Detailed Action
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

 Priority
This application makes reference to or appears to claim subject matter disclosed in Provisional Application No. 62/995,443, filed Jan. 27, 2020. If applicant desires to claim the benefit of a prior-filed application under 35 U.S.C. 119(e), 120, 121, 365(c)  or 386(c), the instant application must contain, or be amended to contain, a specific reference to the prior-filed application in compliance with  37 CFR 1.78. If the application was filed before September 16, 2012, the specific reference must be included in the first sentence(s) of the specification following the title or in an application data sheet (ADS) in compliance with pre-AIA  37 CFR 1.76; if the application was filed on or after September 16, 2012, the specific reference must be included in an ADS in compliance with 37 CFR 1.76. For benefit claims under 35 U.S.C. 120, 121, 365(c), or 386(c), the reference must include the relationship (i.e., continuation, divisional, or continuation-in-part) of the applications.
If the instant application is a utility or plant application filed under  35 U.S.C. 111(a), the specific reference must be submitted during the pendency of the application and within the later of four months from the actual filing date of the application or sixteen months from the filing date of the prior application. If the application is a national stage application under 35 U.S.C. 371, the specific reference must be submitted during the pendency of the application and within the later of four months from the date on which the national stage commenced under 35 U.S.C. 371(b) or (f), four months from the date of the initial submission under 35 U.S.C. 371 to enter the national stage, or sixteen months from the filing date of the prior application. See 37 CFR 1.78(a)(4) for benefit claims under 35 U.S.C. 119(e) and 37 CFR 1.78(d)(3) for benefit claims under 35 U.S.C. 120, 121, 365(c), or 386(c). This time period is not extendable and a failure to submit the reference required by 35 U.S.C. 119(e) and/or 120, where applicable, within this time period is considered a waiver of any benefit of such prior application(s) under 35 U.S.C. 119(e), 120, 121, 365(c), and 386(c). A benefit claim filed after the required time period may be accepted if it is accompanied by a grantable petition to accept an unintentionally delayed benefit claim under 35 U.S.C. 119(e)  (see 37 CFR 1.78(c)) or under  35 U.S.C. 120, 121, 365(c), or 386(c) (see 37 CFR 1.78(e)). The petition must be accompanied by (1) the reference required by 35 U.S.C. 120 or 119(e) and by 37 CFR 1.78 to the prior application (unless previously submitted), (2) the petition fee under 37 CFR 1.17(m), and (3) a statement that the entire delay between the date the benefit claim was due under 37 CFR 1.78 and the date the claim was filed was unintentional. The Director may require additional information where there is a question whether the delay was unintentional. The petition should be addressed to: Mail Stop Petition, Commissioner for Patents, P.O. Box 1450, Alexandria, Virginia 22313-1450.
If the reference to the prior application was previously submitted within the time period set forth in  37 CFR 1.78  but was not included in the location in the application required by the rule (e.g., if the reference was submitted in an oath or declaration or the application transmittal letter), and the information concerning the benefit claim was recognized by the Office as shown by its inclusion on the first filing receipt, the petition under  37 CFR 1.78 and the petition fee under  37 CFR 1.17(m)  are not required. Applicant is still required to submit the reference in compliance with  37 CFR 1.78  by filing an ADS in compliance with 37 CFR 1.76 with the reference (or, if the application was filed before September 16, 2012, by filing either an amendment to the first sentence(s) of the specification or an ADS in compliance with pre-AIA  37 CFR 1.76). See MPEP § 211.02.
Examiner notes that Applicant has referenced the Provisional Application No. 62/995,443, filed Jan. 27, 2020, in first paragraph of filed specification, but Application Data Sheet (ADS) filed 1/27/2021 does not reference the provisional application.


Claim Objections
Claims 1-5 are objected to because of the following informalities:  The claims do not comprise sentences ending with a period.  Appropriate correction is required. 
See 608.01 m, “...While there is no set statutory form for claims, the present Office practice is to insist that each claim must be the object of a sentence starting with "I (or we) claim," "The invention claimed is" (or the equivalent). If, at the time of allowance, the quoted terminology is not present, it is inserted by the Office of Data Management. Each claim begins with a capital letter and ends with a period.” (Emphasis added.)


 Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-5 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as failing to define the invention in the manner required by 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
 With regard to claims 1-5, the claim(s) are narrative in form and replete with indefinite language. The structure which goes to make up the device must be clearly and positively specified. The structure must be organized and correlated in such a manner as to present a complete operative device. The claim(s) must be in one sentence form only. Note the format of the claims in the patent(s) cited.  
Note specifically claim 1, reciting, “A system capable of securely authenticating users of a web application...comprising: an authentication server configured to store ... capable of validating cryptographic signatures and communicating...; a web application running in an Internet Browser (or similarly distributed application) 10capable of communicating with an authentication server over a secure channel and a user's local mobile device over a secure channel; a user's local mobile device capable of communicating...”  The claim is directed to a system, and recites the system comprising an authentication server and a user local mobile device.  However, the claim does not specifically disclose any processing or storing elements of the recited server/device.  Moreover, the claim further recites a web application running in an internet browser or similar application, without reciting structural elements such as a device comprising processor, for performing the task of running an application in a browser.  The claim is therefore rejected as failing to define the invention in the manner required.  Dependent claims 2-5 inherit the same deficiency and are rejected for the same reason.


Claims 1-5 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
With regard to claim 1, the phrases "or similarly distributed application" render the claim indefinite because the claim includes elements not actually disclosed (those encompassed by "or similarly distributed application"), thereby rendering the scope of the claim unascertainable.  See MPEP § 2173.05(d).  Claims 2, 3 and 5 similarly recite, "or similarly distributed application" and are rejected for the same reason.  Dependent claims 2-5 inherit the same deficiency and are similarly rejected. 
 With regard to claim 1, the phrases "or similar identifier” render the claim indefinite because the claim includes elements not actually disclosed (those encompassed by "or similar identifier"), thereby rendering the scope of the claim unascertainable.  See MPEP § 2173.05(d).  Claim 2 similarly recites, “or similar identifier” and is rejected for the same reason.  Dependent claims 2-5 inherit the same deficiency and are similarly rejected.  
With regard to claim 3, the claim recites, “...the Internet Browser...displays the values of a distributed ledger or legal contract or bill of sale or other text values...”  The phrase, “or other text values”, renders the claim indefinite because the claim includes elements not actually disclosed (those encompassed by "other text values"), thereby rendering the scope of the claim unascertainable.  See MPEP § 2173.05(d).
With regard to claim 3, the claim recites, “...wherein the authentication server verifies the hash code and signature and stores the values for future use, possibly by adding additional values and "chaining" additional hash codes and signature.” (Emphasis added.)  The phrase "possibly by" renders the claim indefinite because it is unclear whether the limitation(s) following the phrase are part of the claimed invention.  See MPEP § 2173.05(d).
With regard to claim 3, the claim recites, “...wherein an application running on the mobile device calculates a hash code of the the 15values sent from the authentication server, sings the hash code with the user's private key...”  (Emphasis added.)  The repetition of the word ‘the’ in ‘the the values’, as well as the word ‘sings’ instead of ‘signs’ in ‘sings the hash code’ are unclear.  For purposes of examination, the language is interpreted as typographical errors, and is further interpreted as, “...the 15values sent from the authentication server, signs the hash code with the user's private key...”
With regard to claim 4, the claim recites, “...where as the authentication server of the sender's bank or financial institution is capable of communicating with the authentication server of the recipient's bank or financial 10institution; where as the authentication server of the sender's bank or financial institution and the authentication server of the recipient's bank or financial institution are both capable of calculating a hash code...” (Emphasis added.)  The term ‘whereas’ implies a contrast or contradiction between the words that preceded and the words to follow; however, the claim does not recite any contrast.  The claim is therefore unclear.  For purposes of examination, the term ‘where as’ is interpreted as ‘wherein’.

 
 Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2 are rejected under 35 U.S.C. 103 as being unpatentable over Oberheide (US Publication 2014/0245396) in view of Zhao (US Publication 2020/0019693) in further view of Huang (US Publication 2020/0228517).  
With regard to claim 1, Oberheide discloses A system capable of securely authenticating users of a web application (or similarly distributed application), comprising: an authentication server ([19], “...The TFA service 110 is preferably composed of at least one server system and more preferably a distributed server system, a server cluster, or any suitable web accessible service...”) configured to store user credentials in various formats and 5various levels of detail ([19], “...The TFA service 110 will preferably maintain data records for registered device IDs (or alternatively accounts, usernames, or other suitable identifiers) and the associated device(s) that should be used for two-factor authentication. The TFA service 110 may alternatively be described as a multi-factor authentication service and be used as any additionally factor or layer of authentication or authorization. The database of records for registered devices can additionally manage and store notification credentials, which are used in pushing or publishing notifications to the secondary device and/or application. The TFA service 110 preferably interfaces with at least a requesting service provider and a device running an application that can be used as the secondary factor of authentication...”), most significantly the user credential will contain the user's public key ([47], “...The TFA service can verify the origin of the authentication response. In one variation a signature could be verified through an asymmetric key verification process (e.g., verified with a RSA public key associated with the RSA private key used of sign the response from the device).”; Figure 8, step 240);
the authentication server will be capable of validating cryptographic signatures ([47]) 
and communicating with an Internet Browser (or similarly distributed application) over a secure channel and with the user's mobile device over a secure channel ([17], “...The service provider may be a web application, a mobile application, or any suitable device or application. In some exemplary implementations, the service provider will have a primary client portal and a secondary personal device portal. The primary client portal can be a web application, a desktop client application...or any suitable primary client portal that depends on user authentication. The secondary personal device portal is preferably an application on a mobile computing device such as a phone, tablet, wearable computing device or any suitable computing device. The primary client portal can be accessed by a device different from the device of the secondary personal device portal, but the primary client portal may alternatively be accessed through the same device as the device of the secondary personal device portal (e.g., accessing a web site on a mobile browser and performing a second factor of authentication through a secondary application on the phone)...”; Figure 1; secure channel disclosed in [47], “...For the purposes of communication between the device application and the TFA service, confidentiality of the network transport is preferably preserved through a secure transport protocol (e.g., HTTPS, TLS, etc.)...”); 
a web application running in an Internet Browser (or similarly distributed application) 10([17] as above) capable of communicating with an authentication server over a secure channel and a user's local mobile device over a secure channel ([47], “...For the purposes of communication between the device application and the TFA service, confidentiality of the network transport is preferably preserved through a secure transport protocol (e.g., HTTPS, TLS, etc.)...”); 
a user's local mobile device capable of communicating with an authentication server over a secure channel and with an Internet Browser (or similarly distributed application) over a secure channel ([17], “...The service provider may be a web application, a mobile application, or any suitable device or application. In some exemplary implementations, the service provider will have a primary client portal and a secondary personal device portal. The primary client portal can be a web application, a desktop client application...or any suitable primary client portal that depends on user authentication. The secondary personal device portal is preferably an application on a mobile computing device such as a phone... The primary client portal can be accessed by a device different from the device of the secondary personal device portal, but the primary client portal may alternatively be accessed through the same device as the device of the secondary personal device portal (e.g., accessing a web site on a mobile browser and performing a second factor of authentication through a secondary application on the phone)...”; [47], “...For the purposes of communication between the device application and the TFA service, confidentiality of the network transport is preferably preserved through a secure transport protocol (e.g., HTTPS, TLS, etc.)...”) ;  
generate a session UUID (or similar identifier) that is shared with the Internet Browser (or similarly distributed application) and with the user's mobile device ([49], “...The passcode generation service can exist within the device application (e.g., the device application uses an SDK that internally processes passcode generation requests), but the passcode generation service may alternatively exist external to the device application wherein the SDK is used to communicate with a secondary application or a background passcode generation service.”; Figure 11; browser disclosed in [17]), 
wherein the user's mobile device is further configured to store the user's private key, sign the session UUID (or similar identifier) received from the authentication server and return the signed value to the authentication server ([47], “...Step S240, which includes validating an application response, functions to obtain user confirmation. The application response is preferably received at the TFA service. The application response can include a cryptographic signature or be otherwise cryptographically validated as originating from the device. The TFA service can verify the origin of the authentication response. In one variation a signature could be verified through an asymmetric key verification process (e.g., verified with a RSA public key associated with the RSA private key used of sign the response from the device)...”; Figure 8, S240, where device application on user device creates the cryptographic signature, therefore storing the user private key).

Oberheide discloses generate a session UUID (or similar identifier) that is shared with the Internet Browser (or similarly distributed application) and with the user's mobile device ([49], Figure 11; [17], as discussed above), but does not specifically disclose the server generating the UUID or similar identifier.   
However, Zhao discloses wherein the authentication server is further configured to generate a session UUID (or similar identifier) that is shared with the Internet Browser (or similarly distributed application) and with the user's mobile device ([42], “...The client SVA 331 conveys the obtained mobile device 310 ID and the client 320 ID to the server SVA 351 to receive a UUID (Universally Unique Identifier) as a one-time token from the server SVA 351...”; [49], “...The client SVA 402 receives the mobile device ID and sends the mobile device ID to the server SVA 404 in order to verify the mobile device and to receive a UUID as a one time token from the server. The server SVA 404 receives the mobile device ID and as a security measure verifies that the mobile device is still valid, e.g., the server SVA 404 can check that the mobile device is still managed by the MDM system. Once the mobile device ID is verified by the server SVA 404, the server SVA 404 sends a UUID to the client SVA 402 as a one time token. The client SVA 402 sends the UUID to the mobile SVA 403 in an authentication message for verifying the user...”; Figure 4; browser disclosed in [40], “...On the client 320 side, the client SVA 331 can be a java script library (or any language implementation that can be loaded by the web application 330) that is loaded by the web application 330 and runs in the web browser on the client 320 system...”; [54]).  It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide with the modification of a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, because such a modification would allow a further check on the validity of the mobile device prior to providing the UUID, thus enhancing the security of the system (See Zhao, [42]).

Oberheide discloses the authentication system as discussed above, but does not specifically disclose communicating the web application’s domain name.  However, Huang discloses wherein the Internet Browser (or similarly distributed application) is further configured to communicate the web application's domain name (or similar identifier) to the 20user's mobile device from the application context of the Internet Browser (or similarly distributed application), not from a code run time context that can be modified by users ([72], “...Browser 530 may use an origin header in requests that are sent to local engine 535. The requests may be made to send information to browser 530 or to launch a remote resource. The origin header may indicate what caused browser 530 to initiate a request. For example, the origin header may contain a domain name of a web application that is causing browser 530 to make the request. Browser 530 may prevent the origin header from being modified. For example, the browser 530 may generate the request that contains the origin header and may prevent the origin header from being modified...”; Figure 5, and Figure 2 disclosing mobile device).  It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide as modified by a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, with the further modification of communicating web application domain names as disclosed by Huang, because such a modification would enable domain verification, therefore enhancing security of the system (See Huang, [73]).

 With regard to claim 2, Oberheide, in view of Zhao, in further view of Huang, disclose the limitations of claim 1 as discussed above.  
With regard to the Internet Browser (or similarly distributed application) is not capable of communicating with the user's local mobile device over a secure channel, Oberheide further discloses a two-device embodiment, ([17], “...In some exemplary implementations, the service provider will have a primary client portal and a secondary personal device portal. The primary client portal can be a web application, a desktop client application, gaming system or application, a vehicle computing system, an internet connected device, or any suitable primary client portal that depends on user authentication. The secondary personal device portal is preferably an application on a mobile computing device such as a phone, tablet, wearable computing device or any suitable computing device. The primary client portal can be accessed by a device different from the device of the secondary personal device portal...”; where the primary client portal is disclosed as capable of comprising a web application and the secondary device portal is interpreted as a mobile device), and  Oberheide further discloses the secondary, mobile device communicating over an exposed interface ([23], “...In one variation, an application uses the authentication API or a similar API to communicate with the mobile device. The API of the application interface 130 can be private but may alternatively be exposed.).  Zhao further discloses the Internet Browser (or similarly distributed application) is not capable of communicating with the user's local mobile device over a secure channel ([16], “...an audio stream with encoded data is sent via the speakers of the sending device and received via the microphone of the receiving device. The received audio stream is then decoded by the receiving device to extract the data from the audio transmission...”; where the audio channel is not disclosed as being secure, and the signals are interpreted as being capable of being intercepted/retransmitted by other devices within a certain proximity; see [40], “...On the client 320 side, the client SVA 331 can be a java script library (or any language implementation that can be loaded by the web application 330) that is loaded by the web application 330 and runs in the web browser on the client 320 system.”, disclosing the application running in the web browser; see Figure 3A disclosing the communicating between client device and mobile device by audio signal).
 Huang further discloses wherein the Internet Browser (or similarly distributed application) displays the web application's domain name (or similar identifier) in the address bar (or similar display) and 5this display is unalterable by the code run time context ([72], “...Browser 530 may use an origin header in requests that are sent to local engine 535. The requests may be made to send information to browser 530 or to launch a remote resource. For example, the origin header may contain a domain name of a web application that is causing browser 530 to make the request. Browser 530 may prevent the origin header from being modified. For example, the browser 530 may generate the request that contains the origin header and may prevent the origin header from being modified...”; where Figure 2 discloses device displays) see also Oberheide specifically disclosing address bar, (see Figure 3B). 
Huang further discloses wherein the authentication server communicates the web application's domain name (or similar identifier) to the user's mobile device for display and with an admonition that this value must be checked against the value displayed by the Internet browser ([105, “...Browser 530 may send the identity ticket with the launch data to local engine 535. Browser 530 may send a domain name of a web application that is running in browser 530 to local engine 535. At step 745, local engine 535 may send a request for valid domain information...”; [106], “At step 753, trust engine 510 may send a request for valid domain information to configuration engine 520. The request may contain the client ID received in step 751. At step 755, configuration engine 520 may send valid domain information to trust engine 510. The valid domain information may indicate domains that a client device associated with the client ID is allowed to access. The valid domain information may indicate domains that are trusted by a client device associated with the client ID.”; [107], “...At step 757, trust engine 510 may send the valid domain information to local engine 535. At step 759, local engine 535 may validate the domain name received from browser 530...”; where the process comprises sending a request for valid domain information, and the subsequent return of data comprising valid/trusted domains is broadly interpreted as comprising “an admonition that this value must be checked against the value displayed by the browser”).




Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Oberheide (US Publication 2014/0245396) in view of Zhao (US Publication 2020/0019693) in further view of Huang (US Publication 2020/0228517), in further view of Vanczak (US Publication 2016/0189147), in further view of Kirillin (US Publication 2013/0159195).
With regard to claim 3, Oberheide, in view of Zhao, in further view of Huang, disclose the limitations of claim 1 as discussed above, but do not specifically disclose the further limitations of the internet browser displaying ledger, contract, or sale values.  
However, Vanczak discloses 10the Internet Browser (or similarly distributed application) displays the values of a distributed ledger or legal contract or bill of sale or other text values ([73], “...In an initial state of the transaction approval step the user 10 having the mobile device 14 is logged in at the contact module 20 of the entity 16 in the browser of the terminal 12. In the present embodiment, the entity 16 is preferably a bank... The logged-in user 10 initiates a transaction (for instance, a money transfer), and fills in the transaction form. On the next page, information on the transaction to be approved is displayed by the bank, and the user confirms the transaction data in the browser of his/her computer.”; where the transaction data displayed in the browser is interpreted as both contractual data and “text values”);
wherein these values are communicated to the authentication server and relayed to the mobile device of an authenticated user ([73], [74], “...The bank then sends the network address of the authentication module in an authentication message to the mobile device 14, and the user opens the message using his/her mobile device 14... the link sent by the contact module 20 comprises the URL (https://<secondary-website>) of the authentication module 24, as well as the value of the transaction identifier belonging to the transaction...”; (Figure 1, Figure 3,  where values are communicated to the bank (entity #16) via contact module, and from there to the authentication server (authentication module of entity 16) and then a message regarding transaction is sent to the user at the mobile device #14); [78], “...the transaction data are sent back to the mobile device 14 by the authentication module 24 in the next step. In this phase the transaction has not yet been approved on the mobile device 14...”; [79], “...At this time the user may review the data of the transaction. According to an embodiment the bank requires the client, preferably via the authentication module 24, to confirm some of the transaction data by re-entering them...”; )
wherein an application running on the mobile device receives a hash code of the values generated and sent by the entity (authentication server), ([109], “...a contract signed by the entity 16 and to be signed by the user 10 utilising data requested from the user 10, is prepared; and a hash of the contract is generated... network address of the key providing module 24 is then sent to the user's 10 mobile device 14 in an authentication message by means of the contact module 20, and the encrypted hash is also sent in the authentication message.”) signs the hash code with the user's private key and communicates the hash code and signature to the authentication server ([110], “According to a further embodiment, the signature process may also be carried out by signing the hash utilising the signature key residing on the client's smart mobile device. In this case there is no need for an external key provider, while the contact module 20 of the entity 16 remains responsible for generating the document to be signed in a suitable signable format, for generating the hash, and for inserting the signed hash and closing the completed document....”; [144], “...The card issuer bank 25 may send a message in a synchronous manner to the mobile device... The transaction may be viewed, confirmed, or rejected on the mobile device only after a successful authentication. The signature key residing on the mobile device may be applied for sending a return receipt of the MQ message received from the card issuer bank...”); 
wherein the authentication server verifies the ...signature ([112], “...For each stage of the signature process, certificate-based authentication is requested by the entity from all parties.”; where the certificate authentication during the signature process is broadly interpreted as verifying the signature)
and stores the values for future use, possibly by adding additional values and "chaining" additional hash codes and signature ([107], “...The hash electronically signed by the entity 16 is archived by the key providing module as evidence.  Utilising this document, on a later occasion it may be proven by the key providing module 28 that it signed...”; [144], “...The signature key residing on the mobile device may be applied for sending a return receipt of the MQ message received from the card issuer bank. The return receipt may be archived by the issuer bank's system as a proof of the transaction...”; where the language ‘possibly by adding additional values and "chaining" additional hash codes and signature’ comprises optional language and is not afforded full patentable weight).
It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide as modified by a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, as modified to communicate web application domain names as disclosed by Huang, with the further modification of a system comprising a user device comprising an internet browser displaying values of a ledger, contract, bill of sale, or other text values, as disclosed by Vanczak, because such a system would make business processes cheaper, more secure, and more efficient (See Vanczak, [16]).
Vanczak discloses a mobile device receiving and signing a hash code of the transaction values as discussed above ([109], “...a contract signed by the entity 16 and to be signed by the user 10 utilising data requested from the user 10, is prepared; and a hash of the contract is generated... network address of the key providing module 24 is then sent to the user's 10 mobile device 14 in an authentication message by means of the contact module 20, and the encrypted hash is also sent in the authentication message.”; [110], “...the signature process may also be carried out by signing the hash utilising the signature key residing on the client's smart mobile device...”).  However, Vanczak does not specifically disclose the mobile device calculating the hash code as recited by calculates a hash code of the 15values sent from the authentication server.  
However, Kirillin discloses the mobile device calculates a hash code of the 15values sent from the authentication server ([44], “...The client device 202 includes a mobile device such as a mobile phone, a personal digital assistant, an iPod, and the like having a web browser for internet browsing or online activity over a network 212...”; [46], “...In one embodiment, the client device 202 receives the random code generated by the code generator 210, and in response generates keys with the secret key from the authentication factor component 206 and the random code from the code generator 210. One key, for example, includes a symmetrical key that is used in generation of an encrypted banking message having banking operation data related to a transaction desired by the client. Another key, for example, includes a hash function for device authorization. In response to communicating the random code from the code generator 210, the server 204 receives from the client device 202 a hash function that includes a hash code with the encrypted message, the random number and the secret key.”; [49], “...Then, once the banking server 306 receives transaction requests one or more codes are generated by a code generator 318 and the codes are communicated via the network 304 to the mobile device. Each code provides a variable to the mobile device in calculating different keys, such as a hash code function and a symmetrical key...”; [58], “...The mobile device 402 includes a cryptographic engine 414 that contains algorithms and/or devices to generate at least two keys, such as a hash code and a symmetrical key (SYMM). The cryptographic engine 414 comprises a code generator 418 and a key generator 420 to respectively generate the hash code and the symmetrical key.”; [59], “...The code generator 418 further generates a hash code function (HASH CODE) for authorization of the banking operations for the transaction requested in a transaction request from the mobile device 402...”), 
Vanczak also discloses verifies the...signature as discussed above, but does not specifically disclose verifies the hash code.  However, Kirillin discloses wherein the authentication server verifies the hash code ([46], “...The server 204 uses this data to authorize the device 202 for the transaction by calculating its own symmetrical key using its own stored values for the secret key and random code in order to decrypt the encrypted message and authorize the device for the transaction.”; [60], “...The banking server 404 with the authentication factor 412 component is configured to receive the encrypted message, the hash function... decrypts the message with values for the symmetrical key calculated at the server and upon receiving the hash function and the unique client device identifier from the mobile device 402. The banking server 404 further calculates a hash function with values stored thereat and compares the hash function calculated at the serve with the hash function communicated from the mobile device 402. Based on the comparison the banking server 404 with the authentication factor component 412, the banking server 404 authorizes and executes the transaction.”; [61], “...The authorization component 436 compares the hash code function calculated at the hash code generator and one received from a mobile device for online activity. Based on the comparison, the authorization component 436 notifies the banking server to authorize the transaction with the mobile device.”)
It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide as modified by a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, as modified to communicate web application domain names as disclosed by Huang, as modified to comprise a user device comprising an internet browser displaying values of a ledger, contract, bill of sale, or other text values, as disclosed by Vanczak, with the further modification of a mobile device calculating the hash function and an authentication server component verifying the hash code as disclosed by Kirillin, because such a technique would improve transaction, account and identity security and decrease fraud (see Kirillin, [2], [3]).


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Oberheide (US Publication 2014/0245396) in view of Zhao (US Publication 2020/0019693) in further view of Huang (US Publication 2020/0228517), in further view of Efremov, (EP 3 798 965 A1), In further view of Crofts (US Publication 2012/0290478), in further view of Bhatt (US Patent 9,990,613), in further view of Kirillin (US Publication 2013/0159195). 
With regard to claim 4, Oberheide, in view of Zhao, in further view of Huang, disclose the limitations of claim 1 as discussed above.  Oberheide further discloses the system of authenticating users of a web application as discussed above, but does not specifically disclose a transfer of funds between two different users’ mobile devices, where the users have different banks.  However, Efremov discloses the mobile device of a funds sender and the mobile device of a funds recipient both interact with an authentication server at the sender's bank or financial institution ([8], “...where each bank server 1 comprises automated bank system 5 with data base 6 storing customer profiles 7, customer accounts 8, transactions 9, postings 10, consolidated accounts of digital units of account 11, bank clearing accounts 12 and a platform for interoperating with blockchain 13, which consists of blockchain access module 14 storing public 15 and private 16 bank keys, limit module 17 and customer account control module 18, where the customer portal 3 comprises a blockchain access module 19 storing public 20 and private 21 portal keys, and each customer mobile device 4 comprises e-wallet 22 application, where private 23 and public 24 user keys are stored.”; [28], “...Account control module is designed as a firmware and it provides for account holder authentication and is responsible for business logic of account transactions...”; consequently the ‘account control module’ of the server is interpreted as ‘authentication server’; see also Figure 2, where each bank server 1 comprises the bank system 5 and the platform for interoperating with blockchain 13, which comprises customer account control module 18; furthermore, each mobile device #4 is broadly interpreted as interacting with each server by means of the customer portal 3, and the distributed ledger-blockchain 2.
20wherein the mobile device of a funds recipient can interact with an authentication server at the recipient's bank or financial institution ([8], [28] and Figure 2, mobile device 4 capable of interacting with authentication server at bank (account control module interpreted as authentication module of server 1));page 27 of 30SPECIFICATION: WebAuthn I JSON DLT - The Inlernet of Value 
wherein the sender's mobile device is capable of sending a message ... to the recipients mobile device and to the authentication server at the sender's bank or financial institution ([7], “...distributed ledger - blockchain, customer portal and k mobile devices of customers, where k =1, 2, 3, ..., M, which all elements are interconnected through telecommunication facilities...”)
where as the authentication server of the sender's bank or financial institution is capable of communicating with the authentication server of the recipient's bank or financial 10institution ([8], [28], “...Account control module is designed as a firmware and it provides for account holder authentication and is responsible for business logic of account transactions...”; consequently the ‘account control module’ of the server is interpreted as ‘authentication server’; see also Figure 2, where each bank server 1 comprises the bank system 5 and the platform for interoperating with blockchain 13, which comprises customer account control module 18; furthermore, the account control modules 18 are both in communication with the distributed ledger-blockchain, therefore allowing the authentication servers (account control modules) to indirectly communicate by means of the ledger; note ‘where as ‘ has been interpreted s ‘wherein’ as discussed under rejections under 35 USC 112b, above).
It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide as modified by a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, as modified to communicate web application domain names as disclosed by Huang, with the modification of allowing transfers between two user mobile devices associated with different banks, as disclosed by Efremov because such a system and method would increase customer base and enhance accessibility, immediacy, irrevocability , simplicity and security (see Efremov, [7]).

With regard to the language, “capable of” in the limitation wherein the sender's mobile device is capable of sending a message, Efremov discloses the devices ‘interconnected through telecommunication facilities” and therefore capable of sending messages.  However, Efremov does not specifically disclose sending such messages with financial details.  
However, Crofts discloses wherein the sender's mobile device is capable of sending a message with financial details (or a reference code that links to the financial details) to the recipients mobile device and to the ...server ([73], “...Payer enters an amount to be paid to the payee and submits the payment request. EPC 115 receives the request. EPC 115 creates a cloud transaction identifier and sends a message comprising the cloud transaction identifier to the payer. In an embodiment, the cloud transaction ID is sent via a token. The payer receives the cloud transaction ID and the payer device presents the option to share it with a payee. The payer sends the cloud transaction ID to the payee. In one embodiment, payer sends to payee via a short message service (SMS) message, an email message or a multimedia message service (MMS) message. Payer may send to payee by placing the payer device in close proximity with a payee device....”).
Crofts also discloses 5wherein the recipient's mobile device is capable of sending ... details to the message from the sender, ... and sending it to the sender's bank or financial institution ([73], “...Payee receives the cloud transaction ID and sends a payer request to EPC 115.”; where the ‘payer request’ is interpreted as sending details).
It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide as modified by a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, as modified to communicate web application domain names as disclosed by Huang, as modified to allow transfers between two user mobile devices associated with different banks, as disclosed by Efremov, with the further  modification of users sending messages comprising financial details, as disclosed by Crofts, because such a method would enable user oversight of transaction amounts and details, and therefore reduce risks associated with fraudulent transfers (See Crofts, [73]).
Crofts discloses 5 wherein the recipient's mobile device is capable of sending a message,  as discussed above, but does not specifically disclose wherein the recipient's mobile device is capable of appending financial details to the message from the sender, ... and sending it to the sender's bank or financial institution.  However, Bhatt discloses wherein the recipient's mobile device is capable of appending financial details to the message from the sender, ... and sending it to the sender's bank or financial institution (Col. 14, lines 26-40, “...in some embodiments, the notification is sent using the submitted identifier. For example, if the identifier is an email address, the notification is sent as an email message to the bill payee. In another example, if the identifier is a phone number, the notification is sent as a text message to the bill payee. The notification can include a message to prompt the bill payee to accept the bill payment from the bill payer by submitting payment card information. In some embodiments, the message includes a link that redirects the bill payee to a landing page (e.g., a website portal) that enables the bill payee to submit the payment card information. In some embodiments, the message simply prompts the bill payee to submit the payment card information by replying to the message (e.g., by replying to a text message or an email message)...”; where the reply to a text message or email message creates a linked or chained message and is interpreted as an ‘appending’ financial details; mobile device disclosed Col. 6, lines 44-47). 
It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide as modified by a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, as modified to communicate web application domain names as disclosed by Huang, as modified to allow transfers between two user mobile devices associated with different banks, as disclosed by Efremov, as modified to accommodate users sending messages comprising financial details, as disclosed by Crofts, with the further modification of the capability to append financial details to a message, as disclosed by Bhatt, because such a modification would allow the system and method to service payees who were not pre-existing customers of the payer’s banking institution, therefore increasing customer satisfaction and expanding customer base (see Bhatt, Col. 3 lines 1-15, disclosing ways to identify payee from database related to prior transfers; see also Col. 14. Lines 22-40, disclosing ways to prompt payee to enter financial payee information when the PSS is unable to identify a payment card based on submitted identifier). 

Crofts discloses both 5the sender’s and  recipient's mobile devices are capable of sending financial details in messages, as discussed above, Efremov discloses the authentication servers, as discussed above, and Bhatt discloses the appended/combined message as discussed above, but none of these references specifically discloses calculating and signing a hash of the message, or the servers verifying.  
However, Kirillin discloses a mobile device hashing and signing, as recited: a hash code of the financial details is calculated and signed with the sender's private key, and calculating a hash code of the combined message, signing the hash code and sending it to the sender's bank or financial institution ([44], “...The client device 202 includes a mobile device such as a mobile phone, a personal digital assistant, an iPod, and the like having a web browser for internet browsing or online activity over a network 212...”; [46], “...In one embodiment, the client device 202 receives the random code generated by the code generator 210, and in response generates keys with the secret key from the authentication factor component 206 and the random code from the code generator 210. One key, for example, includes a symmetrical key that is used in generation of an encrypted banking message having banking operation data related to a transaction desired by the client. Another key, for example, includes a hash function for device authorization. In response to communicating the random code from the code generator 210, the server 204 receives from the client device 202 a hash function that includes a hash code with the encrypted message, the random number and the secret key.”; [49], “...Then, once the banking server 306 receives transaction requests one or more codes are generated by a code generator 318 and the codes are communicated via the network 304 to the mobile device. Each code provides a variable to the mobile device in calculating different keys, such as a hash code function and a symmetrical key...”; [58], “...The mobile device 402 includes a cryptographic engine 414 that contains algorithms and/or devices to generate at least two keys, such as a hash code and a symmetrical key (SYMM). The cryptographic engine 414 comprises a code generator 418 and a key generator 420 to respectively generate the hash code and the symmetrical key.”; [59], “...The code generator 418 further generates a hash code function (HASH CODE) for authorization of the banking operations for the transaction requested in a transaction request from the mobile device 402...”), 
Efremov also discloses the authentication server of the recipient's bank or financial institution as discussed above, but does not specifically disclose the server as being capable of hashing code and verifying signatures.  However, Kirillin discloses server capable of calculating a hash code of the messages and verifying the signatures from the sender's mobile device and the recipient's mobile device and determining that the transfer is valid ([46], “...The server 204 uses this data to authorize the device 202 for the transaction by calculating its own symmetrical key using its own stored values for the secret key and random code in order to decrypt the encrypted message and authorize the device for the transaction.”; [60], “...The banking server 404 with the authentication factor 412 component is configured to receive the encrypted message, the hash function... decrypts the message with values for the symmetrical key calculated at the server and upon receiving the hash function and the unique client device identifier from the mobile device 402. The banking server 404 further calculates a hash function with values stored thereat and compares the hash function calculated at the serve with the hash function communicated from the mobile device 402. Based on the comparison the banking server 404 with the authentication factor component 412, the banking server 404 authorizes and executes the transaction.”; [61], “...The authorization component 436 compares the hash code function calculated at the hash code generator and one received from a mobile device for online activity. Based on the comparison, the authorization component 436 notifies the banking server to authorize the transaction with the mobile device.”; where the calculations/comparisons of hashes are interpreted as further accomplishing signature verification.  However, in the interest of compact prosecution, it is further noted that Oberheide more specifically discloses verifying the signatures ([47], “...The TFA service can verify the origin of the authentication response. In one variation a signature could be verified through an asymmetric key verification process (e.g., verified with a RSA public key associated with the RSA private key used of sign the response from the device).”).
It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide as modified by a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, as modified to communicate web application domain names as disclosed by Huang, as modified to allow transfers between two user mobile devices associated with different banks, as disclosed by Efremov, as modified to accommodate users sending messages comprising financial details, as disclosed by Crofts, as modified by the capability to append financial details to a message, as disclosed by Bhatt, with the further modification of a mobile device calculating the hash function and an authentication server component verifying the hash code as disclosed by Kirillin, because such a technique would improve transaction, account and identity security and decrease fraud (see Kirillin, [2], [3]).


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Oberheide (US Publication 2014/0245396) in view of Zhao (US Publication 2020/0019693) in further view of Huang (US Publication 2020/0228517), in further view of “Passwords and hacking” (“Passwords and hacking: the jargon of hashing, salting and SHA-2 explained”, downloaded from https://www.theguardian.com/technology/2016/dec/15/passwords-hacking-hashing-salting-sha-2 , dated 15 Dec 2016, attached as PDF file).
With regard to claim 5, Oberheide, in view of Zhao, in further view of Huang, disclose the limitations of claim 1 as discussed above.  Oberheide further discloses the system of authenticating users of a web application as discussed above; however, Oberheide does not specifically disclose use of passwords combined with UUID salt and hashed for authentication, as recited by claim 5. 
Zhao discloses where in an application running in the Internet Browser (or similarly distributed application) is able to store a value (e.g., a UUID Salt) ([42], “...The client SVA 331 conveys the obtained mobile device 310 ID and the client 320 ID to the server SVA 351 to receive a UUID (Universally Unique Identifier) as a one-time token from the server SVA 351...”; [49], “...The client SVA 402 receives the mobile device ID and sends the mobile device ID to the server SVA 404 in order to verify the mobile device and to receive a UUID as a one time token from the server. The server SVA 404 receives the mobile device ID and as a security measure verifies that the mobile device is still valid, e.g., the server SVA 404 can check that the mobile device is still managed by the MDM system. Once the mobile device ID is verified by the server SVA 404, the server SVA 404 sends a UUID to the client SVA 402 as a one time token. The client SVA 402 sends the UUID to the mobile SVA 403 in an authentication message for verifying the user...”; Figure 4; browser disclosed in [40], “...On the client 320 side, the client SVA 331 can be a java script library (or any language implementation that can be loaded by the web application 330) that is loaded by the web application 330 and runs in the web browser on the client 320 system...”; [54]).  
 However, Zhao does not specifically disclose the UUID as a salt, combined with a password.  
However, “Passwords and hacking” discloses once the user is securely authenticated the user is able to perform future authentications with simple user names and passwords (page 2, lines 8-12, “...A user’s password is taken and...hash value is derived...To verify a user’s password is correct it is hashed and the value compared with that stored on record each time they login...”; where the password recorded to check against is broadly interpreted as disclosing the user had been authenticated, i.e., ‘once the user is securely authenticated’); 
store a value (e.g., a UUID Salt) and combine this value with the simple 20password in a one way cryptographic hash algorithm that guarantees a unique and repeatable result (page 2, lines 16-19, “Salting: Passwords are often described as “hashed and salted”. Salting is simply the addition of a unique, random string of characters known only to the site to each password before it is hashed, typically this “salt” is placed in front of each password...,” where the addition of the unique random string discloses storage, if only temporary, by the system element; with regard to the hash algorithm guaranteeing unique and repeatable results, “Passwords and hacking” discloses such algorithms, page 4, entire page, and page 5 lines 1-18); 
wherein the result of the cryptographic hash algorithm is sent to the authentication server, hashed again, and stored on the server as a hashed value (page 2, lines 8-12, “...To verify a user’s password is correct it is hashed and the value compared with that stored on record each time they login....”, indicated the result being hashed and stored; Page 2 lines 29-30, “...Both hashing and salting can be repeated more than once to increase the difficulty in breaking the security.”, disclosing hashing again to increase security; where Oberheide discloses the authentication server as discussed above; see at least Oberheide, [19]); page 28 of 30 SPECIFICATION: WebAuthn IJSON DLT The Inlernel of Value 
wherein, when the user performs future authentications, the hash value sent to the authentication server is hashed again and this value is compared to the stored value and if they match, the user is authenticated (page 2, lines 8-12, “...To verify a user’s password is correct it is hashed and the value compared with that stored on record each time they login....”).
It would have been obvious to one of ordinary skill in the art at the time the claimed invention was effectively filed to have combined the authenticating system of Oberheide as modified by a UUID or similar identifier being generated and shared by the server as disclosed by Zhao, as modified to communicate web application domain names as disclosed by Huang, with the further modifications of salting the password prior to hashing and employing double-hashing techniques as disclosed by “Passwords and hacking”, because such modifications would have increased security (see “Passwords and hacking”, page 2, lines 13-15, “...You cannot directly turn a hashed value into the password, but you can work out what the password is if you continually generate hashes from passwords until you find one that matches, a so-called brute-force attack, or similar methods...,”; page 2 lines 23-30, “...The use of unique salts means that common passwords shared by multiple users – such as “123456” or “password” – aren’t immediately revealed when one such hashed password is identified – because despite the passwords being the same the salted and hashed values are not. Large salts also protect against certain methods of attack on hashes, including rainbow tables or logs of hashed passwords previously broken. Both hashing and salting can be repeated more than once to increase the difficulty in breaking the security...”).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Kuo (US 2015/0178729) 
Baentsch (US Publication 2009/0254485)
Butler (US Publication 2020/0084047)
Casares (US Publication 2008/0313047)
Wallaja (US Publication 2015/0213542)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Margaret Neubig whose telephone number is (571)270-0437. The examiner can normally be reached Monday-Friday, 9:30-6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 571-270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.M.N. /Examiner, Art Unit 3685                                                                                                                                                                                                        
/JAMES D NIGH/Senior Examiner, Art Unit 3685