identifier to read the authentication key of the authentication tag (note paragraph [0042], only mobile device having terminal identification that is associated with authentication information is allowed to login);
	and
	determining if the scanned key data read by the mobile device matches the key data stored in the database of the second entity, and allowing access by the user to the digital asset only if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note paragraph [0042], authentication unit 24 uses authentication checking unit 24a to check authentication information and terminal checking unit 24b to check terminal identification; paragraph [0044], S304-S306, determination if authentication information and telephone number match stored values; login is allowed if information matches).

	Ito differs from the claimed invention in that they fail to teach:
	the authentication key including a first dataset comprised of a random distribution of three-dimensional elements and a second dataset comprised of machine-readable data elements

	Sharma teaches:
	the authentication key (note paragraphs [0030]-[0031], authentication of object) including a first dataset comprised of a random distribution of three-dimensional elements (note paragraph [0029], step 100 random distribution of three-dimensional elements on label) and a second dataset comprised of machine-readable data elements (note paragraph [0029], step 106, two-dimensional symbol encoded with address)


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the server login with a membership card of Ito and the label with two datasets of Sharma. It would have been obvious because a simple substitution of one known element (label with random 3D elements and 2D address code of Sharma) for another (card with random pattern of Ito) would yield the predictable results of a membership card used for user login (Ito) that has a label containing random 3D elements and a 2D code used as address (Sharma) where the user scans the label and sends the scan with their device ID for authentication.

	The combination of Ito and Sharma differs from the claimed invention in that they fail to teach:
	reading a session identification code provided by the first entity using the mobile device in response to the user requesting access to the digital asset , the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data;

	Kayyidavazhiyil teaches:
	reading a session identification code provided by the first entity using the mobile device (note column 6, lines 25-33, user scans pattern and extracts session identifier) in response to the user requesting access to the digital asset (note column 6, lines 8-18, server returns bar code encoded with session identifier), the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data (note column 6, lines 25-39, user to prompted to generate authentication key);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito and Sharma and the authentication session identifier of Kayyidavazhiyil to form a system that generates a session identification code (Kayyidavazhiyil) which prompts the user to create an authentication key message generated by scanning a membership card (Ito). One of ordinary skill would have been motivated to combine Ito, Sharma and Kayyidavazhiyil because it would allow the server to avoid confusing one authentication session with another and prevent a fraudster from gaining access to the protected resource by trying to time an access attempt with the access attempt of a legitimate user (note column 7, lines 10-20 of Kayyidavazhiyil).


	For claim 23, the combination of Ito, Sharma and Kayyidavazhiyil teaches a system for authorizing access by a user to a digital asset, the user utilizing a mobile device with a unique device identifier, comprising:
	a first entity possessing the digital asset (note paragraph [0038] of Ito, online service site);
	a second entity independent from the first entity (note paragraph [0025] of Ito, authenticating unit may be implemented in a separate server from authentication information management server) that stores the unique device identifier of the mobile device (note paragraph [0036] of Ito, S209, telephone number of authorized device is stored) and stores key data from an authentication key of an authentication tag in a database (note paragraph [0026] of Ito, S102 authentication information of random pattern on membership card is stored in the database), the authentication key including a first dataset comprised of a random distribution of three-dimensional elements (note paragraph [0029] of Sharma, step 100 random distribution of three-dimensional elements on label) and a second dataset comprised of machine-readable data elements (note paragraph [0029] of Sharma, step 106, two-dimensional symbol encoded with address), the authentication key uniquely identifying the user (note paragraph [0026] of Ito, random pattern on membership card);
	a physical object having the authentication tag with the authentication key (note paragraph [0026], membership card is delivered to the user), the authentication key capable of only being read by the mobile device having the unique device identifier (note paragraph [0042] of Ito, only mobile device having terminal identification that is associated with authentication information is allowed to login); and
	a computing device independent from the mobile device (note column 5, lines 48-50 of Kayyidavazhiyil, client device), the computing device displaying a session identification code provided by the first entity in response to the user requesting access to the digital asset through the computing device (note column 6, lines 8-18 of Kayyidavazhiyil, server returns bar code encoded with session identifier), the first entity prompting the user to read the authentication key to generate scanned key data (note paragraph [0043] of Ito, S301 camera captures random pattern image for login operation) upon the mobile device reading the session identification code (note column 6, lines 25-39 of Kayyidavazhiyil, user to prompted to generate authentication key), the first entity allowing access by the user to the digital asset only if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note paragraph [0042] of Ito, authentication unit 24 uses authentication checking unit 24a to check authentication information and terminal checking unit 24b to check terminal identification; paragraph [0044], S304-S306, determination if authentication information and telephone number match stored values; login is allowed if information matches).


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the server login with a membership card of Ito and the label with two datasets of Sharma. It would have been obvious because a simple substitution of one known element (label with random 3D elements and 2D address code of Sharma) for another (card with random pattern of Ito) would yield the predictable results of a membership card used for user login (Ito) that has a label containing random 3D elements and a 2D code used as address (Sharma) where the user scans the label and sends the scan with their device ID for authentication.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito and Sharma and the authentication session identifier of Kayyidavazhiyil to form a system that generates a session identification code (Kayyidavazhiyil) which prompts the user to create an authentication key message generated by scanning a membership card (Ito). One of ordinary skill would have been motivated to combine Ito, Sharma and Kayyidavazhiyil because it would allow the server to avoid confusing one authentication session with another and prevent a fraudster from gaining access to the protected resource by trying to time an access attempt with the access attempt of a legitimate user (note column 7, lines 10-20 of Kayyidavazhiyil).

	
	For claims 15 and 25, the combination of Ito, Sharma and Kayyidavazhiyil teaches claims 13 and 23, wherein the reading the authentication key of the authentication tag is performed by configuring the mobile device as a portable, handheld, image capture device (note paragraphs [0023] and [0031] of Ito, portable personal computer camera; paragraph [0025] of Sharma, portable image capture device), and by aiming the image capture device at the authentication tag to capture return light from the three-dimensional elements (note paragraph [0042] of Sharma, capture return light from 3D elements).

	For claim 16, the combination of Ito, Sharma and Kayyidavazhiyil teaches claim 13, further comprising: registering a name of the user with the first entity when the scanned key data matches the key data stored in the database (note paragraph [0042] of Ito, when authentication information matches, user is logged in to the online service site, i.e. registering a name of the user).

	For claims 17 and 29, the combination of Ito, Sharma and Kayyidavazhiyil teaches claims 13 and 23, wherein the mobile device is authorized to read the authentication key of the authentication tag by comparing a device identifier of the mobile device with the unique device identifier stored in the second database upon the mobile device reading the session identification code (note paragraphs [0020] and [0029] of Sharma, authentication pattern is stored in a remote database where second dataset serves as an address identifier).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the server login with a membership card of Ito and the label with two datasets of Sharma. It would have been obvious because combining prior art elements (authentication with a membership card of Ito; label with two datasets of Sharma) according to known methods would yield the predictable results of a membership card used for user login (Ito) that has a label containing random 3D elements and a 2D code used as address (Sharma) where the user scans the label and sends the scan with their device ID for authentication.


	For claims 18 and 30, the combination of Ito, Sharma and Kayyidavazhiyil teaches claims 13 and 23, wherein the machine-readable data elements of the second dataset are encoded in at least one Radio Frequency Identification (RFID) chip (note paragraph [0024] of Sharma, RFID tag).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the server login with a membership card of Ito and the label with two datasets of Sharma. It would have been obvious because combining prior art elements (authentication with a membership card of Ito; RFID label with two datasets of Sharma) according to known methods would yield the predictable results of a membership card used for user login (Ito) that has an RFID label containing random 3D elements and a 2D code used as address (Sharma) where the user scans the label and sends the scan with their device ID for authentication.


	For claims 21 and 27, the combination of Ito, Sharma and Kayyidavazhiyil teaches claims 13 and 23, wherein the session identification code includes a plurality of session parameters that are captured by the mobile device in response to an access request (note column 6, lines 8-18 of Kayyidavazhiyil, server returns bar code encoded with user identifier, session identifier and other data).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito and Sharma and the authentication session identifier of Kayyidavazhiyil to form a system that generates a session identification code (Kayyidavazhiyil) which prompts the user to create an authentication key message generated by scanning a membership card (Ito). One of ordinary skill would have been motivated to combine Ito, Sharma and Kayyidavazhiyil because it would allow the server to avoid confusing one authentication session with another and prevent a fraudster from gaining access to the protected resource by trying to time an access attempt with the access attempt of a legitimate user (note column 7, lines 10-20 of Kayyidavazhiyil).


6.	Claims 14 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Ito, Sharma and Kayyidavazhiyil as applied to claims 13 and 23 above, and further in view of Cha et al. (U.S. Patent Application Publication 2013/0174241; hereafter “Cha”).
	For claims 14 and 24, the combination of Ito, Sharma and Kayyidavazhiyil teaches claims 13 and 23, further comprising: receiving, from the user, a user name to the first entity prior to the first entity providing the session identification code to the user (note column 5, line 65 through column 6, line 2 of Kayyidavazhiyil, user provides user identifier to the server).

	The combination of Ito, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	receiving, from the user, a user name and password to the first entity.

	Cha teaches:
	receiving, from the user, a user name and password to the first entity (note paragraph [0048], user provides user credentials including user identifier and password).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito, Sharma and Kayyidavazhiyil and the receiving user credentials including user identifier and password before redirection to another server of Cha. It would have been obvious because combining prior art elements (user provides identifier to receive session identification of Kayyidavazhiyil; user provides user identifier and password before redirection and a session of Cha) according to known methods would yield the predictable results of a membership card used for user login (Ito) where the user provides user credentials to the asset server to receive a session identifier (Kayyidavazhiyil) where the user credentials include both a user identifier and password (Cha).



7.	Claims 19 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Ito, Sharma and Kayyidavazhiyil as applied to claims 13 and 23 above, and further in view of Nolan (U.S. Patent 10,026,078).
	For claim 19, the combination of Ito, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	further comprising: displaying a plurality of icons indicative of at least one of a card, a service, an asset on the mobile device, and activating a selected icon when the scanned key data matches the key data stored in the database of the second entity.

	Nolan teaches:
	further comprising: displaying a plurality of icons indicative of at least one of a card, a service, an asset on the mobile device, and activating a selected icon when the scanned key data matches the key data stored in the database of the second entity (note column 4, lines 36-44, selection buttons for different accounts after user authentication).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito, Sharma and Kayyidavazhiyil and the account icons of Nolan. It would have been obvious because a simple substitution of one known element (allowing authorized user to access icons for different accounts of Nolan) for another (allowing authorized user to online service of Ito) would yield the predictable results of allowing authorized users to access to their private data.


	For claim 26, the combination of Ito, Sharma, Kayyidavazhiyil and Nolan teaches claim 23, wherein the physical object comprises a storage medium  that stores the authentication key (note column 3, lines 44-56 of Nolan, user card has memory that stores user data) that can only being accessed by the mobile device having the unique device identifier (note column 4, lines 26-29 and column 14, lines 49-55 of Nolan, card functions only work when user’s mobile device, i.e. unique device identifier, is in proximity).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito, Sharma and Kayyidavazhiyil and user card with storage for private user data of Nolan. It would have been obvious because combining prior art elements (user authentication using card encoded with key of Ito and Kayyidavazhiyil; user data stored in a memory of a card of Nolan) according to known methods would yield the predictable results of a membership card with an authentication key used for user login (Ito and Kayyidavazhiyil) where the key is retrieved from card memory when the user mobile device is in proximity (Nolan).



8.	Claims 20 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Ito, Sharma and Kayyidavazhiyil as applied to claims 13 and 23 above, and further in view of Tuukkanen (U.S. Patent Application Publication 2016/0286396).
	For claims 20 and 31, the combination of Ito, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	further comprising: storing a second unique device identifier indicative of a second mobile device of a second user in the database and determining if the scanned key data read by both the mobile device and the second mobile device matches the key data stored in the database of the second entity; and allowing the user to access the digital asset only if the scanned key data read by both the mobile device and the second mobile device matches the key data stored in the database of the second entity.

	Tuukkanen teaches:
	further comprising: storing a second unique device identifier indicative of a second mobile device of a second user in the database (note paragraphs [0031]-[0032], at least two user devices are required for a security operation) and determining if the scanned key data read by both the mobile device and the second mobile device matches the key data stored in the database of the second entity (note paragraphs [0034], [0041], [0043] and [0050], at least two devices provide security information); and allowing the user to access the digital asset only if the scanned key data read by both the mobile device and the second mobile device matches the key data stored in the database of the second entity (note paragraphs [0034], [0041], [0043] and [0050], authentication is granted when at least two devices provide security information).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito, Sharma and Kayyidavazhiyil and the additional device providing authentication information of Tuukkanen. It would have been obvious because combining prior art elements (authentication using scan code and device ID of the combination of Ito, Sharma and Kayyidavazhiyil and authentication requiring at least two devices of Tuukkanen) according to known methods would yield the predictable results of requiring two user devices (Tuukkanen) to scan the authentication key and provide the code and their device ID for authentication (the combination of Ito, Sharma and Kayyidavazhiyil).


9.	Claims 22 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Ito, Sharma and Kayyidavazhiyil as applied to claims 21 and 27 above, and further in view of Arceo (U.S. Patent Application Publication 2012/0330769).


	For claims 22 and 28, the combination of Ito, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	wherein at least one of the plurality of session parameters comprises geolocation coordinates of the mobile device.

	Arceo teaches:
	wherein at least one of the plurality of session parameters comprises geolocation coordinates of the mobile device (note paragraphs [0251]-[0259] and [0268]-[0272], transaction identifier is only valid in certain location and during certain times).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito, Sharma and Kayyidavazhiyil and transaction identifier (i.e. session code) with time and geographic expirations of Arceo. One of ordinary skill would have been motivated to combine Ito, Sharma, Kayyidavazhiyil and Arceo because having expirations for the session codes would reduce fraud/theft (note paragraph [0251] of Arceo).


10.	Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Ito, Sharma and Kayyidavazhiyil as applied to claim 23 above, and further in view of Wu et al. (U.S. Patent Application Publication 2004/0035925; hereafter “Wu”).
	For claim 32, the combination of Ito, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	wherein additional key data from an additional authentication key of the authentication tag that uniquely identifies the physical object is stored in the database, the first entity allowing access by the user to the digital asset only if scanned additional key data read by the mobile device matches the additional key data stored in the database.

	Wu teaches:
	wherein additional key data from an additional authentication key of the authentication tag that uniquely identifies the physical object (note paragraphs [0022] and [0024], multiple barcodes are used) is stored in the database (note paragraph [0011], data is stored in log file and image file), the first entity allowing access by the user to the digital asset only if scanned additional key data read by the mobile device matches the additional key data stored in the database (note Fig. 6 and paragraph [0028], barcodes are scanned and validated).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Ito, Sharma and Kayyidavazhiyil and the multiple barcodes of Wu. It would have been obvious because combining prior art elements (authentication using scan code and device ID of the combination of Ito, Sharma and Kayyidavazhiyil and scanning multiple codes of Wu) according to known methods would yield the predictable results of requiring multiple codes to be scanned (Wu) to provide multiple codes and their device IDs for authentication (the combination of Ito, Sharma and Kayyidavazhiyil).


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

11.	Claims 13-32 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-10 of U.S. Patent No. 10,192,084 in view of Ito, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu. 
	For claim 13, 10,192,084 teaches a method for authorizing access by a user to a digital asset of a first entity, comprising:
	storing key data from an authentication key of an authentication tag in the database of the second entity (note claim 1, “storing key data…”), the authentication key including a first dataset comprised of a random distribution of three-dimensional elements and a second dataset comprised of machine-readable data elements, the authentication key uniquely identifying the user (note claim 1, “configuring each tag…”);
	providing the user with a physical object having the authentication tag and authorizing only the mobile device having the unique device identifier to read the authentication key of the authentication tag;
	reading a session identification code provided by the first entity using the mobile device in response to the user requesting access to the digital asset, the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data (note claim 1, “reading the datasets…”); and
	determining if the scanned key data read by the mobile device matches the key data stored in the database of the second entity, and allowing access by the user to the digital asset only if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note claim 1, “determining…”).

10,192,084 differs from the claimed invention in that they fail to teach: 
	storing a unique device identifier indicative of a mobile device of the user in a database of a second entity that is independent from the first entity;

	Ito teaches:
	storing a unique device identifier indicative of a mobile device of the user in a database of a second entity that is independent from the first entity	(note paragraph [0036], S209, telephone number of authorized device is stored)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication method of 10,192,084 and the stored device IDs of Ito. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of identifying authorized devices for reading authentication keys.

	The combination of 10,192,084 and Ito differs from the claimed invention in that they fail to teach:
	reading a session identification code provided by the first entity using the mobile device in response to the user requesting access to the digital asset , the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data;

	Kayyidavazhiyil teaches:
	reading a session identification code provided by the first entity using the mobile device (note column 6, lines 25-33, user scans pattern and extracts session identifier) in response to the user requesting access to the digital asset (note column 6, lines 8-18, server returns bar code encoded with session identifier), the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data (note column 6, lines 25-39, user to prompted to generate authentication key);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of 10,192,084 and Ito and the authentication session identifier of Kayyidavazhiyil to form a system that generates a session identification code (Kayyidavazhiyil) which prompts the user to create an authentication key message generated by scanning a membership card (Ito). One of ordinary skill would have been motivated to combine 10,192,084 and Ito and Kayyidavazhiyil because it would allow the server to avoid confusing one authentication session with another and prevent a fraudster from gaining access to the protected resource by trying to time an access attempt with the access attempt of a legitimate user (note column 7, lines 10-20 of Kayyidavazhiyil).

For claims 14-32, 10,192,084 similarly teaches authentication tags and where 10,192,084 fails to disclose the details, Ito, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu teach the claims as shown above.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication method of 10,192,084 and the stored device IDs of Ito, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of identifying authorized devices for reading authentication keys.


12.	Claims 13-32 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-10 of U.S. Patent No. 10,885,220 in view of Ito, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu. 
	For claim 13, 10,885,220 teaches a method for authorizing access by a user to a digital asset of a first entity, comprising:
	storing a unique device identifier indicative of a mobile device of the user in a database of a second entity that is independent from the first entity (note claim 1, “…wherein the hardware identifier indicative of the mobile device is previously stored in the database of the authentication server…”;
	storing key data from an authentication key of an authentication tag in the database of the second entity (note claim 1, “…wherein the key data indicative of the authentication tag and the user is previously stored in a database of an authentication server…”, the authentication key including a first dataset comprised of a random distribution of three-dimensional elements and a second dataset comprised of machine-readable data elements, the authentication key uniquely identifying the user (note claim 1, “…the authentication tag being configured with a first dataset comprised of a random distribution of three-dimensional elements and with a second dataset comprised of machine-readable data elements, the first and second datasets together comprising an authentication key…”;
	providing the user with a physical object having the authentication tag (note claim 1, “…an authentication tag associated with the user and applied to a physical object accessible to the user…”) and authorizing only the mobile device having the unique device identifier to read the authentication key of the authentication tag (note claim 1, “…the authorized mobile device to read the authentication key with the reading device in response to a prompt; communicating, by the app, the read authentication key, the read session ID, and the hardware identifier to the authentication server…”);
	reading a session identification code provided by the first entity using the mobile device in response to the user requesting access to the digital asset (note claim 1, “…the webpage displaying a machine-readable code corresponding to a unique session ID…”, the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data (note claim 1, “…accessing a reading device of the mobile device associated with the user…”; and
	determining if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note claim 1, “…based on the authentication server determining that the read authentication key matches the stored key data and that the sent hardware identifier matches the stored hardware identifier…”), and allowing access by the user to the digital asset only if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note claim 1, “…accessing the website, in the browser, as a logged-in user based on browser redirection by the webpage with a token corresponding to the information selected by the user…”).

For claims 14-32, 10,885,220 similarly teaches authentication tags and where 10,192,084 fails to disclose the details, Ito, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu teach the claims as shown above.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication method of 10,885,220 and the stored device IDs of Ito, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of identifying authorized devices for reading authentication keys.

Conclusion
13.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hon et al. (U.S. Patent Application Publication 2017/0324729) teaches a session ID (note paragraph [0128]) and scanning a QR code (note paragraph [0142]).

14.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711. The examiner can normally be reached 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/David J Pearson/Primary Examiner, Art Unit 2438