DETAILED ACTION
This Office Action is in response to the application 17/204,660 filed on 03/17/2021.
Claims 1-20 have been examined and are pending.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  This Action is made Non-FINAL.
Priority
The present application claims priority to Provisional Application No.: 62/990,448, filed on March 17, 2020. 
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 09/03/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements have been considered by the examiner.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f): 
(f) ELEMENT IN CLAIM FOR A COMBINATION.—An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph: 
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph: 
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and 
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “means for accepting,” “means for regenerating,” “means for determining,” “means for transmitting” of claim 17. 
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. 
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. 
If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112 , sixth paragraph, applicant may amend the claim(s) so that it/they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites/recite sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Grajek et al. (“Grajek,” US 20150237049, published Aug. 20, 2015) in view of Guo et al. (“Guo,” US 20170289139, published Oct. 5, 2018).   
Regarding claim 1, Grajek discloses method of receiving secure data in a client device, comprising: 
(a) receiving a token having a token ID and a digital certificate generated by a certificate 5authority (CA) [having client device fingerprint data generated from client device parameters] (Grajek [0064], [0066], [0071]. The authentication token may also be used for access to additional network services in lieu of authenticating an additional time with the authentication system. For information regarding [ ] authentication via a digital certificate, U.S. Pat. Nos. 8,327,142, 8,301,877. For example, it may conduct []  a certificate-based authentication. For example, the userID could be stored in an authentication token stored by the browser or be associated with an authentication token. [Note that U.S. Patent No. 8301877 col. 11: 17-22 discloses: An aspect of the present invention contemplates the PKCS #10 request being an X.509 certificate request 44. In one embodiment of the present invention, the certificate server 40 is a certificate authority. The certificate server 40 is configured to digitally sign the certificate request 44.]); 
(b) accepting a request in the client device to provide secure data to the client device (Grajak FIG. 6, [0036], [0107]. The web server, like normal web servers, may communicate via HTTP over the World Wide Web with user devices and may communicate over, for example, secure HTTP/TLS/SSL, such as HTTPS. User device 110 requests a service from a resource associated with an enterprise. In 602 this request is sent to the app or web server, for example 103a to be handled. App or web server 103a then determines 604 whether the user and/or the device is authenticated and, if not authenticated, may redirect to the authentication system with optional parameters.); 
(c) regenerating the client device fingerprint data from the client device parameters (Grajek [0028]. The authentication system may then gather device characteristics using the capture script in the same manner, and calculate a new device fingerprint. If that fingerprint matches any of the stored fingerprints, the device is considered to have authenticated.); 
(d) determining, in the client device, differences between the client device fingerprint data of the digital certificate from the regenerated client device fingerprint data (Grajek [0028], [0033]. The authentication system may then gather device characteristics using the capture script in the same manner, and calculate a new device fingerprint. If that fingerprint matches any of the stored fingerprints, the device is considered to have authenticated. Authentication system 102 may also comprise one or more user interfaces. Such user interfaces may be dis played [ ] on user computing device 110 [note that user device participates with the authentication system during the verification of user or device credentials].); 
10(e) transmitting a request to a secure data service to provide secure data based upon the determination, comprising (Grajek FIG. 6, [0110]-[0111]. In block 614, if there is a match with another fingerprint stored in a table in association with the userID that is to be authenticated, then the authentication system 102 may generate and create an authentication token, store a record of the authentication token and/or that the token was created, and link it to the user ID. Then, that token may be sent 620 to the user device for storage by its browser in data storage on the user device 110. If the authentication token is authentic, which may be protected by cryptography as described herein, it may be accepted by the app web server 103a and then the user device would be allowed access to the network service provided by the web server 103a.): 
if the client device fingerprint data of the [digital certificate] matches the regenerated client device fingerprint data, transmitting the request to a secure data service to provide secure data to the secure data service (Grajek FIG. 6, [0110]-[0111]. In block 612, the authentication system may create a fingerprint based on the characteristics and determine if there is a match. In block 614, if there is a match with another fingerprint stored in a table in association with the userID that is to be authenticated, then the authentication system 102 may generate and create an authentication token, store a record of the authentication token and/or that the token was created, and link it to the user ID. Then, that token may be sent 620 to the user device for storage by its browser in data storage on the user device 110. If the authentication token is authentic, which may be protected by cryptography as described herein, it may be accepted by the app web server 103a and then the user device would be allowed access to the network service provided by the web server 103a.); 
15if the client device fingerprint data [of the digital certificate]e does not match the regenerated client device fingerprint data, determining if differences between the client device fingerprint data [of the digital certificate] and the regenerated client device fingerprint data are acceptable; if differences between the client device fingerprint data of the [digital certificate] and the regenerated client device fingerprint data are acceptable (Grajek FIGs 5-6, [0093]. If a match is not made based on the hash fingerprint, then a comparison may be made of the characteristics collected by the user computing device to previous characteristics collected by the user computing device or any computing device that is associated with the user ID sent to the authentication system 102 from the original redirect. If there is a match of characteristics compared on a one-to-one basis for each characteristic, or if it meets a configurable threshold of matches of the characteristics (such as a percentage match) then authentication may be considered successful as well. In this case the authentication token may be returned back to the calling party as described above.): 
20transmitting the request to a secure data service to provide secure data to the secure data service; and receiving the secure data (Grajek FIG. 6, [0110]-[0111]. In block 612, the authentication system may create a fingerprint based on the characteristics and determine if there is a match. In block 614, if there is a match with another fingerprint stored in a table in association with the userID that is to be authenticated, then the authentication system 102 may generate and create an authentication token, store a record of the authentication token and/or that the token was created, and link it to the user ID. Then, that token may be sent 620 to the user device for storage by its browser in data storage on the user device 110. If the authentication token is authentic, which may be protected by cryptography as described herein, it may be accepted by the app web server 103a and then the user device would be allowed access to the network service provided by the web server 103a.).
Grajek does not explicitly disclose: a digital certificate having client device fingerprint data generated from client device parameters. 
However, in an analogous art, Guo discloses a method comprising the steps of: 
a digital certificate having client device fingerprint data generated from client device parameters (Guo [0078]-[0079]. Moreover , the target device may record the hard ware inherent attributes that are collected by the target device when applying for the certificate . In this way , the same device attributes may be collected when device verification is requested subsequently , to make sure that the attribute information collected includes the corresponding attributes in the device certificate . The server can then match and compare the attributes . 304 . The server generates a device certificate including the device fingerprint and the public key.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Guo with teachings of Grajek to include the step of: a digital certificate having client device fingerprint data generated from client device parameters. One would have been motivated to provide users with a means for incorporating inherent device characteristics as device fingerprints in a corresponding device certificate.  (See Guo [0078].)  
Regarding claim 10, claim 10 is directed to a client device corresponding to the method of claim 1. Claim 10 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 17, claim 17 is directed to an apparatus corresponding to the method of claim 1. Claim 17 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Claims 2-4, 6, 11-13, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Grajek et al. (“Grajek,” US 20150237049, published Aug. 20, 2015) in view of Guo et al. (“Guo,” US 20170289139, published Oct. 5, 2018) and Motwani et al. (“Motwani,” US 20120117351, published May 10, 2012). 
Regarding claim 2, Grajek and Guo disclose the method of claim 1. Grajek further discloses wherein if the differences between the client device fingerprint 25data of the digital certificate and the regenerated client device fingerprint data are acceptable (Grajek FIGs 5-6, [0093]. If a match is not made based on the hash fingerprint, then a comparison may be made of the characteristics collected by the user computing device to previous characteristics collected by the user computing device or any computing device that is associated with the user ID sent to the authentication system 102 from the original redirect. If there is a match of characteristics compared on a one-to-one basis for each characteristic, or if it meets a configurable threshold of matches of the characteristics (such as a percentage match) then authentication may be considered successful as well. In this case the authentication token may be returned back to the calling party as described above.). 
Guo further discloses transmitting the client device regenerated fingerprint data and token ID to the CA; receiving a further digital certificate generated by the CA having the client device regenerated fingerprint data (Guo [0067], [0078]-[0079], [0081]. The target device sends a certificate application request to the server [including] the public key in the public - private key pair. Moreover , the target device may record the hard ware inherent attributes that are collected by the target device when applying for the certificate . In this way , the same device attributes may be collected when device verification is requested subsequently , to make sure that the attribute information collected includes the corresponding attributes in the device certificate . The server can then match and compare the attributes . 304 . The server generates a device certificate including the device fingerprint and the public key. As shown in the above Table 2 , the device certifi cate is a digital certificate having the device fingerprint included in the extended information of the certificate . The digital certificate can be , for example , a certificate in an X . 509 V3 format.). 
Grajek and Guo does not explicitly disclose: storing the further digital certificate in the token. 
However, in an analogous art, Motwani discloses a method comprising storing the further digital certificate in the token (Motwani [0126]-[0127]. The processing module deter mines that the challenge request token is trusted when successfully matching at least one certificate authority identifier within the client certificate chain to a known certificate authority identifier The method continues at step 216 where the processing module sends a challenge response token when the processing module determines that the challenge request token is trusted. The challenge response token includes at least one of a server challenge, a server certificate chain.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Motwani with the teachings of Grajek and Guo to include the step of: storing the further digital certificate in the token. One would have been motivated to provide users with a means for using a chain of certificates to validate the authenticity of the requesting device and the server. (See Motwani [0127].)  
Regarding claim 3, Grajek, Guo, and Motwani disclose the method of claim 2. Grajek further discloses wherein if the differences between the client device fingerprint data of the digital certificate and the regenerated client device fingerprint data are not acceptable (Grajek FIGs 5-6, [0093]. If a match is not made based on the hash fingerprint, then a comparison may be made of the characteristics collected by the user computing device to previous characteristics collected by the user computing device or any computing device that is associated with the user ID sent to the authentication system 102 from the original redirect. If there is a match of characteristics compared on a one-to-one basis for each characteristic, or if it meets a configurable threshold of matches of the characteristics (such as a percentage match) then authentication may be considered successful as well. In this case the authentication token may be returned back to the calling party as described above.). 
Motwani further discloses returning an error to the client device; and 5logging the error to the secure data service (Motwani FIG. 10A, [0043], [0126]. For example, the DS managing unit 18 receives and aggregates network management alarms, alerts, errors, status information, performance information, and messages from the devices 12-14 and/or the units 16, 20. 22. The method continues at step 214 where the processing module sends an error message indicating that the challenge process has failed. The processing module may send the error message to one or more of a user device, a requesting entity, and a DS managing unit.). 
The motivation is the same as that of claim 2 above. 
Regarding claim 4, Grajek, Guo and Motwani disclose the method of claim 3. Motwani further discloses compiling the logged error in a token report; and providing the token report to an administrator of the client device ( Motwani FIG. 10A, [0043], [0126]. The DS managing unit 18 also performs network operations, network administration, and/or network maintenance. For example, the DS managing unit 18 receives and aggregates network management alarms, alerts, errors, status information, performance information, and messages from the devices 12-14 and/or the units 16, 20. 22. The method continues at step 214 where the processing module sends an error message indicating that the challenge process has failed. The processing module may send the error message to one or more of a user device, a requesting entity, and a DS managing unit.).
The motivation is the same as that of claim 3 above.
Regarding claim 6, Grajek and Guo disclose the method of claim 1. Guo further discloses wherein receiving a token having a digital certificate generated 15by the CA having the client device fingerprint data comprises: generating first client device fingerprint data from client device parameters; transmitting the first client device fingerprint data to a certificate authority (CA) (Guo [0067], [0078]-[0079], [0081]. The target device sends a certificate application request to the server [including] the public key in the public - private key pair. Moreover , the target device may record the hard ware inherent attributes that are collected by the target device when applying for the certificate . In this way , the same device attributes may be collected when device verification is requested subsequently , to make sure that the attribute information collected includes the corresponding attributes in the device certificate . The server can then match and compare the attributes . 304 . The server generates a device certificate including the device fingerprint and the public key. As shown in the above Table 2 , the device certifi cate is a digital certificate having the device fingerprint included in the extended information of the certificate . The digital certificate can be , for example , a certificate in an X . 509 V3 format.). 
Motwani further discloses and receiving the token (Motwani [0126]-[0127]. The processing module deter mines that the challenge request token is trusted when successfully matching at least one certificate authority identifier within the client certificate chain to a known certificate authority identifier The method continues at step 216 where the processing module sends a challenge response token when the processing module determines that the challenge request token is trusted. The challenge response token includes at least one of a server challenge, a server certificate chain.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Motwani with the teachings of Grajek and Guo to include the step of: storing the further digital certificate in the token. One would have been motivated to provide users with a means for using a chain of certificates to validate the authenticity of the requesting device and the server. (See Motwani [0127].)  
Regarding claim 11, claim 10 is directed to a client device corresponding to the method of claim 2. Claim 11 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 12, claim 12 is directed to a client device corresponding to the method of claim 3. Claim 12 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Regarding claim 13, claim 13 is directed to a client device corresponding to the method of claim 4. Claim 13 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Regarding claim 18, claim 18 is directed to an apparatus corresponding to the method of claim 2. Claim 18 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 19, claim 19 is directed to an apparatus corresponding to the method of claim 3. Claim 19 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Regarding claim 20, claim 20 is directed to an apparatus corresponding to the method of claim 4. Claim 20 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over as being unpatentable over Grajek et al. (“Grajek,” US 20150237049, published Aug. 20, 2015) in view of Guo et al. (“Guo,” US 20170289139, published Oct. 5, 2018), Motwani et al. (“Motwani,” US 20120117351, published May 10, 2012) and Sheets et al. (“Sheets,” US 20150019443, published Jan. 15, 2015). 
Regarding claim 5, Grajek, Guo, and Motwani disclose the method of claim 2. Grajek, Guo, and Motwani do not explicitly disclose: wherein (b)-(e) are performed by a secure software development kit (SDK) executing on the client device. 
However, in an analogous art, Sheets discloses a method comprising the step of: wherein (b)-(e) are performed by a secure software development kit (SDK) executing on the client device (Sheets [0056]. For example, a mobile payment application may be configured to interface with other mobile applications or merchant applications on a mobile device in order to provide payment information for a transaction. For instance, the mobile payment application may provide a software development kit (SDK) or application programming interface (API) that merchant applications and/or other mobile applications may use to interface with the mobile payment application.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Sheets with the teachings of Grajek, Guo, and Motwani to include: wherein (b)-(e) are performed by a secure software development kit (SDK) executing on the client device. One would have been motivated to provide users with a mobile payment application operating with a SDK environment. (See Sheets [0056].)  
Regarding claim 14, claim 14 is directed to a client device corresponding to the method of claim 5. Claim 14 is similar in scope to claim 5 and is therefore rejected under similar rationale. 

Claims 7 is rejected under 35 U.S.C. 103 as being unpatentable over as being unpatentable over Grajek et al. (“Grajek,” US 20150237049, published Aug. 20, 2015) in view of Guo et al. (“Guo,” US 20170289139, published Oct. 5, 2018), Motwani et al. (“Motwani,” US 20120117351, published May 10, 2012) and Alonso Cebrian et al. (“Alonso Cebrain,” US 20160156598, published Jun. 2, 2016). 
Regarding claim 7, Grajek, Guo, and Motwani disclose the method of claim 2. Grajek, Guo, and Motwani do not explicitly disclose: wherein the token comprises a hardware token communicatively coupleable to the client device. 
However, in an analogous art, Alonso Cebrain discloses a method comprising the step of: wherein the token comprises a hardware token communicatively coupleable to the client device (Alonso Cebrain [0095]. FIG. 7 illustrates an embodiment in which the accu racy of the extra authentication factor mechanism is increased by the usage of a public/private key to digitally sign an authentication token to show that the user 100 who is demanding an operation is in possession of the private key of a certificate, an specific computing mobile device with the private information built inside or a physical token guarding this private information (e.g. Smartcard used as citizen card).). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Sheets with the teachings of Grajek, Guo, and Motwani to include: wherein the token comprises a hardware token communicatively coupleable to the client device. One would have been motivated to provide users with smartcard based mobile authentication system. (See Alonso Cebrain [0095].)  
Claims 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over as being unpatentable over Grajek et al. (“Grajek,” US 20150237049, published Aug. 20, 2015) in view of Guo et al. (“Guo,” US 20170289139, published Oct. 5, 2018) and Willis et al. (“Willis,” US 20160267284, published Sep. 15, 2016).
Regarding claim 8, Grajek and Guo disclose the method of claim 1. Guo further discloses and receiving a further digital certificate generated by the CA having the [second] client device fingerprint data (Guo [0078] – [0079]. Moreover, the target device may record the hard ware inherent attributes that are collected by the target device when applying for the certificate. In this way , the same device attributes may be collected when device verification is requested subsequently , to make sure that the attribute information collected includes the corresponding attributes in the device certificate . The server can then match and compare the attributes . 304 . The server generates a device certificate including the device fingerprint and the public key .).
Grajek and Guo does not explicitly disclose: transmitting a request from an administrator of the client device to unbind the token from the client device and rebind the token to a second client device having second client device fingerprint data. 
However, in an analogous art, Willis discloses a method comprising the step of: transmitting a request from an administrator of the client device to unbind the token from the client device and rebind the token to a second client device [having second client device fingerprint data] (Willis [0031], [0036], [0041].  Once authentication has been performed between the security agent and the authentication server, the authentication server can then provide a TTL token 240. Generally, the TTL token assigned to the portable device will include various types of information. The TTL token may include information regarding what types of information may be deleted, in other words the scope that the particular TTL token is applied to. Although deactivation may be possible, generally this option is controlled by the authentication server administrator. In any case, the various factors, parameters and algorithms that can be used for determining what appropriate TTL token could be used may be stored on the authentication server. In another embodiment, the authentication server administrator can configure the various parameters for TTL tokens at a global level (e.g., assigning blanket parameters for all portable devices or for particular sets of data) or provide parameters for specific portable devices.). [Thus, the server administrator can update TTL token parameter to restrict the token to specific portable devices.]). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Willis with the teachings of Grajek and Guo to include: transmitting a request from an administrator of the client device to unbind the token from the client device and rebind the token to a second client device having second client device fingerprint data. One would have been motivated to provide users with a system that can assign or re-assign tokens to a specific set of mobile devices. (See Willis [0041].) 
 Regarding claim 15, claim 15 is directed to a client device corresponding to the method of claim 8. Claim 15 is similar in scope to claim 8 and is therefore rejected under similar rationale. 

Claims 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over as being unpatentable over Grajek et al. (“Grajek,” US 20150237049, published Aug. 20, 2015) in view of Guo et al. (“Guo,” US 20170289139, published Oct. 5, 2018) and Alonso Cebrian et al. (“Alonso Cebrain,” US 20160156598, published Jun. 2, 2016). 
Regarding claim 9, Grajek and Guo disclose the method of claim 1. Grajek further discloses the request is signed by a private key of the digital certificate (Grajek [0038]. Such additional factors may, for example, be a one-time password (OTP), a finger print, a certificate based mechanism (e.g. a cryptographic private key signature), among other additional factors.); and 
the secure data is received from the secure data service only after verification of the signature of the request (Grajek [0079], [0081]. The credentials such as username and password, or a certificate based signature, may be sent to the enterprise directory for validation . If a match is found, the authentication system counts it as a successful. The authentication system may then return an authentication token that provides single sign-onto the user device for access to the network service which may be a cloud, web, or mobile resource.). 
Alonso Cebrain further discloses a method comprising the step of: the token further comprises a secure private key (Alonso Cebrain [0095]. FIG. 7 illustrates an embodiment in which the accuracy of the extra authentication factor mechanism is increased by the usage of a public/private key to digitally sign an authentication token to show that the user 100 who is demanding an operation is in possession of the private key of a certificate, an specific computing mobile device with the private information built inside or a physical token guarding this private information (e.g. Smartcard used as citizen card).). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Sheets with the teachings of Grajek and Guo to include: wherein the token comprises a hardware token communicatively coupleable to the client device. One would have been motivated to provide users with smartcard based mobile authentication system. (See Alonso Cebrain [0095].)  
Regarding claim 16, claim 16 is directed to a client device corresponding to the method of claim 9. Claim 16 is similar in scope to claim 9 and is therefore rejected under similar rationale. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961.  The examiner can normally be reached on Monday to Friday, 9 AM - 6  PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




/EDWARD LONG/
Examiner, Art Unit 2439


/LUU T PHAM/            Supervisory Patent Examiner, Art Unit 2439