DETAILED ACTION

Status of Claims

Claims 1-20 are currently pending and have been examined in this application.  This FINAL communication is in response to the amendment submitted on 6/9/22. 
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments


Applicant's arguments filed regarding 101 have been fully considered but they are not persuasive. 

Issue #1
Applicant: Steps 2A-Prong 1: Applicant vigorously disagrees that the instant claims fall within a judicial exception to patent-eligible subject matter. In the Response to Arguments, the Office Action characterizes the claims, under their alleged broadest reasonable interpretation, as "still directed to a Certain method of organizing human activity (fundamental economic practice or commercial or legal interaction) of authenticating a transaction option with a code." Office Action at page 4. The Office Action's support of this allegation is merely:  If a claim limitation, under its broadest reasonable interpretation (BRI), covers performance of the limitation as a certain method of a fundamental economic practice or commercial or legal interaction, then it falls within the "Certain Methods of Organizing Human Activity" grouping of abstract ideas. Office Action at page 9. The Office Action merely states the allegation as fact without sufficient support. The Office Action does not narrow the alleged characterization to either of a "fundamental economic practice" or a "commercial or legal interaction." No reasoning is provided as to why the claims are alleged as falling into either category. Applicant notes that the MPEP (2106.04(a)(2) II A) lists several examples of "fundamental economic principles or practices" that include: settlement risks, wagering games, financial instruments, price optimization, local payment processing, marking on physical mail objects, and placing market orders. Applicant does not understand how use of multifactor authentication that is used to protect user and server information aligns with the MPEP examples. Furthermore, the MPEP (2106.04(a)(2) II B) lists several examples of "commercial or legal interactions" that include: performance guarantees, managing a value of a life insurance policy, processing insurance claims, hedging, mitigating settlement risk, arbitration, and so forth.
Again, Applicant does not understand how use of multifactor authentication that is used to protect user and server information aligns with the MPEP examples.  The Office Action (on page 6) appears to acknowledge that the claims are directed to multifactor authentication as part of computer security. Computer security plays a vital role in enabling a vast array of online activities. Categorizing an aspect of computer security as a "fundamental economic practice" or a "commercial or legal interaction" would impermissibly result in the abstract idea exception swallowing the rule, contrary to the Supreme Court's Alice decision. As stated in the MPEP, 2106.04(a)(2) II, "this grouping is limited to activity that falls within the enumerated sub-groupings of fundamental economic principles or practices, commercial or legal interactions, and managing personal behavior and relationships or interactions between people, and is not to be expanded beyond these enumerated sub-groupings except in rare circumstances as explained in MPEP § 2106.04(a)(3)." Applicant maintains that the recited claims are not properly categorized to any of the enumerated sub-groupings. Applicant submits that the Office Action does not define precisely what abstract idea the claims are allegedly directed to. In contrast, the Supreme Court was quite clear on this point in Alice Corp. v. CLS Bank Int'l, 573 U.S. 208, 219 (2014) (crisply stating that the claims were directed to the abstract idea of "intermediated settlement, i.e., the use of a third party to mitigate settlement risk."). Accordingly, Applicant requests similar precision here. 

Examiner: The claims are still directed to a Certain method of organizing human activity (fundamental economic practice or commercial or legal interaction) of authenticating a transaction option with a code.  The abstract idea is directed to at least a fundamental economic practice via the mitigation of risk by preventing a transaction from being completed by a fraudster.  Multi-factor authentication has been stripped from the abstract idea in Step 2A-Prong 1 and is considered in Prong 2.  The abstract idea of authenticating a transaction using codes is still present.    



Issue #2
Applicant:  Step 2A prong 2 - even if claims 1, 9, and 15 were to be found as judicial exceptions in prong 1 (which Applicant does not concede), Applicant submits that the claims are integrated into a practical application as applied to prong 2…. In the Response to Arguments, the Office Action asserts that "The claim indicates that only one trap code may be used, and from the generated codes, the ordering of said codes changes between transactions. This means, there could be two codes generated, one of which is a trap code. A hacker could decipher between these two codes/indications which are merely flip-flopped/reordered between each transaction - which does not result in a meaningful improvement to security." Office Action at page 6. The Office Action interprets a single, very-narrow case (only two codes, one valid and one trap) and assumes that "an order in which the plurality of authentication codes and the respective indications are presented varies between secure transactions" implies that the order is varied between each and every transaction, which is not recited by the claims. Rather, as known in the art of cyber-security, repeating patterns are generally avoided while randomized tasks are viewed as increasing security. Claim 1 has been amended to clarify that a plurality of valid codes and at least one trap code are included. Accordingly, amended claim 1 is not limited to repetition of a single pattern when varying an order of displayed codes.


Examiner:  Applicant has advanced the discussion with the latest amendments; however, the claims still do not go beyond generally linking to a particular technological environment relying on multi-factor authentication.  The applicant is indicating that non-repeating patterns help to increase security, but what is the significance here?  One aspect the specification discusses in 0042 is “Varying the order in which the codes are displayed may provide an increase in protection against spyware, such as keystroke recorders and touch sensor recorders, that may be, unknowingly to the user, executing on client computer system 130”; however, such technical components (keystroke recorders/touch sensor recorders) have not yet been mentioned in the claim.  Also, if emphasis is being placed on the “randomized” tasks, where is this term of “randomize” emphasized in the claim language? As mentioned before, Examiner suggests narrowing the claim language to incorporate the encoding elements of Claim 5 (& intervening claim 4) which Examiner has previously cited.  Applicant is welcome to reach out to the Examiner to further discuss.  The rejection is maintained.




Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
The claims are either directed to a system or method, which is one of the statutory categories of invention.  (Step 1: YES).
The Examiner has identified method Claim 1 as the claim that represents the claimed invention for analysis and is similar to system Claims 9 & 15.  Claim 1 recites the limitations of (additional elements emphasized in bold and are considered to be parsed from the remaining abstract idea): 



in response to a request from a user to complete a secure transaction, initiating a multi-factor authentication procedure to verify an identity of the user;

in response to successfully verifying, by comparing submitted user credentials to recorded user credentials stored in a memory circuit as a first step of the multi-factor authentication procedure, the identity of the user, determining, by a computer system, that a plurality of transaction options is available for completing the secure transaction;

generating, by the computer system as a part of the multi-factor authentication procedure, a plurality of authentication codes, each authentication code of the plurality corresponding to a respective one of the plurality of transaction options, wherein each authentication code is usable one time;

adding, to the plurality of authentication codes, at least one trap authentication code with a corresponding unavailable transaction option;

sending, by the computer system to a computing device associated with the user, the plurality of authentication codes and respective indications of the corresponding transaction options, wherein the sending causes an order in which the plurality of authentication codes and the respective indications are presented on a screen of the computing device to vary between secure transactions;

receiving, by the computer system as a second step of the multi-factor authentication procedure, an entry indication of a particular authentication code from the user; and

processing, in response to receiving the particular authentication code, the secure transaction using the corresponding transaction option based on the particular authentication code, wherein, in response to determining that the particular authentication code is a trap authentication code, the processing includes denying the secure transaction.





which is a process that, under its broadest reasonable interpretation, covers performance of the limitation(s) as a Certain method of organizing human activity (fundamental economic practice) of authenticating a transaction option with a code.  

If a claim limitation, under its broadest reasonable interpretation (BRI), covers performance of the limitation as a certain method of a fundamental economic practice, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.  


Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims are abstract)
This judicial exception is not integrated into a practical application. Limitations that are not indicative of integration into a practical application include:  (1) Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea (MPEP 2106.05.f), (2) Adding insignificant extra-solution activity to the judicial exception (MPEP 2106.05.g), (3) Generally linking the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05.h).  The computer system, computing device, multi-factor authentication, trap authentication code, and memory circuit in Claim 1 are just using generic computer components (as well as the non-transitory CRM, computer system and multi-factor authentication of Claim 9 and memory, processor, device, device screen, computer system and multi-factor authentication of Claim 15).  The computer hardware is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than generally linking the use of the judicial exception to a particular technological environment or field of use.  Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore claims 1, 9 & 15 are directed to an abstract idea without a practical application.  (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and as an ordered combination, they do not add significantly more (also known as an “inventive concept”) to the exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using computer hardware amounts to no more than generally linking the use of the judicial exception to a particular technological environment or field of use.  Generally linking the use of the judicial exception to a particular technological environment or field of use with the use of generic computer components cannot provide an inventive concept - rendering the claim patent ineligible. Thus claims 1, 9 & 15 are not patent eligible. (Step 2B: NO. The claims do not provide significantly more)
The dependent claims further define the abstract idea that is present in their respective independent claims and hence are abstract for at least the reasons presented above.  The dependent claims do not include any additional elements (including Claims 5 & 11 – hashing algorithm – which is a computer tool used to implement the abstract idea) that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination.  Therefore, the dependent claims are directed to an abstract idea.  Thus, the aforementioned claims are not patent-eligible.
 
	
Conclusion
The prior art made of record, and not relied upon, considered pertinent to applicant's disclosure or directed to the state of art is listed on the enclosed PTO-892.
The following is a brief description for relevant prior art that was cited but not applied:	

Hockey (US 20200106764) provides a system for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials.

Weiss (US 8234220) provides a method to allow a user to select any one of a plurality of accounts associated with the user to employ in a financial transaction.

Alves (US 20200265423) provides an offline end-user token generator and method relating to secure input into an online platform using the tokens.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULMAJEED AZIZ whose telephone number is (571)270-5046. The examiner can normally be reached M-F 7-4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon can be reached on 571-270-3602. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABDULMAJEED AZIZ/Primary Examiner, Art Unit 3695