DETAILED ACTION
Acknowledgements
This office action is in response to the claims filed 08/18/2022.
Claims 10-20 are withdrawn.
Claims 1-9 are pending.
Claims 1-9 have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Restriction/Election Acknowledgement 
Applicant's election with traverse of Claims 1-9 in the reply filed on 08/18/2022 is acknowledged.  The traversal is on the grounds that there would not be a burden on Examiner with regard to searching the claims as identified. Applicant further posits that the office action “has not provided any support for the election or restrictions”.  
This is not found persuasive because the claims of Groups I and II are drawn to inventions which are distinct enough in scope that, even if Examiner were to include roughly similar classes and subclasses in the search process, there would still be an appreciable difference in the spheres of art searched.  The office action provides support for the restrictions. As explained in the office action,  Group I is drawn to arrangements for generation of secret information, as further pointed out in paragraph three of the office action, the first group recites the generation of cryptograms from two separate entities, first the financial institution and then the electronic device. Group II is drawn to access security as described in paragraph three of the office action, access requests to an application on multiple devices as recited by claims 10-20. These disclosures, while dealing broadly with similar technologies (for example, mobile technology and card data), seek to solve different problems in different industries, each of which has its own sphere of prior art. It would be a burden upon Examiner, and an inefficient use of the Office’s resources, to search these distinct spheres of prior art. Claims 10-20 are withdrawn.
The requirement is still deemed proper and is therefore made FINAL.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-9 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 

Subject Matter Eligibility Standard
When considering subject matter eligibility under 35 U.S.C. § 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (101 Analysis: Step 1). Even if the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea) (101 Analysis: Step 2a(Prong 1), and if so, Identify whether there are any additional elements recited in the claim beyond the judicial exception(s), and evaluate those additional elements to determine whether they integrate the exception into a practical application of the exception. (101 Analysis: Step 2a (Prong 2). If additional elements does not integrate the exception into a practical application of the exception, claim still requires an evaluation of whether the claim recites additional elements that amount to an inventive concept (aka “significantly more”) than the recited judicial exception. If the claim as a whole amounts to significantly more than the exception itself (there is an inventive concept in the claim), the claim is eligible. If the claim as a whole does not amount to significantly more (there is no inventive concept in the claim), the claim is ineligible. (101 Analysis: Step 2b). 
The 2019 PEG explains that the abstract idea exception includes the following groupings of subject matter: a) Mathematical concepts b) Certain methods of organizing human activity and c) Mental processes
Analysis
In the instant case, claims 1 and 6 are directed to a method.

101 Analysis: Step 2a (Prong 1) – Identifying an Abstract Idea
The claim 1 recites the steps of “receiving… data… authenticating the user … generating and sending a response cryptogram … and returning a cardholder account ….” Claim 6 recites “receiving card data… generating an authorization cryptogram… prompting the user… receiving the challenge response… communicating the card data… receiving, from the financial institution backend, a response cryptogram…  generating a public/private key pair…  persisting the public/private key pair in secure storage.” The claim recites an abstract idea that is directed towards mathematical functions and mental processes, in this case, the information is sent and received for authentication and in the process keys and cryptograms are generated.

101 Analysis: Step 2a (Prong 2) – Identifying a Practical Application
 The claim does currently recite additional elements but those elements do not integrate the judicial exception into a practical application. The limitations recite “generation…cryptogram” and “generating…public/private key pair”. According to the disclosure (¶ 48, 55), “In step 210, a unique cryptogram may be dynamically generated within the mobile NFC device when it is interacting with EMV chip inside the contactless NFC card. In one embodiment the cryptogram may be an authorization request cryptogram (ARQC)…. the mobile electronic device may create a public/private key pair for mobile electronic device.” 
One of ordinary skill in the art knows there are cryptograms that  can be created with and are solvable by the mind and without using a computing device. Secondly key pairs are mathematically produced. The disclosure mentions generating a unique cryptogram and key pairs but it is unclear the algorithm used to generate the cryptogram. The use of a computing device would be automating a mental process or calculating a mathematical function which would utilize functions of a generic computer component. 
It is also important to point out the use of the word “persist” simply means to store, another function of a generic computing device, as shown in the disclosure (¶ 56), “the backend may instruct the device to securely generate and store an authentication credential, such as a cryptographic authentication credential, on the mobile electronic device's secure storage.”
Therefore, based on case law precedent, the claims are claiming subject matter similar to concepts already identified by the courts as dealing with abstract ideas. See Alice Corp. Pty. Ltd., 134 S.Ct. at 2356 (citing Bilski v. Kappos, 561, U.S. 593, 611 (2010)). Mere instructions to apply the exception using generic computer components and limitations to a particular field of use or technological environment do not amount to practical applications.

101 Analysis - Step 2b
Viewed as a whole, instructions/method claims recite the concept of a mental or a mathematical process as performed by a generic computer. The method claims do not, for example, purport to improve the functioning of the computer itself. Nor do they effect an improvement in any other technology or technical field. Instead, the claims at issue amount to nothing significantly more than an instruction to apply the abstract idea using some unspecified, generic computer.  See Alice Corp. Pty. Ltd., 134 S.Ct. at 2360. 
Dependent claims 2 and 7 describe attributes of a transaction card, claims 3, 5 and 8 describe information related to the received information, claims 4 and 9 describe the receipt of information.
Mere instructions to apply the exception using a generic computer component and limitations to a particular field of use or technological environment cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)). Therefore, the claim is not patent eligible.
Conclusion
The claim as a whole, does not amount to significantly more than the abstract idea itself. This is because the claim does not affect an improvement to another technology or technical filed; the claim does not amount to an improvement to the functioning of a computer system itself; and the claim does not move beyond a general link of the use of an abstract idea to a particular technological environment. 
Accordingly, the Examiner concludes that there are no meaningful limitations in the claim that transform the judicial exception into a patent eligible application such that the claim amounts to significantly more than the judicial exception itself. 
Dependent claims do not resolve the deficiency of independent claims and accordingly stand rejected under 35 USC 101 based on the same rationale.
Dependent claims 2-5, and 7-9 are also rejected. 


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 3, and 6-9 are  rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claims 3 and 8 recite the limitation "the challenge".  Claim 6 recites “the electronic device”, and “the cardholder account”. There is insufficient antecedent basis for this limitation in the claim. Dependent claims 7-9 are also rejected.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-9 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (CA 2796615) (“Singh“), and in view of Bhattacharya (US20200382328) (“Bhattacharya”) .
Regarding claim 1, Singh discloses receiving, from an electronic device associated with a user, card data for a contactless card, an authorization cryptogram, and a challenge response(¶ 3, 22); 
Singh- This card cryptogram along with the Sequence Counter, the card challenge, the Secure Channel Protocol identifier, and other data is transmitted back to the off-card entity.  (¶ 22)
 
authenticating the user based on the authorization cryptogram, the card data, and the challenge response(¶ 22); 
Singh- As the off-card entity should now have all the same information that the card used to generate the card cryptogram, it should be able to generate the same session keys and the same card cryptogram and by performing a comparison, it is able to authenticate the card.  (¶ )

generating and sending a response cryptogram to the electronic device(¶ 22); 
Singh- As the off-card entity should now have all the same information that the card used to generate the card cryptogram, it should be able to generate the same session keys and the same card cryptogram and by performing a comparison, it is able to authenticate the card…  The off-card entity now uses a similar process to create a second cryptographic value (host cryptogram) to be passed back to the card   (¶ 22)

returning a cardholder account to the electronic device; wherein the electronic device generates session keys for the electronic device, an online service, and the cardholder account; and wherein the electronic device persists the session keys in secure storage thereon (¶ 19); 
Singh-  These commands may involve the installation or deletion of content and applications or applets 41 on the secure element 32 (e.g., payment account applets, security or physical access applets, transportation access applets (e.g., subway cards, etc.)). (¶ 19)

Singh does not disclose a public/private key pair.
Bhattacharya teaches a public/private key pair (¶ 42, 71, 113, 143); 
Bhattacharya-  the keystore 133 generates and/or obtains a set of encryption and/or decryption keys. The keys can include an RSA key pair (e.g., a private key and a public key associated with the keystore 133) (¶ 71)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Singh(¶ 3) which teaches “Some mobile devices incorporate contactless card technology and/or near field communication (NFC) chips. NFC technology is commonly used for contactless short-range communications based on radio frequency identification (RFID) standards” and Bhattacharya(¶ 118) which teaches  “ensure that cloud-based payment transactions are processed according to the rules specified in the service profile for an account portfolio, CBP 1080 performs various core functions during the lifetime of an account that has been enabled. These functions can include provisioning, active account management, verification for payment” in order to protect sensitive data from theft and misuse (Bhattacharya; ¶ 2-5).
Regarding claims 2 and 7, Singh discloses wherein the contactless card is a NFC-enabled card (¶ 10, 15, 16, 17).  
Regarding claims 3 and 8, Bhattacharya teaches wherein the challenge comprises a PIN (¶ 131, 143).  
Regarding claims 4 and 9, Bhattacharya teaches wherein the electronic device communicates the public key to the online service, and the online service stores the public key (¶ 42, 71, 74, 82, 83, 87).  
Regarding claim 5, Singh discloses wherein the authorization cryptogram comprises an authorization request cryptogram, and the response cryptogram comprises an authorization response cryptogram (¶ 22).
Regarding claim 6, Singh discloses in a mobile electronic device associated with a user comprising at least one computer processor: receiving card data for a contactless card(¶ 3, 16); 
Singh-sometimes referred to as a mobile or electronic wallet (e-wallet) configuration, allowing a mobile communication device 30 (also referred to as a "mobile device" herein) to be used similar to a credit card or security card that would ordinarily be carried in a wallet. For example, this may be done by provisioning a secure element (SE) 32 on a memory 33 of the mobile device 30 via a provisioning server 34 (which may be provided by a trusted service manager (TSM)) with secure data, including one or more secure applets 41 (Blocks 50-51). The memory 33 may comprise a Subscriber Identity Module (SIM) card, a removable memory (e.g., a secure digital (SD) card), a designated or embedded memory associated with the NFC circuitry (e.g., within an NFC chip set), (¶ 16)

generating an authorization cryptogram for the card data (¶ 22); 
Singh-The card, using its internal Sequence Counter and static keys, creates new secret session keys and generates a first cryptographic value (card cryptogram) using one of its newly created session keys  (¶ 22)

prompting the user for a challenge response(¶ 22); 
Singh- A challenge/response mechanism may take place at the beginning of the secure channel establishment to prove that both sides are able to calculate the correct session key, given the sequence counter… the card, on receipt of this challenge, generates its own "card" challenge (again random data unique to this session). (¶ 22)

communicating the card data, the authorization cryptogram, and the challenge response to a financial institution backend(¶ 22); 
Singh- This card cryptogram along with the Sequence Counter, the card challenge, the Secure Channel Protocol identifier, and other data is transmitted back to the off-card entity. (¶ )

receiving, from the financial institution backend, a response cryptogram (¶ 22)
Singh- As the off-card entity should now have all the same information that the card used to generate the card cryptogram, it should be able to generate the same session keys and the same card cryptogram and by performing a comparison, it is able to authenticate the card…  The off-card entity now uses a similar process to create a second cryptographic value (host cryptogram) to be passed back to the card   (¶ 22)

generating a session keys for the electronic device, an online service, and the cardholder account; and persisting the session keys in secure storage(¶ 22); 
Singh- The card, using its internal Sequence Counter and static keys, creates new secret session keys and generates a first cryptographic value (card cryptogram) using one of its newly created session keys (see Appendix E.4.1 – DES Session Keys). (¶ 22)

Singh does not disclose receiving the challenge response from the user and a public/private key pair; 

Bhattacharya teaches receiving the challenge response from the user(¶ 77, 119, 120, 131, 143) and a public/private key pair (¶ 42, 71, 113, 143); 
Bhattacharya- Once an account is provisioned, active account management can be performed by CBP 1080. Active account management can be initiated either from transaction processing activity or from mobile application activity. After the account has been provisioned, …  the application 122 can first perform a user authentication procedure, such as obtaining and verifying a password, PIN, biometric data, etc…   the keystore 133 generates and/or obtains a set of encryption and/or decryption keys. The keys can include an RSA key pair (e.g., a private key and a public key associated with the keystore 133) (¶ 71, 120, 143)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Singh(¶ 3) which teaches “Some mobile devices incorporate contactless card technology and/or near field communication (NFC) chips. NFC technology is commonly used for contactless short-range communications based on radio frequency identification (RFID) standards” and Bhattacharya(¶ 118) which teaches  “ensure that cloud-based payment transactions are processed according to the rules specified in the service profile for an account portfolio, CBP 1080 performs various core functions during the lifetime of an account that has been enabled. These functions can include provisioning, active account management, verification for payment” in order to protect sensitive data from theft and misuse (Bhattacharya; ¶ 2-5).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Makhotin et al., (US 2015008856) teaches the mobile device generating a cryptogram, the public/private keys, and an entered PIN. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ILSE I IMMANUEL whose telephone number is (469)295-9094.  The examiner can normally be reached on Monday-Friday 9:00 am to 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEHA PATEL can be reached on 571-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ILSE I IMMANUEL/Primary Examiner, Art Unit 3685