Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-20 are pending.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,805,289. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the present application are anticipated by the ‘289 patent.  This is an anticipatory double patenting rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Atherton US 2012/0131350 and further in view of Kulkarni et al., US 2008/0086764.

Regarding claim 1, Atherton discloses a system for intercepting a request to transfer data and obtain authorization from an authorized user (paragraph 0179: Authorized user 101 is requested to biometrically authorize said specific cryptographic operation.) the system comprising: 
at least one processor; a biometric sensor (0075: biometric sensors) communicatively coupled to the at least one processor (fig. 1, ([0143] the biometric/cryptographic processing unit (BCU) 103; ); 
a datastore storing biometric identity data indicative of the authorized user ([0144] information processing and information storage functions 108). 
Atherton lacks or does not expressly disclose determining an authorization level.  
However, Kulkarni discloses perform a method of determining an authorization level for the request to transfer data and receiving approval for the request (0070: the process of requiring higher level access authentication credentials, as higher-value resources are requested, can be repeated for as many types of high-level access resources as are needed. Further, additional factor authentication for higher level resource access can be required at initial login and not delayed until the higher level resource is actually requested.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Atherton with Kulkarni to include deterring an authorization level for the request in order to provide access to high level resources, as taught by Kulkarni, 0070.
Atherton, as modified above further discloses the method comprising the steps of: 
receiving the request to transfer data (paragraph 0231:  some types of information input to the BCU 103 from the information processing and information storage functions 108 may be configured to require biometric authorization by a specific authorized user of the BCU 103 for a specific cryptographic operation, in turn requiring positive biometric identification of said specific authorized user, prior to said information being transferred to the communications unit 110 for transfer to an external device.); 
determining the level of authorization required to complete the request; 
requesting biometric information from the authorized user to approve the request; and 
approving the request when the authorized user provides the biometric information (fig. 1 and paragraph 0179: Authorized user 101 is requested to biometrically authorize said specific cryptographic operation. Also see paragraphs 0448-0469).  
Regarding claim 2, lacks or does not expressly disclose wherein the request to transfer data is a request to access a network and a third party monitors the user for data transfer requests, wherein the authorization is performed by the third party.  However, Kulkarni discloses wherein the request to transfer data is a request to access a network and a third party monitors the user for data transfer requests, wherein the authorization is performed by the third party (fig. 1, authentication server 202 and Fig. 2A:  The authentication service 202 sets the authentication credential to user agent 1 101, and presents (22) the token value and instructions to complete authentication on another channel.).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Atherton with Kulkarni to include authorization performed by a third party in order to authenticate a user over multiple channels, as taught by Kulkarni, 0054.Regarding claim 3, Atherton, lacks or does not expressly disclose wherein the user requesting the transfer of data is a different user than the authorized user.  However, Kulkarni discloses wherein the user requesting the transfer of data is a different user than the authorized user (fig. 1, user agent 1, user 1 presented with token to complete authentication).  It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Atherton with Kulkarni wherein the user requesting transfer of data is a different user than the authorized user, in order to authenticate the user requesting data, as taught by Kulkarni, 0054.Regarding claim 4, Atherton, as modified above further discloses the system of claim 3, wherein the request for biometric authorization is sent by the third party across an application program interface ([0179] 2. Authorized user 101 is requested to biometrically authorize said specific cryptographic operation. [0180] 3. User 101 presents for biometric identification as part of the biometric authorization process. In the case of fingerprint biometrics, this would involve user 101 presenting a finger to the biometric sensor 104 (in this example a fingerprint scanner).).Regarding claim 5, Atherton, as modified above further discloses the system of claim 1, wherein the approval is stored and the system is updated such that the user is authorized in the future without biometric authentication from the authorized user (0166:  authorized user 101 may provide biometric pre-authorization for future key updating operations. For simplicity, in the descriptions and preferred embodiments that follow it is assumed (unless otherwise stated) that all biometric authorization processes are real time, but it should be appreciated that in alternative embodiments biometric pre-authorization may instead be employed.).Regarding claim 6, Atherton, as modified above further discloses the system of claim 1, wherein the request to transfer data is a request to access a physical facility, wherein multifactor authentication is required to access the physical facility, wherein the biometric sensor detects at least one of fingerprint data, retina data, iris data, palm data, and facial data of the authorized user, and wherein the request to access the physical facility is performed either over a local network or via short-range wireless communication (0002: techniques based on fingerprint recognition, facial recognition, iris recognition, retinal recognition, voice recognition, heartbeat recognition, DNA recognition, and others. 0211: a store employee identifying the products at a checkout and transmitting the product information to the user's cell phone by known means such as a Bluetooth wireless connection or SMS message or some other suitable means.  0134: and access control devices to gain access to buildings, locations, vehicles, bank accounts, etc.).Regarding claim 7, Atherton, as modified above further discloses the system of claim 1, wherein the method further comprises the steps of: detecting a location of the request to transfer data; and approve the request based on the location ([0216] biometrically authenticated access control to buildings and other locations).Regarding claim 8, Atherton, as modified above further discloses the system of claim 7, wherein the location is compared to a plurality of stored locations, wherein each stored location of the plurality of stored locations is indicative of at least one of a user location of the user making the request for transfer or a device location of the device used to make the request for transfer (0141:  the PID 100 would be small compared with the size of a human being--for example it may be in the form of a cell phone; PDA; laptop computer; or access control device to gain access to a building, location, vehicle, bank account, etc. Each BCU 103 (and therefore each PID 100) may have one or more authorized users, each of whom is identified to the BCU 103 by biometric means.).As per claims 9 and 12, this is a method version of the claimed system discussed above in claims 1-8 wherein all claimed limitations have also been addressed and/or cited as set forth above.
Regarding claim 10, Atherton, as modified above further discloses the method of claim 9, wherein the level of authorization is determined based on at least one of an identity of the user, the data being transferred, and the location of the user (0141:  the PID 100 would be small compared with the size of a human being--for example it may be in the form of a cell phone; PDA; laptop computer; or access control device to gain access to a building, location, vehicle, bank account, etc. Each BCU 103 (and therefore each PID 100) may have one or more authorized users, each of whom is identified to the BCU 103 by biometric means.).Regarding claim 11, Atherton, as modified above further discloses the method of claim 9, wherein the biometric sensor detects at least one of fingerprint data, retina data, iris data, palm data, and facial feature data for the authorized user (0002: fingerprint recognition, facial recognition, iris recognition, retinal recognition, voice recognition, heartbeat recognition, DNA recognition, and others.).Regarding claim 13, Atherton, as modified above further discloses the method of claim 12, wherein the user requests the transfer of data on a private network and the third party monitors the private network for data transfer requests ([0089] each said cryptographically enabled device on said information network that is not a personal information device preferably being configured such that it will retain a history of private/public key pairs that it generates, along with the active time window for each said key pair).Regarding claim 14, Atherton, as modified above further discloses the method of claim 9, further comprising the steps of: sending a request for at least one form of authentication from the user; receiving the at least one form of authentication from the user; and approving the request for the transfer of data only when the at least one form of authentication from the user authenticates the user and the transfer of data is approved from the authorized user via the biometric sensor (Biometric sensor 104 and  [0052] a means to determine whether said biometric information derived from said user corresponds to an authorized user of said BCPM and thereby determine whether said user is a said authorized user of said BCPM; ).As per claim 15, 17-19, this is a media version of the claimed system and method discussed above in claims 1-14 wherein all claimed limitations have also been addressed and/or cited as set forth above.
Regarding claim 16, Atherton, as modified above further discloses the media of claim 15, wherein the biometric information is requested based on at least one of an identification card, an identification number, and hardware that is different than stored hardware identification information, when the user is authorized, an identity of the user is stored such that the biometric information is not requested in the future, and wherein the user is the authorized user (0197:  the BCU 103 may be a card or module that can be plugged in to a cell phone, PDA or laptop computer.).Regarding claim 20, Atherton, as modified above further discloses the media of claim 19, wherein the computer-executable instructions are further executed to perform the step of updating the stored authorization data each time a data transfer request is received and the data transfer request is either approved or denied (0389: systems may allow updating of certain types of personal information, provided the corresponding authorized user is biometrically identified during the updating process).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2014/0068726 to Jakobsson teaches to determine if user 116 is requesting a service or taking an action that requires high quality authentication (704).
US 2006/05282680 to Kuhlman et al teaches a user device making the request is then authenticated (400) and the biometric information of the user is then requested (406). Further, the method includes authenticating (412) the biometric information of the user. The security information of the domain is transferred (414) to the user device once the authentication of the user device and the biometric information are both successful.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AUBREY H WYSZYNSKI/Examiner, Art Unit 2434                                                                                                                                                                                                        /KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434