Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's response with amendments filed 06/01/2022 have been received and entered. Applicant has amended claims 1, 6, 11, 13, 21, and 23. Amended claims have been examined on the merits.
Applicant’s arguments, see Applicant Arguments pages 8-10, with respect to the rejection(s) of the independent claim(s) 1 (and 6) under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Narendra et al. (US 20160197727), hereinafter Narendra.
	 The rest of applicant’s arguments are moot in view of new grounds of rejection set forth above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 5, 6, and 9-11 are rejected under 35 U.S.C. 103 as being unpatentable over Vltavsky et al. (US 10122719), hereinafter Vltavsky in view of Narendra et al. (US 20160197727), hereinafter Narendra.
	Regarding Claim 1, Vltavsky teaches
	A method comprising: transmitting, by a first user device, an interaction request to a remote computer via a long range communication channel (Col. 2, lines 26-39, FIG. 1 is a diagram illustrating an operating environment 100, according to an embodiment. A user 102 may use a smartphone 104 to access an online service 106. The online service 106 may provide any type of service involving sensitive information, such as a banking service, an investment service, a tax service, an estate planning service, a human resources service, a social media platform, an online store, or the like. To connect to the online service 106, the user 102 may execute an application (“app”) to connect to the online service 106 via a network 108. The user 102 may enter a username and password to access the online service 106. The username and password constitutes a first factor of authentication. In addition to the first factor, the user 102 may provide additional factors);
	receiving, by the first user device, an authentication response message comprising a response value from the second user device via the short range communication channel (Col. 6, lines 10-19, In response to the request, the second device 304 collects and returns authentication tokens. The authentication tokens to be collected may be pre-configured, for example using the process described in FIG. 2. The second device 304 may prompt a user for biometric authentication input, knowledge-based authentication input, or other types of authentication input. After collecting the authentication inputs, the second device 304 transmits authentication tokens representing the input to the first device 300 (operation 312)).
	Vltavsky does not explicitly teach receiving, by the first user device, an authentication request message from the remote computer, the authentication request message including a token generated by the remote computer; transmitting, by the first user device, the authentication request message including the token to a second user device via a short range communication channel; wherein the response value was generated by the second user device based on an identifier associated with the second user device and the token generated by the remote computer, and the first user device is in direct communication with the remote computer and the second user device is not in direct communication with the remote computer; and transmitting, by the first user device, the authentication response message to the remote computer causing the remote computer to verify the response value and perform further processing responsive to the response value being verified.
	In the same field of endeavor, Narendra teaches
	receiving, by the first user device, an authentication request message from the remote computer, the authentication request message including a token generated by the remote computer; transmitting, by the first user device, the authentication request message including the token to a second user device via a short range communication channel;  (Para [0027] “FIG. 4 shows a personal digital identity device interacting with a mobile device and cloud service in accordance with various embodiments of the present invention. Personal digital ID device 400 communicates with mobile device 330 [ i.e. first device] over radio link 402 [i.e. short range communication], and mobile device 330 communicates with a cloud service 440 over radio link 432.”  Para [0034] “Because personal digital ID device 400 [i.e. the second device] uses radio link 402 [i.e. NFC, short range communication] to reach mobile device 330 [i.e. the first device] which in turn uses communication link 432 [i.e. long range communication] to reach a service 440, one can say that in some embodiments personal digital ID device 400 is able to communicate with service 440 with the mobile device 330 as an intermediary”. Para [0046] FIG. 6 shows a block diagram of a personal digital identity device in accordance with various embodiments of the present invention. Personal digital ID device 600 shows an example architecture for personal digital ID device 300 (FIG. 3) or personal digital ID device 400 (FIG. 4)” [i.e. mobile device 330 is in direct communication with cloud service 440 and the personal digital ID device 400 is not in direct communication with the cloud service 440]. Para [0053] In some embodiments, digital identifier 633 includes two shared secret keys K1 [i.e. an identifier of personal device] and K2 that are shared with a cloud service. Once personal digital ID device 600 is made available to a cloud service, the digital ID device could generate a random number R1, encrypt it with the shared secret key K1, and send it to the cloud service. The cloud service [i.e. remote server] will then decrypt R1 with key K1, then encrypt with key K2 both R1 and another random value R2 [i.e. token] and send the result back to personal digital ID device 600);
	 wherein the response value was generated by the second user device based on an identifier associated with the second user device and the token generated by the remote computer, and the first user device is in direct communication with the remote computer and the second user device is not in direct communication with the remote computer (Para [0034] “Because personal digital ID device 400 [i.e. the second device] uses radio link 402 [i.e. NFC, short range communication] to reach mobile device 330 [i.e. the first device] which in turn uses communication link 432 [i.e. long range communication] to reach a service 440, one can say that in some embodiments personal digital ID device 400 is able to communicate with service 440 with the mobile device 330 as an intermediary”. Para [0046] FIG. 6 shows a block diagram of a personal digital identity device in accordance with various embodiments of the present invention. Personal digital ID device 600 shows an example architecture for personal digital ID device 300 (FIG. 3) or personal digital ID device 400 (FIG. 4)” [i.e. mobile device 330 is in direct communication with cloud service 440 and the personal digital ID device 400 is not in direct communication with the cloud service 440]. Para [0053] In some embodiments, digital identifier 633 includes two shared secret keys K1 and K2 that are shared with a cloud service. Once personal digital ID device 600 is made available to a cloud service, the digital ID device could generate a random number R1, encrypt it with the shared secret key K1, and send it to the cloud service. The cloud service will then decrypt R1 with key K1, then encrypt with key K2 both R1 and another random value R2 and send the result back to personal digital ID device 600. Personal digital ID device 600 will then decrypt this payload with K2. If it successfully recovers R1 then it knows that it is communicating with an authenticated cloud service that it trusts. Personal digital ID device 600 then encrypts R2 back with K1 and sends it to the cloud service which will in turn decrypt it with K1 and if it successfully recovers R2 then it knows that it is communicating with an authenticated personal digital ID device it trusts.); and
	transmitting, by the first user device, the authentication response message to the remote computer causing the remote computer to verify the response value and perform further processing responsive to the response value being verified (Para [0034] “Because personal digital ID device 400 [i.e. the second device] uses radio link 402 [i.e. NFC, short range communication] to reach mobile device 330 [i.e. the first device] which in turn uses communication link 432 [i.e. long range communication] to reach a service 440, one can say that in some embodiments personal digital ID device 400 is able to communicate with service 440 with the mobile device 330 as an intermediary”. Para [0053] In some embodiments, digital identifier 633 includes two shared secret keys K1 and K2 that are shared with a cloud service. Once personal digital ID device 600 is made available to a cloud service, the digital ID device could generate a random number R1, encrypt it with the shared secret key K1, and send it to the cloud service. The cloud service will then decrypt R1 with key K1, then encrypt with key K2 both R1 and another random value R2 and send the result back to personal digital ID device 600. Personal digital ID device 600 will then decrypt this payload with K2. If it successfully recovers R1 then it knows that it is communicating with an authenticated cloud service that it trusts. Personal digital ID device 600 then encrypts R2 back with K1 and sends it to the cloud service which will in turn decrypt it with K1 and if it successfully recovers R2 then it knows that it is communicating with an authenticated personal digital ID device it trusts [i.e. verifying the response]).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by Vltavsky to incorporate teachings of Narendra such that the method of Vltavsky includes receiving, by the first user device, an authentication request message from the remote computer, the authentication request message including a token generated by the remote computer; transmitting, by the first user device, the authentication request message including the token to a second user device via a short range communication channel; wherein the response value was generated by the second user device based on an identifier associated with the second user device and the token generated by the remote computer, and the first user device is in direct communication with the remote computer and the second user device is not in direct communication with the remote computer; and transmitting, by the first user device, the authentication response message to the remote computer causing the remote computer to verify the response value and perform further processing responsive to the response value being verified. One would have been motivated to make such combination so that the user in possession of personal digital ID device 300 may interact with the device for the purpose of authenticating to mobile device 330 or authenticating to a service in communication with mobile device 300 (Narendra, Para [0026]).
	Regarding Claim 4, the combinations of Vltavsky and Narendra teaches all the limitations of claim 1 above,
	wherein the short range communication channel includes a BluetoothTM communication channel (Vltavsky, Col. 7, lines 54-56, In an embodiment, the first and second user devices are paired. The first and second devices may be paired using a Bluetooth standard), and
	wherein the long range communication channel includes a communication channel that uses the Internet (Narendra, Para [0030] “Communication link 432 between mobile device 330 and cloud service 440 may be any type of link that is possible between a mobile device and cloud service. For example, communication link 432 may be a radio link such as a cell phone signal or a WiFi signal”).
	The motivation/rationale to combine the references is similar to claim 1 above.
	Regarding Claim 5, the combinations of Vltavsky and Narendra teaches all the limitations of claim 1 above,
	wherein further processing includes transferring data between the first user device and a peer device, allowing a user of the first user device to access a secure location, data, and/or webpage, and/or performing a peer-to-peer transfer of value (Vltavsky, Col. 3, lines 34-41, As yet another example, the user 102 may have both a smartwatch and smartglasses, and both processes described above are used to provide four tokens to the application on the smartphone 104. Only when the four tokens from the PDC are provided with the tokens from the smartphone 104 will the application unlock and allow access to the user 102. Similar access protocols may be used to unlock secured resources).
	Regarding Claim 6,
Claim 6 is rejected for similar reasons as in claim 1.
	Vltavsky teaches
	A first user device comprising: a processor; a memory device; and a computer-readable medium coupled to the processor, the computer-readable medium comprising code executable by the processor for implementing a method comprising (Col. 8, lines 4-15, Embodiments may be implemented in one or a combination of hardware, firmware, and software. Embodiments may also be implemented as instructions stored on a machine-readable storage device, which may be read and executed by at least one processor to perform the operations described herein. A machine-readable storage device may include any non-transitory mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable storage device may include read-only memory (ROM), random-access memory (RAM), magnetic disk storage media, optical storage media, flash-memory devices, and other storage devices and media).
	Regarding Claim 9, 
Claim 9 is rejected for similar reasons as in claim 4.
	Regarding Claim 10,
Claim 10 is rejected for similar reasons as in claim 5.
	Regarding Claim 11, Vltavsky teaches
	A method comprising: receiving, by a second user device, an authentication request message from a first user device via a short range communication channel (Col. 5, lines 65-67, Col. 6, lines 1-10, A registered second device 304 may be paired with the first device 300, such as with Bluetooth pairing. However, if the second device 304 is not within communication range, then the first device 300 and the second device 304 may not be actively connected. By using a short-range wireless communication standard, such as Bluetooth, NFC, or the like, a user having both the first and second devices 300, 304 in their possession provides a higher degree of confidence that the user is authentic.  When the first device 300 determines that another registered device exists (operation 308), the first device 300 attempts to communicate with the second device 304 to obtain authentication tokens (operation 310)),
	transmitting, by the second user device, an authentication response message comprising the response value to the first user device (Col. 6, lines 10-19, In response to the request, the second device 304 collects and returns authentication tokens. The authentication tokens to be collected may be pre-configured, for example using the process described in FIG. 2. The second device 304 may prompt a user for biometric authentication input, knowledge-based authentication input, or other types of authentication input. After collecting the authentication inputs, the second device 304 transmits authentication tokens representing the input to the first device 300 (operation 312)).
	Vltavsky does not explicitly teach the authentication request message including a token that is generated by a remote computer and transmitted to the first device over a long range communication channel; generating, by the second user device, a response value based on the token included in the authentication request message and a second user device identifier; wherein the first user device transmits the authentication response message to a remote computer causing the remote computer to verify the response value and perform further processing responsive to the response value being verified, wherein the first user device is in direct communication with the remote computer, and the second user device is not in direct communication with the remote computer.
	In the same field of endeavor, Narendra teaches
	the authentication request message including a token that is generated by a remote computer and transmitted to the first device over a long range communication channel (Para [0053] In some embodiments, digital identifier 633 includes two shared secret keys K1 [i.e. an identifier of personal device] and K2 that are shared with a cloud service. Once personal digital ID device 600 is made available to a cloud service, the digital ID device could generate a random number R1, encrypt it with the shared secret key K1, and send it to the cloud service. The cloud service [i.e. remote server] will then decrypt R1 with key K1, then encrypt with key K2 both R1 and another random value R2 [i.e. token] and send the result back to personal digital ID device 600. Para [0030] “Communication link 432 between mobile device 330 and cloud service 440 may be any type of link that is possible between a mobile device and cloud service. For example, communication link 432 may be a radio link such as a cell phone signal or a WiFi signal”);
	generating, by the second user device, a response value based on the token included in the authentication request message and a second user device identifier (Para [0053] In some embodiments, digital identifier 633 includes two shared secret keys K1 [i.e. an identifier of personal device] and K2 that are shared with a cloud service. Once personal digital ID device 600 is made available to a cloud service, the digital ID device could generate a random number R1, encrypt it with the shared secret key K1, and send it to the cloud service. The cloud service [i.e. remote server] will then decrypt R1 with key K1, then encrypt with key K2 both R1 and another random value R2 [i.e. token] and send the result back to personal digital ID device 600. Personal digital ID device 600 will then decrypt this payload with K2. If it successfully recovers R1 then it knows that it is communicating with an authenticated cloud service that it trusts. Personal digital ID device 600 then encrypts R2 back with K1 and sends it to the cloud service which will in turn decrypt it with K1 and if it successfully recovers R2 then it knows that it is communicating with an authenticated personal digital ID device it trusts);
	wherein the first user device transmits the authentication response message to a remote computer causing the remote computer to verify the response value and perform further processing responsive to the response value being verified (Para [0053] In some embodiments, digital identifier 633 includes two shared secret keys K1 and K2 that are shared with a cloud service. Once personal digital ID device 600 is made available to a cloud service, the digital ID device could generate a random number R1, encrypt it with the shared secret key K1, and send it to the cloud service. The cloud service will then decrypt R1 with key K1, then encrypt with key K2 both R1 and another random value R2 and send the result back to personal digital ID device 600. Personal digital ID device 600 will then decrypt this payload with K2. If it successfully recovers R1 then it knows that it is communicating with an authenticated cloud service that it trusts. Personal digital ID device 600 then encrypts R2 back with K1 and sends it to the cloud service which will in turn decrypt it with K1 and if it successfully recovers R2 then it knows that it is communicating with an authenticated personal digital ID device it trusts [i.e. verifying the response]),
	wherein the first user device is in direct communication with the remote computer, and the second user device is not in direct communication with the remote computer (Para [0034] “Because personal digital ID device 400 [i.e. the second device] uses radio link 402 [i.e. NFC, short range communication] to reach mobile device 330 [i.e. the first device] which in turn uses communication link 432 [i.e. long range communication] to reach a service 440, one can say that in some embodiments personal digital ID device 400 is able to communicate with service 440 with the mobile device 330 as an intermediary”. Para [0046] FIG. 6 shows a block diagram of a personal digital identity device in accordance with various embodiments of the present invention. Personal digital ID device 600 shows an example architecture for personal digital ID device 300 (FIG. 3) or personal digital ID device 400 (FIG. 4)” [i.e. mobile device 330 is in direct communication with cloud service 440 and the personal digital ID device 400 is not in direct communication with the cloud service 440]).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by Vltavsky to incorporate teachings of Narendra such that the method of Vltavsky includes the authentication request message including a token that is generated by a remote computer and transmitted to the first device over a long range communication channel; generating, by the second user device, a response value based on the token included in the authentication request message and a second user device identifier; wherein the first user device transmits the authentication response message to a remote computer causing the remote computer to verify the response value and perform further processing responsive to the response value being verified, wherein the first user device is in direct communication with the remote computer, and the second user device is not in direct communication with the remote computer. One would have been motivated to make such combination so that the user in possession of personal digital ID device 300 may interact with the device for the purpose of authenticating to mobile device 330 or authenticating to a service in communication with mobile device 300 (Narendra, Para [0026]).
Claims 3 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Vltavsky et al. (US 10122719), hereinafter Vltavsky in view of Narendra et al. (US 20160197727), hereinafter Narendra in view of VAN OS et al. (US 20170339151), hereinafter VAN OS. 
	Regarding Claim 3, the combinations of Vltavsky, Musabeyoglu, and Fox Ivey teaches all the limitations of claim 1 above,
	The combinations of Vltavsky and Narendra does not explicitly teach wherein after receiving the authentication response message the method further comprises: displaying, by the first user device, the response value to a user of the first user device; and receiving, by the first user device, user input comprising the response value.
	In the same field of endeavor, VAN OS teaches
	wherein after receiving the authentication response message the method further comprises: displaying, by the first user device, the response value to a user of the first user device (Para [0279] At block 910, the authenticating device concurrently displays (e.g., in response to receiving the request), on the display of the authenticating device, an indication (e.g., 750, 850) of the request to proceed with the action, the information (e.g., 752, 852) about the selected one or more options, and an indication (e.g., 754, 854) of the requesting device (e.g., the name of the requesting laptop or phone, an identifier of the requesting device, or an icon or image that represents the requesting device such as a line drawing of a housing of the device)); and
	receiving, by the first user device, user input comprising the response value (Para [0281] At block 914, the authenticating device receives an input that is responsive to the request for authorization to proceed with the action (e.g., user authentication information, a fingerprint of finger 758/858, a passcode)).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by the combination of Vltavsky and Narendra to incorporate teachings of VAN OS such that the method of the combination of Vltavsky and Narendra includes wherein after receiving the authentication response message the method further comprises: displaying, by the first user device, the response value to a user of the first user device; and receiving, by the first user device, user input comprising the response value. One would have been motivated to make such combination so that the authenticating device concurrently displays an indication of the request to proceed with the action, information about the selected one or more options, and an indication of the requesting device. (VAN OS, [Abstract]).
	Regarding Claim 8, 
Claim 8 is rejected for similar reasons as in claim 3. 
  Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Vltavsky et al. (US 10122719), hereinafter Vltavsky in view of Narendra et al. (US 20160197727), hereinafter Narendra in view of Hammad (US 9372971), hereinafter Hammad.
	Regarding Claim 13, the combination of Vltavsky and Narendra teaches all the limitations of Claim 11 above,
	The combination of Vltavsky and Narendra does not explicitly teach wherein generating the response value further comprises: inputting, by the second user device, the token included in the authentication request message and the second user device identifier into a hash function; and obtaining, by the second user device, the response value as an output of the hash function.
	In the same field of endeavor, Hammad teaches
	wherein generating the response value further comprises: inputting, by the second user device, the token included in the authentication request message and the second user device identifier into a hash function (Col. 24, lines 19-25, In each of the embodiments described herein pertaining to verification token 40, token 40 may send the identification information pertaining to portable consumer device 5 to computer 10 in a number of forms, including: (1) unaltered form ("clear form"), (2) encrypted form, (3) hashed formed (e.g., encoded), (4) signed form, (5) or any combination of these forms); and
	obtaining, by the second user device, the response value as an output of the hash function (Col. 24, lines 31-40, In each of the embodiments described herein pertaining to verification token 40, the above codes of token 40 and the identification information read from device 5 by token 40 may be stored independently of computer 10 and may be secure from programs (including spyware and other malicious programs) running on computer 10. In such implementations, the identification information is put in secure form (e.g., encrypted, hashed, signed, or combination thereof) by verification token 40 before the information is provided to computer 10).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by combination of Vltavsky and Narendra to incorporate teachings of Hammad such that the method of combination of Vltavsky and Narendra includes wherein generating the response value further comprises: inputting, by the second user device, a token included in the authentication request message and the second user device identifier into a hash function; and obtaining, by the second user device, the response value as an output of the hash function. One would have been motivated to make such combination in order to provide verification token for obtaining a device verification value for a portable consumer device (Hammad, Col. 2, lines 14-15).
	Regarding Claim 14, the combination of Vltavsky, Narendra, and Hammad teaches all the limitations of Claim 11 and claim 13 above,
	wherein the remote computer determines an expected response value based on a stored second user device identifier and the token (Hammad, Col. 35, lines 13-24, Before receiving identification information for a portable consumer device 5 from a token, the issuing bank for the device may provide validation entity 80 with the look-up table, algorithm (including any seed values), or other data elements that the device uses to generate the device's variable datum (e.g., CVC3, dCVV, or cryptogram), which entity 80 may store in one of its databases 86. When validation entity 80 receives identification information from a verification token 40 for a specific portable consumer device 5, it accesses its record of the look-up table, algorithm, or other data elements for the specific device 5 to determine its value or set of values for the device's variable datum,… ),
	wherein the remote computer compares the expected response value to the response value (Hammad, Col. 35, lines 24-40 …, and compares the received value for a variable datum (e.g., CVC3, dCVV, or cryptogram) against its value or set of acceptable values for the variable datum to determine if the fifth validation test has been passed (e.g., a match in values is found), or has been failed (e.g., a match has not been found). To implement the fifth validation test, validation entity 80 may comprise code embodied on computer-readable medium 82 that directs data processor 81 to access the one or more stored data elements used to obtain the variable datum for the account from one of databases 86, code that directs data processor 81 to obtain one or more acceptable values for the variable datum from the one or more stored data elements, and code that directs data processor 81 to compare the received variable datum and the one or more acceptable values for a match to determine if the fifth test is passed (a match is found) or failed (a match is not found)).
	The motivation/rationale to combine the references is similar to claim 13 above.
 Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Vltavsky et al. (US 10122719), hereinafter Vltavsky in view of Narendra et al. (US 20160197727), hereinafter Narendra in view of Musabeyoglu et al. (US 10089801), hereinafter Musabeyoglu.
	Regarding Claim 21, the combination of Vltavsky and Narendra teaches all the limitations of Claim 1 above,
	The combination of Vltavsky and Narendra does not explicitly teach wherein the second user device generates the response value by computing a hash of the token and the identifier associated with the second user device.
	In the same field of endeavor, Musabeyoglu teaches
	wherein the second user device generates the response value by computing a hash of the token and the identifier associated with the second user device (Col. 15, lines 28-41, For example, the user device 204 may submit a request for, and subsequently receive, an access token from the remote server 302. It should also be noted that in some embodiments, alternative methods may be used by the system to validate access information. For example, the remote server 302 may provide the user device 204 with a hash function instead of a public key. In this example, the user device may generate an access token by hashing the nonce and the user ID using the hash function provided. To validate the access token in this example, the universal access control device may convey the nonce value to the remote server 302 and the remote server 302 may independently generate a second hash value, which is then compared to the received access token).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by combination of Vltavsky and Narendra to incorporate teachings of Musabeyoglu such that the method of combination of Vltavsky and Narendra includes wherein the second user device generates the response value by computing a hash of the token and the identifier associated with the second user device. One would have been motivated to make such combination in order to provide access control device that may be installed in proximity to, or within, an access control system to enable a user to use a user device to gain access to a secure area or resource (Musabeyoglu, [Abstract]).
Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Vltavsky et al. (US 10122719), hereinafter Vltavsky in view of Narendra et al. (US 20160197727), hereinafter Narendra in view of Musabeyoglu et al. (US 10089801), hereinafter Musabeyoglu in view of CHU et al. (US 20110197266), hereinafter CHU. 
	 Regarding Claim 24, the combination of Vltavsky, Narendra, and Musabeyoglu teaches all the limitations of Claim 1 and claim 21 above,
	The combination of Vltavsky, Narendra, and Musabeyoglu does not explicitly teach a method further comprising: truncating, by the second user device, the response value to be transmitted to the first user device.
	In the same field of endeavor, CHU teaches
	The method of claim 21, further comprising: truncating, by the second user device, the response value to be transmitted to the first user device (Para [0040] …The OTP algorithm is based, for example, at least in part on OATH Version 2. The OATH OTP generator takes three arguments to produce an OTP. The three arguments are: [0041] d--the number of OTP output digits (minimum is 6, maximum is 10) [0042] k--a 20-byte share secret [0043] c--an 8-byte counter Essentially, the OATH OTP algorithm first computes the HMAC-SHA1 value (see IETF RFC 2104) with the shared secret value as the HMAC-SHA1 key and the counter-value as the text input to HMAC-SHA1. It then applies a dynamic truncation algorithm to reduce the bytes output of HMAC-SHA1 into a 31-bit number. …).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by combination of Vltavsky, Narendra, and Musabeyoglu to incorporate teachings of CHU such that the method of combination of Vltavsky, Narendra, and Musabeyoglu further comprising: truncating, by the second user device, the response value to be transmitted to the first user device. One would have been motivated to make such combination in order to provide a dynamic truncation algorithm to reduce the bytes output of HMAC-SHA1 (CHU, Para [0040)]).
Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Vltavsky et al. (US 10122719), hereinafter Vltavsky in view of Narendra et al. (US 20160197727), hereinafter Narendra in view of Musabeyoglu et al. (US 10089801), hereinafter Musabeyoglu in view of CHU et al. (US 20110197266), hereinafter CHU in view of GRAHAM et al. (US 20200092285), hereinafter GRAHAM. 
	Regarding Claim 25, the combination of Vltavsky, Narendra, Musabeyoglu, and CHU teaches all the limitations of Claim 1, claim 21 and claim 24 above,
	The combination of Vltavsky, Narendra, Musabeyoglu, and CHU does not explicitly teach wherein a truncated response value includes 1 to 10 alphanumeric characters.
	In the same field of endeavor, GRAHAM teaches
	The method of claim 24, wherein a truncated response value includes 1 to 10 alphanumeric characters (Para [0051] The response from the user is encrypted and is then received 430 by the age verification system and decrypted. The responsive data is passed 430 through a series of rules to determine that the response is complete; rules may include requiring that all fields be completed, that fields include a particular number of alphanumeric characters, by way of example. ...).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by combination of Vltavsky, Narendra, Musabeyoglu, and CHU to incorporate teachings of GRAHAM such that the method of combination of Vltavsky, Narendra, Musabeyoglu, and CHU includes wherein a truncated response value includes 1 to 10 alphanumeric characters. One would have been motivated to make such combination so that responsive data is passed through a series of rules to determine that the response is complete; rules that fields include a particular number of alphanumeric characters (GRAHAM, Para [0051)).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Vltavsky et al. (US 10122719), hereinafter Vltavsky in view of Narendra et al. (US 20160197727), hereinafter Narendra in view of Vipond et al. (US 9119069), hereinafter Vipond.
	Regarding Claim 22, the combination of Vltavsky and Narendra teaches all the limitations of Claim 1 above,
	The combination of Vltavsky and Narendra does not explicitly teach wherein the response value has a fixed size of 256 bits.
	In the same field of endeavor, Vipond teaches
	wherein the response value has a fixed size of 256 bits (Col. 8, lines 28-32, In some embodiments, the authentication token and authentication server may mutually authenticate to one another using a challenge/response authentication or other types of message exchange including the exchange of unlock codes. Col. 11, lines 38-45, For example, if the random numbers are 256-bit numbers, the authentication server may use the SHA256 cryptographic hashing function developed by the National Institute of Standards and Technology (NIST). Various other hashing functions may be used, including other cryptographic hashing functions in the SHA-2 set designed by the NIST for other size random numbers).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by combination of Vltavsky and Narendra to incorporate teachings of Vipond such that the method of combination of Vltavsky and Narendra includes wherein the response value has a fixed size of 256 bits. One would have been motivated to make such combination so that other hashing functions may be used, including other cryptographic hashing functions in the SHA-2 set (Vipond, Col. 11, lines 42-44).
Claims 23 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Vltavsky et al. (US 10122719), hereinafter Vltavsky in view of Narendra et al. (US 20160197727), hereinafter Narendra in view of Ericson et al. (US 20180352266), hereinafter Ericson.
	Regarding Claim 23, the combination of Vltavsky and Narendra teaches all the limitations of Claim 1 above,
	The combination of Vltavsky and Narendra does not explicitly teach wherein the second user device generates the response value by encrypting [[a]] the token and the identifier associated with the second user device via a symmetric key.
	In the same field of endeavor, Ericson teaches
	wherein the second user device generates the response value by encrypting [[a]] the token and the identifier associated with the second user device via a symmetric key (Para [0041] Operation 430, in some embodiments, includes altering data in an image to include an encrypted digital token in order to create an altered image that includes the encrypted digital token. Para [0067] …Creating a digital token, for example, may involve using an encryption key and/or creating a unique identifier for the digital token. … Para [0105] The encrypting performed in operation 920 may be done using a public-private key pair. In one embodiment, for example, operation 920 may include processing system 820 encrypting a digital token with the public key in a public-private key pair (preventing the encrypted digital token from being decrypted by someone who does not have the corresponding private key, which may be kept secret by processing system 820). In another embodiment, operation 920 may also include using the private key of a public-private key pair to add signature information into a video. …).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method taught by combination of Vltavsky and Narendra to incorporate teachings of Ericson such that the method of combination of Vltavsky and Narendra includes wherein the second user device generates the response value by encrypting a token and an identifier associated with the second user device via a symmetric key. One would have been motivated to make such combination so that embedding of digital tokens within a digital video can occur cryptographically using a public key (Ericson, [Abstract]).
	Regarding Claim 26, the combination of Vltavsky and Narendra teaches all the limitations of Claim 1 above,
	wherein the remote computer verifies the response value with respect to an expected response value, the expected response value being generated by the remote computer based on an encryption key shared by the remote computer and the second user device (Ericson, Para [0119] In operation 970, processing system 820 verifies the validity of a decrypted digital token, according to some embodiments. Verifying validity can include extracting a unique identifier from the decrypted digital token, and then querying a database with the unique identifier. The database may include a list of all digital tokens created by processing system 820, and a record for the unique identifier can be referenced in the database. This record can contain an indicator of whether or not a given token is valid or invalid, for example. …).
	The motivation/rationale to combine the references is similar to claim 23 above. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Chen (US 20210006396) is directed to a method for conducting a transaction comprising: receiving, by a processor in a thin client from a first portable device of a first portable device type, transaction data; determining, by the processor, that the first portable device is the first portable device type; applying, the processor, an encryption protocol associated with a second portable device type to the transaction data to create encrypted data; transmitting, by the processor, the encrypted data to a remote computer, wherein the remote computer utilizes the encryption protocol to decrypt the access data, and thereafter process the transaction data to conduct the transaction.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAMID TALAMINAEI whose telephone number is (571)270-3283. The examiner can normally be reached Flexible, M-F 7:30 -5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HAMID TALAMINAEI/Examiner, Art Unit 2436                                                                                                                                                                                         
/TRONG H NGUYEN/Primary Examiner, Art Unit 2436