DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Acknowledgment
Applicant’s preliminary amendment filed on May 3, 2021 is acknowledged. Accordingly claims 23-36 remain pending and have been examined.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 23-36 are rejected under 35 U.S.C. 103 as being unpatentable over Dorfman et al. (hereinafter “Dorfman”) U.S. Patent No. 9,130,929 B2 in view of Brill et al. (hereinafter “Brill”) U.S. Patent Application Publication No. 2016/0352519 A1.

As per claim 23, Dorfman discloses a method for a user having a computer hardware device, the computer hardware device comprising a processor and memory, to perform secure transactions using the computer hardware device, the method comprising the steps of:
registering the user with an authentication server after a proofing process (see fig. 6, which discloses “submit registration data”; col. 10, lines 48-67, which discloses that “As shown in FIG. 6, method 600 may include a user submitting registration data to an authentication host (step 602).”);
establishing a user account on an authentication server and creating a registration code associated with the user account (col. 10, lines 48-67, which discloses that “The IVR server(s) may then create an account associated with one or more of the user's device, the mobile application on the user's device, the user's log-in ID, the device name, and one or more verbal responses provided by the user during training step 608 (step 614).”);
generating on the computer hardware device with the processor a public/private key pair (col. 10, lines 17-33, which discloses that “The mobile app may then create a public/private key pair and certificate signing request ("CSR") with the user's log-in ID and the public key (step 506). The mobile app may save the private key, and bind the log-in ID with the public key.”);
storing the public/private key pair on the computer hardware device (col. 10, lines 17-33, which discloses that “The mobile app may save the private key, and bind the log-in ID with the public key.”);
generating on the computer hardware device a device profile (col. 10, lines 48-67, which discloses that “The IVR server(s) may then create an account associated with one or more of the user's device, the mobile application on the user's device, the user's log-in ID, the device name, and one or more verbal responses provided by the user during training step 608 (step 614).”);
obtaining the registration code on the hardware device (col. 10, lines 48-67, which discloses “Finally, method 600 may include sending a registration confirmation including the provided unique code to the user's mobile app (step 616).”);
registering the computer hardware device to the user before performing the transactions, the registration comprising the steps of:
i. transmitting the registration code from the hardware device to the authentication server, the registration code associated with the user account (col. 10, lines 47-67, which discloses that “The user may then dial-in to a number associated with the authentication service, or an associated voice recognition service, and enter the code provided by the authentication host (step 606).”), and
ii. transferring a hash of the device profile to the authentication server and storing and associating the device profile with the user account; and 
after the computer hardware device is registered to the user, using the computer hardware device and the user account for authentication before permitting a transaction to proceed (col. 5, lines 45-50, which discloses that “If authentication service 210 verifies that the smart app and/or mobile device 206 belong to the user associated with the user log-in ID entered in step 1, then authentication service 210 may enable the user to successfully log-in to the account associated with the user's log-in ID (step 5). Thus, the user may be authenticated with respect to the website without the user having to enter a password linked to the user's log-in ID.”).
What Dorfman does not explicitly teach is:
ii. transferring a hash of the device profile to the authentication server and storing and associating the device profile with the user account
Brill discloses the method comprising:
ii. transferring a hash of the device profile to the authentication server and storing and associating the device profile with the user account (see abstract, which discloses that “The computing device generates a first authentication code using a cryptographic hash algorithm and the device key, and sends the first authentication code to the second computer server.”; 0012, which discloses that “The device identifier 120 shown on display screen 110 may be the device identifier, or it may be a derivative generated by device 100, e.g., a cryptographic hash of the device identifier and the username and password associated with the user's user account.”).
Accordingly, it would have been obvious to one of ordinary skill in the art at time of applicant’s invention to modify the method of Dorfman and incorporate a method further comprising: ii. transferring a hash of the device profile to the authentication server and storing and associating the device profile with the user account in view of the teachings of Brill in order to enhance security of the transaction.

As per claims 24 and 32, Dorfman further discloses the method, wherein the proofing process comprises receiving a biometric (see claim 1).

As per claims 25 and 33, Dorfman further discloses the method, wherein the biometric is entered on the computer hardware device and is compared to a previously stored biometric stored on an external server, and the registering a user proceeds if biometric and the previously stored biometric match within a set tolerance (see claim 1).

As per claims 26 and 34, Dorfman further discloses the method, wherein the proofing process comprises a personal information of the user (col. 10, lines 48-67).

As per claims 27 and 35, Dorfman further discloses the method, wherein the personal information is entered on the computer hardware device, and the method further comprises receiving a third-party identity provider information, and the registering a user proceeds if the personal information and the third-party identity provider information matches within a set tolerance (col. 10, lines 48-67).

As per claims 28 and 36, Dorfman further discloses the method, wherein the proofing process comprises receiving a biometric and receiving personal information of the user (see claim 1; col. 10, lines 48-67).

As per claims 29 and 31, Dorfman further discloses the method, wherein the device profile comprises information on the hardware device selected from the group comprising (a) contact information, (b) mobile network code, (c) information about music, (d) pixel colors from a background screen, (e) installed applications, (f) arrangement of installed applications, (g) frequency of use of applications, (h) location of the user, (i) Bluetooth device pairings, (j) carrier name, (k) mobile country code, (l) phone number, (m) photos, (n) device name, (o) MAC address, or combinations of one or more thereof (see claim 1 and fig. 2).

As per claim 30, Dorfman discloses a method for a user having a computer hardware device, the computer hardware device comprising a processor and memory, to perform secure transactions using the computer hardware device, the method comprising the steps of:
a. registering the user with the authentication server after a proofing process (see fig. 6, which discloses “submit registration data”; col. 10, lines 48-67, which discloses that “As shown in FIG. 6, method 600 may include a user submitting registration data to an authentication host (step 602).”); 
b. establishing a user account on an authentication server and creating a registration code associated with the user account (col. 10, lines 48-67, which discloses that “The IVR server(s) may then create an account associated with one or more of the user's device, the mobile application on the user's device, the user's log-in ID, the device name, and one or more verbal responses provided by the user during training step 608 (step 614).”); 
c. generating on the computer hardware device with the processor a public/private key pair and storing the key pair on the computer hardware device (col. 10, lines 17-33, which discloses that “The mobile app may then create a public/private key pair and certificate signing request ("CSR") with the user's log-in ID and the public key (step 506). The mobile app may save the private key, and bind the log-in ID with the public key.”); 
d. generating on the computer hardware device a device profile (col. 10, lines 48-67, which discloses that “The IVR server(s) may then create an account associated with one or more of the user's device, the mobile application on the user's device, the user's log-in ID, the device name, and one or more verbal responses provided by the user during training step 608 (step 614).”); 
e. obtaining the registration code on the computer hardware device (col. 10, lines 48-67, which discloses “Finally, method 600 may include sending a registration confirmation including the provided unique code to the user's mobile app (step 616).”); 
f. registering the computer hardware device before performing the transaction, the registration comprising the steps of: 
i. transmitting the registration code from the computer hardware device to the authentication server, the registration code associated with the user (col. 10, lines 47-67, which discloses that “The user may then dial-in to a number associated with the authentication service, or an associated voice recognition service, and enter the code provided by the authentication host (step 606).”), 
ii. transferring a hash of the device profile to the authentication server and storing and associating the device profile with the user account; 
g. using a registered computer hardware device and user account for authentication for a transaction using the steps of: 
i. inputting to the computer hardware device user data comprising unique knowledge, biometric information of the user, or both the unique knowledge and biometric information of the user (col. 5, lines 40-col. 6, line 11, which discloses that “It will be appreciated that, although the present embodiments are disclosed mainly in relation to voice recognition as a biometric method, the present embodiments of image authentication may be used in relation to any desired biometric mechanism, such as fingerprint scanning, eye (e.g., iris) recognition, DNA matching, heart monitoring, and/or impedance matching. To authenticate the user with the website using voice-type biometric analysis, method 250 may include one or more of the following steps.”);
ii. transmitting to a server a package comprising (1) the user data, (2) the public key (col. 5, lines 45-60, which discloses that “For example, as described in more detail below, the smart app and/or mobile device 206 may employ any desired signed certificate, public/private key, or other authentication technique to send extracted data to the authentication service 210.”),
iii. creating a digital signature with the private key, the user data, and the device profile (col. 11, lines 15-35, which discloses that “The mobile application of the additional device may display a QR code, consistent with the above-described methods. The user may then image the displayed QR code using the already bound device. The already bound device may decode the QR code displayed on the additional device, and send the extracted information, including for example a unique ID, to the authentication service in a client certificate, also consistent with the above-described methods.”),
iv. transmitting the digital signature to the authentication server (col. 11, lines 15-35, which discloses that “The already bound device may decode the QR code displayed on the additional device, and send the extracted information, including for example a unique ID, to the authentication service in a client certificate, also consistent with the above-described methods.”),
	v. receiving from the authentication server permission to proceed with the transaction if the digital signature is verified and the user data and the device profile of the package match a previous user data and a previous device profile previously sent to the authentication server (col. 5, lines 45-50, which discloses that “If authentication service 210 verifies that the smart app and/or mobile device 206 belong to the user associated with the user log-in ID entered in step 1, then authentication service 210 may enable the user to successfully log-in to the account associated with the user's log-in ID (step 5). Thus, the user may be authenticated with respect to the website without the user having to enter a password linked to the user's log-in ID.”), and
vi. performing a secure transaction (col. 11, lines 35-55, which discloses that “When the user's device sends appropriate information containing both collected image data and user data stored on the device, e.g., according to the methods described above, then the user may authorize the device that displayed the image challenge to execute a payment transaction, such as a payment involving the user's bank account or credit card account.”).
What Dorfman does not explicitly teach is:
ii. transferring a hash of the device profile to the authentication server and storing and associating the device profile with the user account
Brill discloses the method comprising:
ii. transferring a hash of the device profile to the authentication server and storing and associating the device profile with the user account (see abstract, which discloses that “The computing device generates a first authentication code using a cryptographic hash algorithm and the device key, and sends the first authentication code to the second computer server.”; 0012, which discloses that “The device identifier 120 shown on display screen 110 may be the device identifier, or it may be a derivative generated by device 100, e.g., a cryptographic hash of the device identifier and the username and password associated with the user's user account.”).
Accordingly it would have been obvious to one of ordinary skill in the art at time of applicant’s invention to modify the method of Dorfman and incorporate a method further comprising: ii. transferring a hash of the device profile to the authentication server and storing and associating the device profile with the user account in view of the teachings of Brill in order to enhance security of the transaction.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Charles C. Agwumezie whose number is (571) 272-6838. The examiner can normally be reached on Monday – Friday 8:00 am – 5:00 pm.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Hayes can be reached on (571) 272 – 6708.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHINEDU C AGWUMEZIE/ Primary Examiner, Art Unit 3685
September 22, 2022