DETAILED ACTION
This office action is in response to applicant communication filed on September 24, 2022.

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Claims 1-10 have been cancelled.
Claims 11-20 are pending.


Election/Restrictions
In response to the restriction made on September 13, 2022, applicant has elected Group III (Claims 11-20) without traverse. Therefore, examiner maintained the restriction made on September 13, 20122 and the restriction is final, and examine only claims 11-20 as per applicant election. Claims 1-10 are cancelled.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.


Claims 11, 13 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vimpari (US Pub. No. 2012/0066748) in view of Taylor (US Pub. No. 2015/0086017).

	As per claim 11 Vimpari discloses:
A method for control of a access portal comprising the processes: at a controller, receiving a plurality of physical access requests (access requests) from a plurality of devices; (abstract of Vimpari, the server receives a request, from a service, for the server, wherein the request includes, at least in part, a service-specific secret or a derivation of the service-specific secret) and (paragraph 35 of Vimpari, the server 105 may store the server-computed secret in a cache 119 at the server 105 for subsequent reference in response to subsequent authentication requests from the server 105).
At the controller, determining for each a sequence of access requests comprising at least a first access request and a second access request; (abstract of Vimpari, the server receives a request, from a service, for the server, wherein the request includes, at least in part, a service-specific secret or a derivation of the service-specific secret) and (paragraph 35 of Vimpari, the server 105 may store the server-computed secret in a cache 119 at the server 105 for subsequent reference in response to subsequent authentication requests from the server 105).
At the controller, upon authenticating the first access request (predecessor), writing into non-transitory storage a one-time verification code specific to an immediately subsequent second access request (successor) from the same app device; (paragraph 24 of Vimpari, when the server 105 receives the request from the service 103, the server 105 generates a server-computed secret and authenticates the request based on the comparison of the service-specific secret and the server-computed secret or their derivate. In one embodiment, the server 105 may temporarily store or cache the computed secrets in a temporary storage (e.g., in Random Access Memory), such as a cache 119 at the server 105).
At the controller, upon receiving a successor, performing an authentication process by matching the stored one-time verification code associated with the predecessor. (Paragraph 35 of Vimpari, the server 105 may store the server-computed secret in a cache 119 at the server 105 for subsequent reference in response to subsequent authentication requests from the server 105, such as a RAM. The server secret generator 115 may also be located separately from the server 105, or placed within the server 105).
Vimpari teaches the method of authenticating a first request and subsequent request (see abstract of Vimpari) but fails to disclose the method of requesting physical access using a mobile application. However, in the same field of endeavor, Taylor teaches this limitation as, (paragraph 10 of Taylor, a mobile system runs an application that authenticates itself with a baseboard management controller and, after authentication, provides user name and password credentials that define user access privileges. The access privileges may include physical access to components of the server information handling system provided by locks associated with the components and controlled by the baseboard management controller).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Vimpari and include the above limitation using the teaching of Taylor in order to secure the system using mobile application and without entering user credential.

As per claim 13 Vimpari in view of Taylor discloses:
Vimpari teaches the method of authenticating a first request and subsequent request (see abstract of Vimpari) but fails to disclose:
The method of claim 11 further comprising: on the condition the authentication process fails, setting a flag of questionable chain of control associated with the app device.
However, in the same field of endeavor, Taylor teaches this limitation as, (Paragraph 34 of Taylor, at step 158, the BMC determines whether the user's privileges are authentic and, if not, at step 160 a message is presented that authentication failed and the process terminates at step 172).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Vimpari and include the above limitation using the teaching of Taylor in order to enhance the security of the system by authentication the access request.

As per claim 18 Vimpari in view of Taylor discloses:
The method of claim 13 wherein, a flag of questionable chain of control causes an access control policy to be performed at the portal actuator wherein, an access control policy includes at least one of an access denial to a request from a user, or a device; an iteration of system authentication value; a version update; reauthentication process at a mobile application device; and transmitting a notification to an access control system administrator. (Paragraph 35 of Vimpari, the server 105 may store the server-computed secret in a cache 119 at the server 105 for subsequent reference in response to subsequent authentication requests from the server 105, such as a RAM. The server secret generator 115 may also be located separately from the server 105, or placed within the server 105).

As per claim 19 Vimpari in view of Taylor discloses:
The method of claim 11 wherein the app device transmits a first forward verification code from the app device that is determined by a first approximate elapsed time from a first access request to a second access request measured at the app device and the portal controller compares the first forward verification code with a second forward verification code read from non-transitory storage that was previously received as a component of the most recently successful access request. (Paragraph 24 of Vimpari, the server 105 may maintain the secret in the cache 119 for a predetermined time, until reset, etc. It is noted that the keeping the secret in cache memory is an optional step that serves to reduce potential resource consumption used in computing the secret for each authentication request; it is contemplated that the server secret generator 115 may, in addition or alternatively, dynamically compute the secret for each request).

As per claim 20 Vimpari in view of Taylor discloses:
The method of claim 11 wherein the app device transmits a first forward verification code from the app device that is determined by a first approximate elapsed time from a first access request to a second access request measured at the app device and the portal controller compares the first forward verification code with a second forward verification code that is determined by a second approximate elapsed time from the first access request to the second access request measured at the portal controller. (Paragraph 24 of Vimpari, the server 105 may maintain the secret in the cache 119 for a predetermined time, until reset, etc. It is noted that the keeping the secret in cache memory is an optional step that serves to reduce potential resource consumption used in computing the secret for each authentication request; it is contemplated that the server secret generator 115 may, in addition or alternatively, dynamically compute the secret for each request). 

Claims 12 and 14-17 are rejected under 35 U.S.C. 103 as being unpatentable over Vimpari (US Pub. No. 2012/0066748) in view of Taylor (US Pub. No. 2015/0086017) and further in view of Slaton (US Pub. No. 2009/0205036).

As per claim 12:
The combination of Vimpari and Taylor teaches the method of authenticating a first request and subsequent request (see abstract of Vimpari) but fails to disclose:
The method of claim 11 further comprising: on the condition the authentication process passes, writing a newer one-time verification code into non-transitory storage specific to yet another immediately subsequent successor.
However, in the same field of endeavor, Slaton teaches this limitation as, (paragraph 40 of Slaton, an OTP is a password that is altered each time it is regenerated in order to minimize its exposure to unauthorized intruders. In this case, the OTP is generated at two different nodes--an OTP server resident on the vault server 102 or the vault repository 136, and the soft token on the user computer 154. There are three common types of OTP. In one embodiment, the OTP is generated using a mathematical algorithm based on the previous OTP).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Vimpari and Taylor to include the above limitation using the teaching of Slaton in order to secure the system from unauthorized intruders using the one-time password.

As per claim 14:
The combination of Vimpari and Taylor teaches the method of authenticating a first request and subsequent request (see abstract of Vimpari) but fails to disclose:
The method of claim 12 wherein each newer one-time verification code is synthesized by the app device and transmitted in both a predecessor and successor request.
However, in the same field of endeavor, Slaton teaches this limitation as, (Paragraph 40 of Slaton, an OTP is a password that is altered each time it is regenerated in order to minimize its exposure to unauthorized intruders. In this case, the OTP is generated at two different nodes--an OTP server (not shown) resident on the vault server 102 or the vault repository 136, and the soft token on the user computer 154. There are three common types of OTP. In one embodiment, the OTP is generated using a mathematical algorithm based on the previous OTP).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Vimpari and Taylor to include the above limitation using the teaching of Slaton in order to secure the system from unauthorized intruders using the one-time password generated based on the previous OTP.

As per claim 15:
The combination of Vimpari and Taylor teaches the method of authenticating a first request and subsequent request (see abstract of Vimpari) but fails to disclose:
The method of claim 12 wherein each newer one-time verification code is a transformation of a timestamp read from the system clock of the app device.
However, in the same field of endeavor, Slaton teaches this limitation as, (Paragraph 40 of Slaton, the OTP is generated based on time-synchronization between the OTP server and the soft token. In this embodiment, the soft token includes an accurate clock that has been synchronized with a clock of the OTP server and the password is generated based on the two clocks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Vimpari and Taylor to include the above limitation using the teaching of Slaton in order to secure the system from unauthorized intruders using the one-time password generated based  on the Previous OTP and time information.

As per claim 16:
The combination of Vimpari and Taylor teaches the method of authenticating a first request and subsequent request (see abstract of Vimpari) but fails to disclose:
The method of claim 12 wherein each newer one-time verification code is synthesized as transformation of the predecessor and transmitted only in the successor.
However, in the same field of endeavor, Slaton teaches this limitation as, (Paragraph 40 of Slaton, an OTP is a password that is altered each time it is regenerated in order to minimize its exposure to unauthorized intruders. In this case, the OTP is generated at two different nodes--an OTP server (not shown) resident on the vault server 102 or the vault repository 136, and the soft token on the user computer 154. There are three common types of OTP. In one embodiment, the OTP is generated using a mathematical algorithm based on the previous OTP).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Vimpari and Taylor to include the above limitation using the teaching of Slaton in order to secure the system from unauthorized intruders using the one-time password.

As per claim 17:
The combination of Vimpari and Taylor teaches the method of authenticating a first request and subsequent request (see abstract of Vimpari) but fails to disclose:
The method of claim 12 wherein each newer one-time verification code is a transformation of the result of authentication of the predecessor request.
However, in the same field of endeavor, Slaton teaches this limitation as, (Paragraph 40 of Slaton, an OTP is a password that is altered each time it is regenerated in order to minimize its exposure to unauthorized intruders. In this case, the OTP is generated at two different nodes--an OTP server (not shown) resident on the vault server 102 or the vault repository 136, and the soft token on the user computer 154. There are three common types of OTP. In one embodiment, the OTP is generated using a mathematical algorithm based on the previous OTP).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Vimpari and Taylor to include the above limitation using the teaching of Slaton in order to secure the system from unauthorized intruders using the one-time password. 

Conclusion
The prior art made or record and not relied upon is considered pertinent to applicant’s disclosure is Ben Ayed (US 8,646,060). Ben Ayed discloses the method and system for multi-factor authentication using a smart token device.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434