DETAILED ACTION
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the communication dated on 2/9/2021.
Claims 1-20 have been canceled.
Claims 21-40 are pending for consideration.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/25/2021 and 7/16/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities: The parent application, 16/676794, has been patented, see paragraph 001 of the Applicant’s disclosure.  Therefore, it is required to update the parent application to its current status.  
Appropriate correction is required.
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 31-39 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claimed invention does not direct to any concrete thing consisting of parts or devices.  
claim 31 recites a system comprising a database and an authentication server.  The specification as originally filed fails to set forth the metes and bounds of what is meant to be encompassed by the terms “database” and “authentication server”.  As such, it is reasonable to interpret the terms “database” and “authentication server” as software per se.  Thus, the system being claimed is software per se which does not fall under any of the statutory categories defined under § 101.  Software per se is not a useful process, a machine, a manufacture, or a composition of matter.  Therefore, claim 31 and its dependent claims 32-39 are directed towards non-statutory subject matter.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10904236.  Although the claims at issue are not identical, they are not patentably distinct from each other because both applications disclose a common subject matter such as a computer-implemented method is provided for verifying user authentication.  An authentication game may be selected for the user based on the user category.  A game result may be received from the network server device.  Based on the comparing, the authentication server may determine whether the game play results match the expected game play results. When the game play results match the expected game play results, the login request may be approved.  
Furthermore, Examiner notes that each and every limitation of the instant claims appear to be substantially anticipated by the corresponding claims of the patent application.
Therefore, Examiner respectfully submits that the instant claims and the claims of the patent application are not directed to patentably distinct inventions; thus, properly rejected on the grounds of nonstatutory double patenting, as further outlined below.

Instant Application 17156931
Patent Application 10904236
Claim 21:
A method for verifying user authentication, the method comprising: 

receiving, by an authentication server device, a login request; 






selecting, by the authentication server device, an authentication game; 

sending, by the authentication server device, the authentication game to a network server device over a network for interaction with a user; 





receiving, by the authentication server device, a game result from the network server device, wherein the game result includes data representing game play results from the interaction of the user with the authentication game including data pertaining to one or more of game play speed or reaction time; 





comparing, by the authentication server device, the data representing the game play results with one or more expected game play results; and 

based on the comparison, determining a response to the login request.
Claim 1:
A method for verifying user authentication, the method comprising: 

at an authentication server device configured to communicate with a network server device over a network, receiving from the network server device a login request that is associated with a user; assigning the user to a user category based on attributes of the user; 

selecting an authentication game for the user based on the user category; 

assigning the user to a game play cluster for the selected authentication game, wherein the cluster has one or more cluster classifiers that each represent expected game play results for the authentication game; sending the authentication game to the network server device over the network for interaction with the user; 
receiving a game result from the network server device, wherein the game result includes data representing game play results from the interaction of the user with the authentication game; comparing the data representing the game play results with a corresponding one or more of the cluster classifiers; Claim 11: The method of claim 1, wherein data representing game play results includes one or more of game play speed, accuracy, and reaction time.

based on the comparing, determining whether the game play results match the expected game play results; and 


when the determining indicates that the game play results match the expected game play results, approving the login request for the user.
Claim 40:
A method for verifying user authentication, the method comprising: 

receiving, by an authentication server device, a login request; 







receiving, by the authentication server device, information regarding the user including one or more of user demographic information, user location information, or information about a user device; 





selecting, by the authentication server device, an authentication game based on the received information; 





sending, by the authentication server device, the authentication game to a network server device over a network for interaction with a user; 

receiving, by the authentication server device, a game result from the network server device, wherein the game result includes data representing game play results from the interaction of the user with the authentication game, wherein the data representing game play results further includes data pertaining to one or more of game play speed or reaction time; 




comparing, by the authentication server device, the data representing the game play results with one or more expected game play results; and based on the comparison, determining, by the authentication server device, a response to the login request.

Claim 12:
A method for verifying user authentication, the method comprising: 

at an authentication server device configured to communicate with a network server device over a network, receiving from the network server device a login request that is associated with a user; determining whether an authentication verification should be sent to the user based on previous login attempts by the user; 
when the determining does not indicate that the authentication verification should be sent to the user: approving the login request for the user; and storing, in a database, information about the login request; and when the determining indicates that the authentication verification should be sent to the user: assigning the user to a user category based on attributes of the user; 

selecting an authentication game for the user based on the user category; assigning the user to a game play cluster for the selected authentication game, wherein the cluster has one or more cluster classifiers that each represent expected game play results for the authentication game; 
sending the authentication game to the network server device over the network for interaction with the user; 


receiving a game result from the network server device, wherein the game result includes data representing game play results from the interaction of the user with the authentication game; comparing the data representing the game play results with a corresponding one or more of the cluster classifiers; Claim 11: The method of claim 1, wherein data representing game play results includes one or more of game play speed, accuracy, and reaction time.


based on the comparing, determining whether the game play results match the expected game play results; and when the determining indicates that the game play results match the expected game play results, approving the login request for the user.
Claim 31:
A system for verifying user authentication, the system comprising: a database configured to store user data; and an authentication server in communication with the database and with a network server device over a network, and further configured to: 





receive from the network server device a login request; 



select an authentication game; 








send the authentication game to the network server device over a network for interaction with a user; 

receive a game result from the network server device, wherein the game result includes data representing game play results from the interaction of the user with the authentication game including data pertaining to one or more of game play speed or reaction time; 






compare the data representing the game play results with one or more expected game play results; and based on the comparison, determine a response to the login request.
Claim 20:
A system for verifying user authentication, the system comprising: a first memory storing a database configured to store user data; and an authentication server in communication with the database and with a network server device over a network, and the authentication server including a second memory storing instructions and a processor executing the instructions to perform operations, the operations including: 
receiving from the network server device a login request that is associated with a user; assigning the user to a user category based on attributes of the user received from the database; 
selecting an authentication game for the user based on the user category; assigning the user to a game play cluster for the selected authentication game, wherein the cluster has one or more cluster classifiers that each represent expected game play results for the authentication game; 
sending the authentication game to the network server device over the network for interaction with the user; 

receiving a game result from the network server device, wherein the game result includes data representing game play results from the interaction of the user with the authentication game; comparing the data representing the game play results with a corresponding one or more of the cluster classifiers; Claim 11: The method of claim 1, wherein data representing game play results includes one or more of game play speed, accuracy, and reaction time. 

based on the comparing, determining whether the game play results match the expected game play results; and upon determining that the game play results match the expected game play results, approving the login request for the user.


The dependent claims of the instant application recite language similar to the dependent claims of the patent application and are covered by the patent application.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 21-27, 29-34 and 36-40 are rejected under 35 U.S.C. 103 as being unpatentable over Moscicki et al. (US 20150128236) (hereinafter Moscicki) in view of Zavesky et al. (US 20200279455) (hereinafter Zavesky).
Regarding claim 21, Moscicki discloses a method for verifying user authentication (Moscicki: paragraph 0038, “Computerized CAPTCHA system 102 can implement verification process module 116 to perform various aspects of a verification process”), the method comprising: receiving, by an authentication server device, a login request (Moscicki: paragraphs 0038 and 0069-0070, “verification process module 116 can be implemented to receive a request to engage in a verification process from user computing device 104”); selecting, by the authentication server device, an authentication game (Moscicki: see figure 2 
    PNG
    media_image1.png
    750
    1047
    media_image1.png
    Greyscale
 and paragraphs 0038, 0046 and 0088, “the computerized CAPTCHA system can select a CAPTCHA challenge based on the trust score determined at (214)”); sending, by the authentication server device, the authentication game to a network server device over a network for interaction with a user (Moscicki: paragraph 0091, “At (218) the user computing device can receive the CAPTCHA challenge from the computerized CAPTCHA system and present it to the user, for example, on a display of the user computing device.”); receiving, by the authentication server device, a game result from the network server device (Moscicki: paragraphs 0038 and 0095, “Returning to FIG. 2, at (220) the user computing device can receive a response from the user and transmit it to the computerized CAPTCHA system. At (222) the computerized CAPTCHA system can receive the response from the user computing device.”); comparing, by the authentication server device, the data representing the game play results with one or more expected game play results (Moscicki: paragraphs 0096-0105, “the computerized CAPTCHA system can generate a verification token and provide it to the user computing device if one or more verification conditions are satisfied”… “at (224) the verification token can be generated and provided if the trust score calculated at (214) is greater than a threshold value, regardless of whether the response correctly satisfies the challenge”); and based on the comparison, determining a response to the login request (Moscicki: paragraphs 0104-0105, “In response to receiving the validation at (236), at (238) the resource provider can provide the user computing device with access to the resource. At (240) the user computing device can access the resource”).
Moscicki does not explicitly disclose the following limitation which is disclosed by Zavesky, wherein the game result includes data representing game play results from the interaction of the user with the authentication game including data pertaining to one or more of game play speed or reaction time (Zavesky: paragraphs 0015 and 0034-0035, “A determination may be made that a first user is using macros or automated software (e.g., which may be based on detecting actuations (e.g., keystrokes) of input devices at abnormal rates of speed).”… “The module 208a-1 may receive inputs that are indicative of (physical qualities/characteristics of) the user that is allegedly playing in the game. Those inputs may be compared against a database/library of physical characteristics that are stored for the user (e.g., potentially as part of the module 204a-1 described above). The comparison may yield/generate one or more values that may be compared against one or more thresholds in order to determine whether it is likely/probable that the user that is allegedly playing the game is actually the person playing the game”).
Moscicki and Zavesky are analogous art because they are from the same field of endeavor, a detection of suspicious activity, and more specifically, to a detection and counteraction of player fraud in a gaming environment.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Moscicki and Zavesky before him or her, to modify the system of Moscicki to include the game result that comprises data pertaining to one or more of game play speed or reaction time of Zavesky. The suggestion/motivation for doing so would have been to monitor an execution of an application (i.e., the application may comprise a game (e.g., a video game). Inputs to the game may be monitored, where the inputs may include actions taken) for potentially suspicious (e.g., fraudulent) activity (Zavesky: paragraph 0015).
Regarding claim 31, claim 31 discloses a system claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 31 and rejected for the same reasons.  Moscicki further discloses a database configured to store user data (Moscicki: paragraphs 0043-0044, “Computerized CAPTCHA system 102 can include or otherwise be in communication with any number of databases, including, for example, a user account database 122, a user web-history database 124, and a CAPTCHA challenges database 126. It will be appreciated that any database or other data storage functionality can be implemented using a single database or can be distributed across a plurality of storage devices. Further, each of such databases 122, 124, and 126 can be located locally or located remotely and accessed over a network”)
Regarding claim 40, claim 40 discloses a method claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 40 and rejected for the same reasons.  Moscicki further discloses receiving, by the authentication server device, information regarding the user including one or more of user demographic information, user location information, or information about a user device (Moscicki: paragraphs 0025-0026, “the reputation signals may include one or more of, for example, a device type, one or more device capabilities, an Internet Protocol address, a current location, a user web-history, a user location history, whether the user participates in various other web-services, or other additional information”).
Regarding claims 22 and 32, Moscicki does not explicitly disclose the following limitation which is disclosed by Zavesky, wherein the login request comprises at least one of a user name or password (Zavesky: paragraph 0063, “one or more identifiers/identifications may be obtained. The identifications… may include one or more of a username and password, a personal identification number (PIN)”).  The same motivation to modify Moscicki in view of Zavesky, as applied in claim 1 above, applies here.
Regarding claims 23 and 33, Moscicki as modified discloses wherein the game play results data further includes data pertaining to game play accuracy (Moscicki: paragraphs 0006 and 0097-0098, “the resource provider can communicate with the CAPTCHA system to confirm whether the user-provided solution is correct.”).
Regarding claims 24 and 34, Moscicki as modified discloses wherein the game play results include data pertaining to the user's maneuvers during the authentication game (Zavesky: paragraphs 0015 and 0034-0035, “A determination may be made that a first user is using macros or automated software (e.g., which may be based on detecting actuations (e.g., keystrokes) of input devices at abnormal rates of speed).”… “The module 208a-1 may receive inputs that are indicative of (physical qualities/characteristics of) the user that is allegedly playing in the game. Those inputs may be compared against a database/library of physical characteristics that are stored for the user (e.g., potentially as part of the module 204a-1 described above). The comparison may yield/generate one or more values that may be compared against one or more thresholds in order to determine whether it is likely/probable that the user that is allegedly playing the game is actually the person playing the game”).  The same motivation to modify Moscicki in view of Zavesky, as applied in claim 1 above, applies here.
Regarding claim 25, Moscicki as modified discloses wherein the game play results include data pertaining to game play movements during the authentication game (Zavesky: paragraphs 0015 and 0034-0035, “A determination may be made that a first user is using macros or automated software (e.g., which may be based on detecting actuations (e.g., keystrokes) of input devices at abnormal rates of speed).”… “The module 208a-1 may receive inputs that are indicative of (physical qualities/characteristics of) the user that is allegedly playing in the game. Those inputs may be compared against a database/library of physical characteristics that are stored for the user (e.g., potentially as part of the module 204a-1 described above). The comparison may yield/generate one or more values that may be compared against one or more thresholds in order to determine whether it is likely/probable that the user that is allegedly playing the game is actually the person playing the game”).  The same motivation to modify Moscicki in view of Zavesky, as applied in claim 1 above, applies here.
Regarding claims 26 and 37, Moscicki as modified discloses further comprising: approving, by the authentication server device, the login request based on the determined response to the login request (Moscicki: see figure 2 and paragraphs 0103-0105, “the computerized CAPTCHA system can provide a validation of the verification token to the resource provider if the verification token is valid”).
Regarding claims 27 and 39, Moscicki as modified discloses further comprising: receiving, by the authentication server device, additional information regarding the user including one or more of user demographic information, user location information, and information about the user device (Moscicki: paragraphs 0025-0026, 0039, 0075 and 0081-0082, “the reputation signals may include one or more of, for example, a device type, one or more device capabilities, an Internet Protocol address, a current location, a user web-history, a user location history, whether the user participates in various other web-services, or other additional information”).
Regarding claims 29 and 36, Moscicki as modified discloses wherein the authentication game is selected based on one or more of a user device type, browser type, keyboard layout, or screen size (Moscicki: paragraphs 0026 and 0075, “a reputation signal can be obtained at (214) that indicates a device type of the user computing device, such as, for example, whether the user computing device is a personal computer, laptop, smartphone, or other device type. The trust values associated with each device type can be based on the relative cost of each device type. Thus, if at (214) the computerized CAPTCHA system obtains a reputation signal indicating that the user computing device is a relatively sophisticated and expensive consumer smartphone, then, as a result, the computerized CAPTCHA system can add a trust value of relatively large value to the trust score”).
Regarding claims 30 and 38, Moscicki as modified discloses wherein the one or more expected game play results are determined based on the user's prior game play results (Moscicki: paragraphs 0034, 0048 and 0084, “User web-history database 124 can store or provide data describing previous web activity or web interactions performed by one or more computing devices associated with a user account”…“the auction website can simply rely upon the computerized CAPTCHA system to leverage existing knowledge regarding the reputation of the user to perform the entirety of the verification process”).

Claim(s) 28 and 35 are rejected under 35 U.S.C. 103 as being unpatentable over Moscicki in view of Zavesky, and further in view of Hearn et al. (US 9348981) (hereinafter Hearn).
Regarding claims 28 and 35, Moscicki in view of Zavesky does not explicitly disclose the following limitation which is disclosed by Hearn, wherein the authentication game is selected based on one or more of the user's age, gender, education, income level, marital status, language, nationality, or occupation (Hearn: column 5 lines 44-53, “other information identifying the users 125a/125b/125n of the system 100. Examples of information identifying users includes, but is not limited to, the user's name, contact information, relationship status, likes, interests, links, education and employment, location, usually used user device(s) and device details (e.g., browser, machine, operating system, language, etc.), etc.”).  
Moscicki in view of Zavesky and Hearn are analogous art because they are from the same field of endeavor, a detection of suspicious activity, and more specifically, to a detection and counteraction of player fraud in a gaming environment.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Moscicki in view of Zavesky and Hearn before him or her, to modify the system of Moscicki in view of Zavesky to include the game is selected to authenticate the request based on education and employment of a user of Hearn. The suggestion/motivation for doing so would have been to guard against possible fraudulent login attempts, and login by bots and other automated devices (Hearn: column 1 lines 26-27).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TRANG T DOAN/Primary Examiner, Art Unit 2431