DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to the submission filed 07/05/2022. Claims 1-5, 7-12 and 14-20 are amended. Claims 1-20 remain pending.

Continued Examination under 37 CFR 1.114
	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this Application after Final Rejection. Since this Application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 07/05/2022 has been entered. 

Remarks
Per §112(a) rejections of claims 1, 8 and 15, in response to amendments respective rejections are withdrawn.
Per claim 12, in response to amendments claim objection of record is withdrawn.

Response to Arguments
Applicant’s arguments, see Remarks: page 10, filed 07/05/2022, with respect to the rejection(s) of claim(s) 1-20 under §102 and §103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made as follows.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-2 and 5 are rejected under 35 U.S.C. 102(a) (1) as being anticipated by Hinton, US2008/0021866.

Per claim 1, Hinton discloses a method comprising: 
obtaining a registration of a first authenticator for a first account at an identity server as part of a passwordless authentication system (user registration within the computing environment of a given enterprise, e.g., establishment of a user account in a computer system, is not necessarily altered by the fact that the enterprise may also participate within a federated environment. For example, a user may still establish an account at a domain through a legacy or pre-existing registration process that is independent of a federated environment– Hinton: par. 0062);
authenticating the first account for a user device at the identity server through a first authentication exchange between the identity server and the user device (ASR servers 332 are responsible for authenticating users when the domain controls access to application servers 334, which can be considered to generate, retrieve, or otherwise support or process protected resources 335. The domain may continue to use legacy user registration application 336 to register users for access to application servers 334. Information that is needed to authenticate a registered user with respect to legacy operations is stored in enterprise user registry 338; enterprise user registry 338 may be accessible to federation components as well – Hinton: par. 0066 – Note: user has registered with a domain, e.g., enterprise A – 204 as their home domain and user’s authentication between user and their home domain is through conventional legacy operations, e.g., user ID and password exchange between user’s device and the home domain);
registering the identity server as a second authenticator for a second account with a relying party without involving the user device, the second account separate from the first account (The domain's legacy functionality can be integrated into a federated environment through the use of federation front-end processing 340, which includes point-of-contact server 342 and trust proxy server 344 (or more simply, trust proxy 344 or trust service 344) which itself interacts with Security Token Service (STS) 346, which are described in more detail below with respect to FIG. 4. Federation configuration application 348 allows an administrative user to configure the federation front-end components to allow them to interface with the legacy back-end components through federation interface unit 350 – Hinton: par. 0068 – Note: the user may have accounts at multiple federated domains, each of which is able to act as an identity provider for the user; these domains do not necessarily have information about the other domains nor about a user's identity at a different domain – par. 0058);
initiating a second authentication exchange between the identity server and the relying party by obtaining from the relying party, a credential request associated with the second account (the functionality of a legacy authentication service can be used in a federated environment through the use of point-of-contact servers…One of the roles of the federation front-end is to translate a federated authentication token received at a point-of-contact server into a format understood by a legacy authentication service. Hence, a user accessing the federated environment via the point-of-contact server would not necessarily be required to re-authenticate to the legacy authentication service. Preferably, the user would be authenticated to a legacy authentication service by a combination of the point-of-contact server and a trust proxy such that it appears as if the user was engaged in an authentication dialog – Hinton: par. 0069); 
responsive to a determination that the first account authenticated in the first authentication exchange is authorized to act as the second account, obtaining a credential response authenticated by the second authenticator for the second account in the identity server (the point-of-contact server may translate HTTP or HTTPS messages to SOAP and vice versa. As explained in more detail further below, the point-of-contact server may also be used to invoke a trust proxy to translate assertions, e.g., a SAML token received from an issuing party can be translated into a Kerberos token understood by a receiving party – Hinton: par. 0070 – Note: Federated user lifecycle management functionality/service comprises functions for supporting or managing federated operations with respect to the particular user accounts or user profiles of a given user at multiple federated domains; in some cases, the functions or operations are limited to a given federated session for the user – par. 0118, such as a transaction session that involves a service provider in a second domain, i.e., a different account of the user with the service provider in the second domain); and 
completing the second authentication exchange by providing the credential response from the identity server to the relying party, wherein the second authentication exchange authenticates the user device to the relying party (a service provider in a different domain) without involving the user device (Federation eases the administrative burden on service providers. A service provider can rely on its trust relationships with respect to the federation as a whole; the service provider does not need to manage authentication information, such as user password information, because it can rely on authentication that is accomplished by a user's authentication home domain or an identity provider – Hinton: par. 0047 – Note: authentication exchange between user’s device and the relying party is eliminated. The user can then access protected resources at a second, distinct entity, termed the relying party, by presenting the authentication assertion that was issued by the first entity without having to explicitly re-authenticate at the second entity. Information that is passed from an issuing party to a relying party is in the form of an assertion – par. 0050).

Per claim 2, Hinton discloses features of claim 1, further comprising registering the identity server as the second authenticator for a plurality of relying parties in the passwordless authentication system (…there is …[at least] one entity within the federation with which the user has performed a federated enrollment or registration operation, then it would be expected that this entity would act as the user's identity provider in order to support the user's transactions throughout the federated environment – Hinton: par. 0059 – Note: user enrolls with home domain and after authenticating with the home domain using legacy authentication exchange, the home domain acts as user’s authenticator/issuing entity/identity provider for the federated environment components, i.e., relying parties/service providers).

Per claim 5, Hinton discloses features of claim 1, further comprising, obtaining from the user device, the registration of the first authenticator for the first account in the passwordless authentication system (…there is …[at least] one entity within the federation with which the user has performed a federated enrollment or registration operation, then it would be expected that this entity would act as the user's identity provider in order to support the user's transactions throughout the federated environment – Hinton: par. 0059 – Note: user enrolls with home domain and after authenticating with the home domain, it acts as user’s authenticator/issuing entity/identity provider for the federated environment components, i.e., relying parties/service providers).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Hinton, US2008/0021866 in view of Mesard, US10880312.

Per claim 6, Hinton discloses features of claim 1.
Hinton is not relied on to explicitly disclose, however, Mesard discloses wherein the passwordless authentication system is configured according to WebAuthn standards (the authentication component 126 of the virtual server 118 may call the web API 122 to request authentication information for the client device 106. In some examples, the API call through the API 122 may include input parameters to receive the username and/or password for the user account of the user of the client device 106. Generally, the web API 122 may map to, or otherwise be associated with, a network endpoint of the subscriber, such as a subscriber device 114 in the remote subscriber network 104. In some examples, the web API 122 may cause a function, process, code, application, etc., to execute on a subscriber device 114 based on the call through the web API 122. For instance, the web API 122 may cause code to execute on a subscriber device 114 to obtain, from the user directory 116, authentication data. The code may identify a user account based on the username and/or password included in the API call, and identify authentication data used to authenticate the client device 106 and/or user (e.g., public key(s), indication that the username and password are valid, etc.) – Mesard: col. 11, lines 1-19 – Note: wherein user directory 116 in the remote subscriber network 104 is independent of the user’s device 106. Also, while SFTP is being described, any type of cryptographic communication protocol, or other network protocol may be utilized, e.g., Web Authentication (WebAuthn) protocol – col. 6, lines 16-23).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton in view of Mesard to include wherein the passwordless authentication system is configured according to WebAuthn standards.
One of ordinary skill in the art would have been motivated because it would allow “look[ing]-up the public key(s) that are mapped to, or otherwise associated with, the user account associated with the username” – Mesard: col. 4, lines 30-34.

2.	Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Hinton, US2008/0021866 in view of Ylonen, US2013/0117554.

Per claim 7, Hinton discloses features of claim 1.
Hinton is not relied on to disclose but Ylonen discloses wherein the determination that the first account is authorized to act as the second account is based on the first account being assigned to a role associated with the second account (FIG. 9 illustrates processing a role change request for an account where a role implies certain access rights specified for the role…a role may imply a set of accounts that the user may access. Thus, giving a user a role is equivalent to authorizing the user to connect to each of the accounts specified for the role, and removing a role from a user is equivalent to removing the authorization for the user to connect to each of the specified accounts (unless authorized by a remaining role. Generally, the role change above was described as if a user can have only one role, but can be easily extended to multiple roles (having multiple roles is roughly equivalent to having "super-roles" that are sets of roles, and imply memberships in the union of the accounts specified for the underlying roles) – Ylonen: par. 0091 and 0093). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton in view of Ylonen to include wherein the determination that the first account is authorized to act as the second account is based on the first account being assigned to a role associated with the second account.
One of ordinary skill in the art would have been motivated because it would allow optimizing processing of a request “by first computing which keys at which accounts would need to be removed when the user is detached from the old role, computing which new keys should be added at which accounts for the user's new role” – Ylonen: par. 0092.

3.	Claim(s) 3, 8-10, 12, 15-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hinton, US2008/0021866 in view of Smirnov, US2021/0383363.

Per claim 3, Hinton discloses features of claim 1.
Hinton is not relied on to disclose but Smirnov discloses further comprising storing private cryptographic information associated with the second account in a hardware storage module coupled to the identity server (the signed request is transferred to the hardware security module (HSM), where the user's digital wallet is created by generating private and public keys… the private and public keys of the digital wallet and the authentication data of users assigned to confirm transactions on the created digital wallet are saved in the HSM– Smirnov: par. 0029-0030).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton in view of Smirnov to include storing private cryptographic information associated with the second account in a hardware storage module coupled to the identity server.
One of ordinary skill in the art would have been motivated because it would allow “to organize an additional security circuit when performing transactions and checking cryptographic keys in an isolated environment…to secure the process of checking the necessary information prior to performing the transaction itself in the blockchain network (150) and eliminates the risk of any data leakage” – Smirnov: par. 0067.

Per claim 8, Hinton discloses an apparatus comprising: 
a network interface (point of contact server) configured to communicate, on behalf of an identity server, with a user device (client device) and a relying party (trust proxy server) across one or more computer networks (enterprise/domain) (in a preferred federated computing system for supporting the present invention, the functionality of a legacy authentication service can be used in a federated environment through the use of point-of-contact servers…back-end processing components 330, which include authentication service runtime (ASR) servers 332 – Hinton: par. 0066 and 0069 and Fig. 2-5).
Hinton is not relied on to disclose but Smirnov discloses a hardware storage module configured to store private cryptographic information (HSM (120) provides an isolated secure environment for generation and storage of digital wallet addresses and private keys, as well as for signing of the approved fund withdrawal transactions. HSM (120) stores the authentication information, including public keys of all users – Smirnov: par. 0069); and 
Smirnov discloses that after successful validation of the request on the control server (110), the user request is transmitted to the HSM (120), where the validation process (234) is also performed, during which the signature of the request (232) is verified for compliance with the public key stored in the HSM (120) – Smirnov: par. 0085.
Hinton in view of Smirnov discloses a processor (control server 110) coupled to the network interface and the hardware storage module, the processor configured to perform operations recited in the method of claim 1. 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton in view of Smirnov to include a hardware storage module configured to store private cryptographic information; and a processor coupled to the network interface and the hardware storage module, the processor configured to perform operations recited in the method of claim 1.
One of ordinary skill in the art would have been motivated because it would allow “to organize an additional security circuit when performing transactions and checking cryptographic keys in an isolated environment…to secure the process of checking the necessary information prior to performing the transaction itself in the blockchain network (150) and eliminates the risk of any data leakage” – Smirnov: par. 0067.

Per claim 15, it recites one or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor of an identity server, cause the processor to perform operations recited in the apparatus of claim 8. 
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 8 above. 

Per claims 9 and 16, Hinton in view of Smirnov disclose features of claims 8 and 15, further comprising registering the identity server as the second authenticator for a plurality of relying parties in the passwordless authentication system (…there is …[at least] one entity within the federation with which the user has performed a federated enrollment or registration operation, then it would be expected that this entity would act as the user's identity provider in order to support the user's transactions throughout the federated environment – Hinton: par. 0059 – Note: user enrolls with home domain and after authenticating with the home domain using legacy authentication exchange, the home domain acts as user’s authenticator/issuing entity/identity provider for the federated environment components, i.e., relying parties/service providers).

Per claims 10 and 17, Hinton in view of Smirnov disclose features of claims 8 and 15, further comprising storing private cryptographic information associated with the second account in a hardware storage module coupled to the identity server (the signed request is transferred to the hardware security module (HSM), where the user's digital wallet is created by generating private and public keys… the private and public keys of the digital wallet and the authentication data of users assigned to confirm transactions on the created digital wallet are saved in the HSM– Smirnov: par. 0029-0030).
The same motivation to modify Hinton in view of Smirnov applied to claim 8 above applies here.

Per claims 11 and 18, Hinton in view of Smirnov discloses features of claims 10 and 17.
Hinton and Smirnov are not relied on to explicitly disclose but Ylonen discloses further comprising updating the private cryptographic information associated with the second account (a request or background job is used for bringing configured trust relationships for an account up to date. The current state of permitted trust relationships is maintained in a database (using, e.g., source host, source account, destination host, destination account, permitted command to execute, and type of trust relationship (public key vs. host-based authentication vs. Kerberos vs. PKI) as fields in a database table), and whenever an account on a host is updated (a request to update it runs), trust relationships where the account is either the source or destination are looked up, and the configuration files (including authorized keys and identity keys) for the account are updated accordingly – Ylonen: par. 0202). 

Per claims 12 and 19, Hinton in view of Smirnov disclose features of claims 8 and 15, further comprising, obtaining from the user device, the registration of the first authenticator for the first account in the passwordless authentication system (…there is … [at least] one entity within the federation with which the user has performed a federated enrollment or registration operation, then it would be expected that this entity would act as the user's identity provider in order to support the user's transactions throughout the federated environment – Hinton: par. 0059 – Note: user enrolls with home domain and after authenticating with the home domain, it acts as user’s authenticator/issuing entity/identity provider for the federated environment components, i.e., relying parties/service providers).

4.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Hinton, US2008/0021866 in view of Smirnov, US2021/0383363 as applied to claim 8 above, further in view of Mesard, US10880312.

Per claim 13, Hinton in view of Smirnov discloses features of claim 8.
Hinton or Smirnov is not relied on to explicitly disclose, however, Mesard discloses wherein the passwordless authentication system is configured according to WebAuthn standards (the authentication component 126 of the virtual server 118 may call the web API 122 to request authentication information for the client device 106. In some examples, the API call through the API 122 may include input parameters to receive the username and/or password for the user account of the user of the client device 106. Generally, the web API 122 may map to, or otherwise be associated with, a network endpoint of the subscriber, such as a subscriber device 114 in the remote subscriber network 104. In some examples, the web API 122 may cause a function, process, code, application, etc., to execute on a subscriber device 114 based on the call through the web API 122. For instance, the web API 122 may cause code to execute on a subscriber device 114 to obtain, from the user directory 116, authentication data. The code may identify a user account based on the username and/or password included in the API call, and identify authentication data used to authenticate the client device 106 and/or user (e.g., public key(s), indication that the username and password are valid, etc.) – Mesard: col. 11, lines 1-19 – Note: wherein user directory 116 in the remote subscriber network 104 is independent of the user’s device 106. Also, while SFTP is being described, any type of cryptographic communication protocol, or other network protocol may be utilized, e.g., Web Authentication (WebAuthn) protocol – col. 6, lines 16-23).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton and Smirnov further in view of Mesard to include wherein the passwordless authentication system is configured according to WebAuthn standards.
One of ordinary skill in the art would have been motivated because it would allow “look[ing]-up the public key(s) that are mapped to, or otherwise associated with, the user account associated with the username” – Mesard: col. 4, lines 30-34.

5.	Claim(s) 4, 11, 14, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hinton, US2008/0021866 in view of Smirnov, US2021/0383363  as applied to claims 3, 8, 10, 15 and 17 above, and further in view of Ylonen, US2013/0117554.

Per claim 4, 11 and 18, Hinton in view of Smirnov discloses features of claims 3, 10 and 17.
Hinton and/or Smirnov are not relied on to explicitly disclose but Ylonen discloses further comprising updating the private cryptographic information associated with the second account (a request or background job is used for bringing configured trust relationships for an account up to date. The current state of permitted trust relationships is maintained in a database (using, e.g., source host, source account, destination host, destination account, permitted command to execute, and type of trust relationship (public key vs. host-based authentication vs. Kerberos vs. PKI) as fields in a database table), and whenever an account on a host is updated (a request to update it runs), trust relationships where the account is either the source or destination are looked up, and the configuration files (including authorized keys and identity keys) for the account are updated accordingly – Ylonen: par. 0202). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton and Smirnov further in view of Ylonen to include updating the private cryptographic information associated with the second account.
One of ordinary skill in the art would have been motivated because it would allow optimizing processing of a request “by first computing which keys at which accounts would need to be removed when the user is detached from the old role, computing which new keys should be added at which accounts for the user's new role” – Ylonen: par. 0092.

Per claims 14 and 20, Hinton in view of Smirnov disclose features of claims 8 and 15.
Hinton and/or Smirnov are not relied on to disclose but Ylonen discloses wherein the determination that the first account is authorized to act as the second account is based on the first account being assigned to a role associated with the second account (FIG. 9 illustrates processing a role change request for an account where a role implies certain access rights specified for the role…a role may imply a set of accounts that the user may access. Thus, giving a user a role is equivalent to authorizing the user to connect to each of the accounts specified for the role, and removing a role from a user is equivalent to removing the authorization for the user to connect to each of the specified accounts (unless authorized by a remaining role. Generally, the role change above was described as if a user can have only one role, but can be easily extended to multiple roles (having multiple roles is roughly equivalent to having "super-roles" that are sets of roles, and imply memberships in the union of the accounts specified for the underlying roles) – Ylonen: par. 0091 and 0093). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton and Smirnov further in view of Ylonen to include wherein the determination that the first account is authorized to act as the second account is based on the first account being assigned to a role associated with the second account.
One of ordinary skill in the art would have been motivated because it would allow optimizing processing of a request “by first computing which keys at which accounts would need to be removed when the user is detached from the old role, computing which new keys should be added at which accounts for the user's new role” – Ylonen: par. 0092.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Lindermann (US2018/0191695) discloses system and method for bootstrapping a user binding.
Lindermann (US2018/0191501) discloses system and method for sharing keys across authenticators.
Kumar (US9503452) discloses identity recognition and affiliation of a user in a service transaction.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/            Examiner, Art Unit 2494