DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 19-38 are pending.  Claims 1-18 are cancelled.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/7/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 19, 22, 26, 28, 35 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 8, 11, 15, respectively, of U.S. Patent No. 10,484,345. Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the patent claims anticipates the claims of the instant application; for instance, the entirety of claim 19 of the instant application can be found in claim 1 of the patent, claim 22 can be found in claim 3, claim 26 can be found in claim 8, and claim 28 can be found in claim 11, and claim 35 can be found in claim 15.

Claim Objections
Claim 38 is objected to because of the following informalities:  
Claim 38 contains the following: “retrieving, but the second mobile application”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 19-20, 24, 26-28, 30, 32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kean et al (PGPUB 2012/0300938), and further in view of Ju et al (PGPUB 2014/0282983).

Regarding Claims 19 and 26:
Kean teaches a method and system comprising:
a server computer including (paragraph 23-24, trusted service management computer (TSM)):
a processor (paragraph 24, TSM processor); and
a server-side computer readable medium coupled to the processor, the server-side computer readable medium comprising code which, when executed by the processor, causes the processor to (paragraph 24, TSM memory and software): 
receive user data associated with a user (paragraph 60, trusted service manager (TSM) receives provisioning request from mobile device; paragraph 75, mobile device identification information received in conjunction with provisioning request; mobile device identification information comprising identifying information associated with secure element (i.e. “first mobile application”); paragraph 64, secure element identifiers, e.g. MSISDN, CPLC, ICCID, IMSI, uniquely identify end user and associated mobile device); 
determine that a first mobile application is a trusted application provisioned in a secure execution environment of a user device of the user by a trusted entity (paragraph 28, secure element for maintaining mobile device applications and confidential data offered by one or more service providers; paragraph 64, secure element identifiers, e.g. MSISDN, CPLC, ICCID, IMSI, uniquely identify end user and associated mobile device; TSM computer 110 may be configured to store unique identifiers of the mobile device, its secure element, and/or the end users for subsequent processing); 
authenticate the user based on the user data using an authentication process (paragraph 89, the TSM computer 110 may perform any number of suitable authentication procedures utilizing the device identification information); 
send a first cryptographic key to the first mobile application (paragraph 91-92, an authentication application and a base level key may be driven to the mobile device 150 by the TSM computer 110; the authentication application and the base level key may be received by the mobile device 150 at block 575; in certain embodiments, the authentication application may be stored on or provisioned to a secure element associated with the mobile device 150; for example, a general purpose chip associated with the mobile device 150 may receive the authentication application via an established OTA session, and the general purpose chip may provide the received authentication application to the secure element; claim 23, base level key stored in secure element); 
receive an identity verification cryptogram generated by the first mobile application using the first cryptographic key (paragraph 77, secure element authentication application uses base level key to generate or derive any number of transaction specific keys, utilizing base level key and e.g. a portion of the device identification information to derive or generate an intermediary key which is then provided to an algorithm to generate plurality of transaction specific keys; paragraph 79, request may be received from the mobile device; the request or communication may be encrypted with a transaction specific key generated by the authentication application that has been provisioned onto the mobile device 150; additionally, in certain embodiments, the request or communication may include an identifier of the mobile device and/or an identifier of the transaction specific key that was utilized); and
validate that the identity verification cryptogram was generated using the first cryptographic key previously sent by the server computer to the first mobile application (paragraph 80-82, device identifier included in the received request or communication may be utilized to access a database that includes stored device identification information and/or the stored base level key; once the stored information is accessed, at least a portion of the stored information may be utilized to generate any number of transaction specific keys; a determination may be made as to whether a correspondence exists between the transaction specific key utilized by the mobile device 150 and the transaction specific key generated by and/or selected by the TSM computer 110; for example, a determination may be made as to whether the transaction specific key utilized by the TSM computer 110 facilitates the decryption of the received request or communication; if it is determined at block 430 that a key correspondence exists, then operations may continue at block 435, and the mobile device 150 may be authenticated).
	Kean does not explicitly teach receiving user data associated with a user from a first mobile application; 
receiving the identity verification cryptogram from a second mobile application, wherein the first mobile application and the second mobile application are associated with the user; and
sending a second cryptographic key to the second mobile application upon validating the identity verification cryptogram.
However, Ju teaches the concept of receiving user data associated with a user from a first mobile application (paragraph 66, when an input signal for activating a specific application is generated, the control unit 160 may collect application service device address information for supporting the application, activate the communication unit 110, and control access of the application service device; the control unit 160 may compose a request message for requesting the single sign-on token, including information input by the user, and transmit the message to a specific application service device for supporting a specific application function; the input information included in the request message may be input information, for example, ID information and password information, which were previously registered with the application service device in order to activate the application, or integration ID information and password information which were preset for single sign-on; paragraph 104-105, first application service returns single sign-on token); 
receiving the identity verification cryptogram from a second mobile application, wherein the first mobile application and the second mobile application are associated with the user (paragraph 97-98, method of operating the single sign-on service system 10 of the present invention includes checking whether there is a service token for accessing the second application service device 202 for supporting the second application 153 and using the application service in operation S201 when the terminal 100 receives a request for activating the second application 153; if there is no service token, terminal extracts single sign-on token from accounting manager and composes inquiry message based on single sign-on token; second app transmits to second application service device; paragraph 66, integration ID information and password information which were preset for single sign-on, therefore, single sign-on token associated with user); and
sending a second cryptographic key to the second mobile application upon validating the identity verification cryptogram (paragraph 98-100, the terminal 100 may compose an inquiry message for inquiring a single sign-on session based on the single sign-on token and transmit the composed inquiry message to the second application service device 202 in operation 5209; when the single sign-on session check message (checkSSOSessionForMobile) is received from the second application service device 202, the single sign-on service device 300 may check whether the single sign-on token provided by the terminal 100 is effective by checking the inquiry message included in the single sign-on session check message (checkSSOSessionForMobile); then, when it is determined to receive the message composed based on the effective single sign-on token, the single sign-on service device 300 may create an integration service number corresponding to the single sign-on token in operations 5213; when the integration service number is received, the second application service device 202 may perform an integration ID sign-on and create a service token in operation 5217; here, the integration service number may include integration login information of the terminal 100; the second application service device 202 may provide, to the terminal 100, the service token and user data for supporting a function of the second application 153 in operation S219).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the single sign-on teachings of Ju with the cryptogram generating application teachings of Kean, in order to provide a means for multiple applications to utilize a single user authentication procedure for authentication, thereby improving efficiency and user experience, simplifying development, and increasing the likelihood that applications are built using authentication protocols, thereby improving the security environment.

Regarding Claim 20:
Kean in view of Ju teaches the method of claim 19.  In addition, Ju teaches the method further comprising: 
leveraging, by the server computer, the authentication process of the first mobile application to authenticate the user for the second mobile application (abstract, single sign-on service system includes a terminal configured to access at least one of a plurality of application service devices according to a request for activating at least one of a plurality of applications, and receive a service token used to operate the application service from each application service device on the basis of a single sign-on token without separately inputting sign-on information).
The rationale to combine Kean and Ju is the same as provided for claim 19 due to the overlapping subject matter between claims 19 and 20.

Regarding Claim 24:
Kean in view of Ju teaches the method of claim 19.  In addition, Ju teaches wherein the identity verification cryptogram is stored at a cloud storage system accessible by the first mobile application and the second mobile application (paragraph 103-105, cloud service manages single sign-on token for supporting application function; terminal stores received single sign-on token in cloud storage).
The rationale to combine Kean and Ju is the same as provided for claim 19 due to the overlapping subject matter between claims 19 and 24.

Regarding Claim 27:
Kean in view of Ju teaches the system of claim 26.  In addition, Ju teaches the system, further comprising:
the user device storing the first mobile application (paragraph 195-196, terminal, e.g. smart phone or handheld PC); and 
a computer readable medium storing the second mobile application (paragraph 30, computer readable record medium recording program for executing the method).
The rationale to combine Kean and Ju is the same as provided for claim 26 due to the overlapping subject matter between claims 26 and 27.

Regarding Claim 28:
Kean in view of Ju teaches the system of claim 26.  In addition, Ju teaches wherein the first mobile application is programmed to store the identity verification cryptogram at a cloud storage system accessible by the user device (paragraph 103-105, cloud service manages single sign-on token for supporting application function; terminal stores received single sign-on token in cloud storage).
The rationale to combine Kean and Ju is the same as provided for claim 26 due to the overlapping subject matter between claims 26 and 28.

Regarding Claim 30:
Kean in view of Ju teaches the system of claim 28.  In addition, Ju teaches wherein the second mobile application is programmed to retrieve the identity verification cryptogram generated by the first mobile application from the cloud storage system (paragraph 103-105, cloud service manages single sign-on token for supporting application function; terminal stores received single sign-on token in cloud storage; paragraph 97-98, if there is no service token, terminal extracts single sign-on token from accounting manager and composes inquiry message based on single sign-on token; second app transmits to second application service device).
The rationale to combine Kean and Ju is the same as provided for claim 28 due to the overlapping subject matter between claims 28 and 30.

Regarding Claim 32:
Kean in view of Ju teaches the system of claim 26.  In addition, Ju teaches wherein the first mobile application and the second mobile application are stored on the user device (paragraph 195-196, terminal, e.g. smart phone or handheld PC; paragraph 30, computer readable record medium recording program for executing the method).
The rationale to combine Kean and Ju is the same as provided for claim 26 due to the overlapping subject matter between claims 26 and 32.

Claim(s) 21-22, 35-36, 38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kean in view of Ju, and further in view of Copsey et al (PGPUB 2015/0012990).

Regarding Claim 21:
Kean in view of Ju teaches the method of claim 19.  In addition, Ju teaches the method, further comprising: 
receiving, by the server computer, a first set of user data including a first device identifier from the first mobile application (paragraph 66, when an input signal for activating a specific application is generated, the control unit 160 may collect application service device address information for supporting the application, activate the communication unit 110, and control access of the application service device; the control unit 160 may compose a request message for requesting the single sign-on token, including information input by the user, and transmit the message to a specific application service device for supporting a specific application function; the input information included in the request message may be input information, for example, ID information and password information, which were previously registered with the application service device in order to activate the application, or integration ID information and password information which were preset for single sign-on).
The rationale to combine Kean and Ju is the same as provided for claim 19 due to the overlapping subject matter between claims 19 and 21.
Neither Kean nor Ju explicitly teaches receiving, by the server computer, a second set of user data including a second device identifier from the second mobile application.
	However, Copsey teaches the concept of receiving, by a server computer, a second set of user data including a second device identifier from the second mobile application (paragraph 4, first request on behalf of first application on user device to access platform includes device identifier uniquely identifying the user device; second request on behalf of second application on user device to access platform includes device identifier; access device determines that user has previously authenticated based on match between device identifiers, and allows second application to access platform; paragraph 29, computing devices may be mobile devices).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the second application identifier transmission teachings of Copsey with the cryptogram generating application teachings of Kean in view of Ju, in order to improve authentication simplicity and security by tying multiple applications to a single device, thereby eliminating the need for a user to maintain separate credentials for each application available on a device, while reducing the chance that a credential was being used by a malicious third party from an unknown device.

Regarding Claim 22:
Kean in view of Ju and Copsey teaches the method of claim 21.  In addition, Copsey teaches the method, further comprising: 
determining, using the first device identifier and the second device identifier, that the first mobile application and the second mobile application are stored on the user device (paragraph 4, first request on behalf of first application on user device to access platform includes device identifier uniquely identifying the user device; second request on behalf of second application on user device to access platform includes device identifier; access device determines that user has previously authenticated based on match between device identifiers, and allows second application to access platform; paragraph 29, computing devices may be mobile devices).
The rationale to combine Kean and Copsey is the same as provided for claim 21 due to the overlapping subject matter between claims 21 and 22.

Regarding Claim 35:
Kean teaches a method comprising: 
transmitting a first set of user data associated with a user to a server computer (paragraph 60, trusted service manager (TSM) receives provisioning request from mobile device; paragraph 75, mobile device identification information received in conjunction with provisioning request; mobile device identification information comprising identifying information associated with secure element (i.e. “first mobile application”); paragraph 64, secure element identifiers, e.g. MSISDN, CPLC, ICCID, IMSI, uniquely identify end user and associated mobile device), wherein a first mobile application is a trusted application provisioned in a secure execution environment of the user device by a trusted entity (paragraph 28, secure element for maintaining mobile device applications and confidential data offered by one or more service providers; paragraph 64, secure element identifiers, e.g. MSISDN, CPLC, ICCID, IMSI, uniquely identify end user and associated mobile device; TSM computer 110 may be configured to store unique identifiers of the mobile device, its secure element, and/or the end users for subsequent processing); 
receiving, by the first mobile application, a first cryptographic key from the server computer (paragraph 91-92, an authentication application and a base level key may be driven to the mobile device 150 by the TSM computer 110; the authentication application and the base level key may be received by the mobile device 150 at block 575; in certain embodiments, the authentication application may be stored on or provisioned to a secure element associated with the mobile device 150; for example, a general purpose chip associated with the mobile device 150 may receive the authentication application via an established OTA session, and the general purpose chip may provide the received authentication application to the secure element; claim 23, base level key stored in secure element); and
generating, by the first mobile application, an identity verification cryptogram using the first cryptographic key (paragraph 77, secure element authentication application uses base level key to generate or derive any number of transaction specific keys, utilizing base level key and e.g. a portion of the device identification information to derive or generate an intermediary key which is then provided to an algorithm to generate plurality of transaction specific keys; paragraph 79, request may be received from the mobile device; the request or communication may be encrypted with a transaction specific key generated by the authentication application that has been provisioned onto the mobile device 150; additionally, in certain embodiments, the request or communication may include an identifier of the mobile device and/or an identifier of the transaction specific key that was utilized). 
	Kean does not explicitly teach transmitting, by the first mobile application at the user device;
providing, by the first mobile application, the identity verification cryptogram to a second mobile application associated with the user; 
transmitting, by the second mobile application, the identity verification cryptogram and a second set of user data associated with the user to the server computer; and 
receiving, by the second mobile application, a second cryptographic key from the server computer upon the server computer validating the identity verification cryptogram.
	However, Ju teaches the concept of transmitting, by a first mobile application at a user device (paragraph 66, when an input signal for activating a specific application is generated, the control unit 160 may collect application service device address information for supporting the application, activate the communication unit 110, and control access of the application service device; the control unit 160 may compose a request message for requesting the single sign-on token, including information input by the user, and transmit the message to a specific application service device for supporting a specific application function; the input information included in the request message may be input information, for example, ID information and password information, which were previously registered with the application service device in order to activate the application, or integration ID information and password information which were preset for single sign-on; paragraph 104-105, first application service returns single sign-on token);
providing, by the first mobile application, the identity verification cryptogram to a second mobile application associated with the user (paragraph 97-98, method of operating the single sign-on service system 10 of the present invention includes checking whether there is a service token for accessing the second application service device 202 for supporting the second application 153 and using the application service in operation S201 when the terminal 100 receives a request for activating the second application 153; if there is no service token, terminal extracts single sign-on token from accounting manager and composes inquiry message based on single sign-on token, i.e. the single sign-on token is “provided” to the second application); 
transmitting, by the second mobile application, the identity verification cryptogram to the server computer (paragraph 97-98, terminal extracts single sign-on token from accounting manager and composes inquiry message based on single sign-on token; second app transmits to second application service device); and 
receiving, by the second mobile application, a second cryptographic key from the server computer upon the server computer validating the identity verification cryptogram (paragraph 98-100, the terminal 100 may compose an inquiry message for inquiring a single sign-on session based on the single sign-on token and transmit the composed inquiry message to the second application service device 202 in operation 5209; when the single sign-on session check message (checkSSOSessionForMobile) is received from the second application service device 202, the single sign-on service device 300 may check whether the single sign-on token provided by the terminal 100 is effective by checking the inquiry message included in the single sign-on session check message (checkSSOSessionForMobile); then, when it is determined to receive the message composed based on the effective single sign-on token, the single sign-on service device 300 may create an integration service number corresponding to the single sign-on token in operations 5213; when the integration service number is received, the second application service device 202 may perform an integration ID sign-on and create a service token in operation 5217; here, the integration service number may include integration login information of the terminal 100; the second application service device 202 may provide, to the terminal 100, the service token and user data for supporting a function of the second application 153 in operation S219).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the single sign-on teachings of Ju with the cryptogram generating application teachings of Kean, in order to provide a means for multiple applications to utilize a single user authentication procedure for authentication, thereby improving efficiency and user experience, simplifying development, and increasing the likelihood that applications are built using authentication protocols, thereby improving the security environment.
	Neither Kean nor Ju explicitly teaches transmitting, by the second mobile application, a second set of user data associated with the user.
	However, Copsey teaches the concept of transmitting, by a second mobile application, a second set of user data associated with a user (paragraph 4, first request on behalf of first application on user device to access platform includes device identifier uniquely identifying the user device; second request on behalf of second application on user device to access platform includes device identifier; access device determines that user has previously authenticated based on match between device identifiers, and allows second application to access platform; paragraph 29, computing devices may be mobile devices).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the second application identifier transmission teachings of Copsey with the cryptogram generating application teachings of Kean in view of Ju, in order to improve authentication simplicity and security by tying multiple applications to a single device, thereby eliminating the need for a user to maintain separate credentials for each application available on a device, while reducing the chance that a credential was being used by a malicious third party from an unknown device.

Regarding Claim 36:
Kean in view of Ju and Copsey teaches the method of claim 35.  In addition, Copsey teaches wherein the first set of user data includes a first device identifier, and the second set of user data includes a second device identifier, wherein the first device identifier and the second device identifier identify the user device (paragraph 4, first request on behalf of first application on user device to access platform includes device identifier uniquely identifying the user device; second request on behalf of second application on user device to access platform includes device identifier; access device determines that user has previously authenticated based on match between device identifiers, and allows second application to access platform; paragraph 29, computing devices may be mobile devices).
The rationale to combine Kean and Copsey is the same as provided for claim 35 due to the overlapping subject matter between claims 35 and 36.

Regarding Claim 38:
Kean in view of Ju and Copsey teaches the method of claim 35.  In addition, Ju teaches the method, further comprising: 
storing, by the first mobile application, the identity verification cryptogram at a cloud storage system accessible by the first mobile application and the second mobile application (paragraph 103-105, cloud service manages single sign-on token for supporting application function; terminal stores received single sign-on token in cloud storage); and 
retrieving, but the second mobile application, the identity verification cryptogram from the cloud storage system (paragraph 97-98, if there is no service token, terminal extracts single sign-on token from accounting manager and composes inquiry message based on single sign-on token; second app transmits to second application service device).
The rationale to combine Kean and Ju is the same as provided for claim 35 due to the overlapping subject matter between claims 35 and 38.

Claim(s) 23, 37 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kean in view of Ju and Copsey, and further in view of Shimakawa (PGPUB 2015/0101032).

Regarding Claim 23:
Kean in view of Ju and Copsey teaches the method of claim 21.
Neither Kean nor Ju nor Copsey explicitly teaches the method, further comprising: 
determining, using the first device identifier and the second device identifier, that the second mobile application is stored on another user device of the user.
However, Shimakawa teaches the concept of determining, using a first device identifier and a second device identifier, that a second mobile application is stored on another user device of the user (paragraph 10-12, communication unit is capable of communicating with a first device, a second device, and a service on a network, the service having a resource on a user of the first device; controller may control the communication unit so that the communication unit accesses the resource using the stored access token in response to a request from the second device associated with the user; paragraph 18, communication unit receives, from the first device, association information that represents association with the user, the first device, and the second device, and the storage unit so that the storage unit stores the received association information; paragraph 45, user authentication server 150 performs a user authentication process with a user ID and password in response to a request from the server 100, in an association process with each device 300 and the user; paragraph 96-97, user authentication processing unit 121 requests the user authentication server 150 to perform authentication. In the case where the authentication succeeds, the user authentication processing unit 121 transmits the user ID and device ID to the user/device management unit 111 and transmits the authentication result to the device 300; user/device management unit 111 adds, to the device list on the user database, the device ID received from the user authentication processing unit 121).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the multiple devices of a single user teachings of Shimakawa with the cryptogram generating application teachings of Kean in view of Ju and Copsey, in order to improve user convenience and security by allowing user access to accounts, applications, and data using multiple separate personal devices which are securely authenticated using single sign-on techniques.

Regarding Claim 37:
Kean in view of Ju and Copsey teaches the method of claim 35.
Neither Kean nor Ju nor Copsey explicitly teaches wherein the first set of user data includes a first device identifier identifying the user device, and the second set of user data includes a second device identifier identifying another device of the user.
However, Shimakawa teaches the concept wherein a first set of user data includes a first device identifier identifying a user device, and a second set of user data includes a second device identifier identifying another device of the user (paragraph 10-12, communication unit is capable of communicating with a first device, a second device, and a service on a network, the service having a resource on a user of the first device; controller may control the communication unit so that the communication unit accesses the resource using the stored access token in response to a request from the second device associated with the user; paragraph 18, communication unit receives, from the first device, association information that represents association with the user, the first device, and the second device, and the storage unit so that the storage unit stores the received association information; paragraph 45, user authentication server 150 performs a user authentication process with a user ID and password in response to a request from the server 100, in an association process with each device 300 and the user; paragraph 96-97, user authentication processing unit 121 requests the user authentication server 150 to perform authentication. In the case where the authentication succeeds, the user authentication processing unit 121 transmits the user ID and device ID to the user/device management unit 111 and transmits the authentication result to the device 300; user/device management unit 111 adds, to the device list on the user database, the device ID received from the user authentication processing unit 121).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the multiple devices of a single user teachings of Shimakawa with the cryptogram generating application teachings of Kean in view of Ju and Copsey, in order to improve user convenience and security by allowing user access to accounts, applications, and data using multiple separate personal devices which are securely authenticated using single sign-on techniques.

Claim(s) 33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kean in view of Ju, and further in view of Shimakawa.

Regarding Claim 33:
Kean in view of Ju teaches the system of claim 26.
Neither Kean nor Ju explicitly teaches wherein the second mobile application is stored on another user device of the user.
However, Shimakawa teaches the concept wherein a second mobile application is stored on another user device of the user (paragraph 10-12, communication unit is capable of communicating with a first device, a second device, and a service on a network, the service having a resource on a user of the first device; controller may control the communication unit so that the communication unit accesses the resource using the stored access token in response to a request from the second device associated with the user; paragraph 18, communication unit receives, from the first device, association information that represents association with the user, the first device, and the second device, and the storage unit so that the storage unit stores the received association information; paragraph 45, user authentication server 150 performs a user authentication process with a user ID and password in response to a request from the server 100, in an association process with each device 300 and the user; paragraph 96-97, user authentication processing unit 121 requests the user authentication server 150 to perform authentication. In the case where the authentication succeeds, the user authentication processing unit 121 transmits the user ID and device ID to the user/device management unit 111 and transmits the authentication result to the device 300; user/device management unit 111 adds, to the device list on the user database, the device ID received from the user authentication processing unit 121).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the multiple devices of a single user teachings of Shimakawa with the cryptogram generating application teachings of Kean in view of Ju, in order to improve user convenience and security by allowing user access to accounts, applications, and data using multiple separate personal devices which are securely authenticated using single sign-on techniques.

Claim(s) 25, 29 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kean in view of Ju, and further in view of Burgess (“What is Apple’s iCloud Keychain and how do I use it?”).

Regarding Claim 25:
Kean in view of Ju teaches the method of claim 19.  In addition, Ju teaches wherein the identity verification cryptogram is stored on a cloud storage system (paragraph 103-105, cloud service manages single sign-on token for supporting application function; terminal stores received single sign-on token in cloud storage).
The rationale to combine Kean and Ju is the same as provided for claim 19 due to the overlapping subject matter between claims 19 and 25.
Neither Kean nor Ju explicitly teaches the cloud storage system of an operating system provider of the user device.
However, Burgess teaches the concept of a cloud storage system of an operating system provider of a user device (page 1 paragraph 1-2, Apple's iCloud Keychain keeps account names, passwords, and credit card numbers (i.e. identity credentials) stored in iCloud; it’s a management feature in iOS 7 that keeps your account names, passwords, and even credit card numbers stored behind 256-bit AES encryption on Apple's iCloud servers; then that data is synced between authorized iOS 7 devices and OS X Mavericks — the latest computer OS from Apple).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the OS provider cloud teachings of Burgess with the cryptogram generating application teachings of Kean in view of Ju, in order to limit credential storage to an encrypted cloud under the control of the OS provider, eliminating any potential trust issues which would arise from storing credentials in a (possibly malicious) third-party provided cloud storage environment, as well as ensuring the highest level of compatibility between the cloud service and the OS environment.

Regarding Claim 29:
Kean in view of Ju teaches the system of claim 28.
Neither Kean nor Ju explicitly teaches wherein the cloud storage system is managed by an operating system provider of the user device.
However, Burgess teaches the concept wherein a cloud storage system is managed by an operating system provider of a user device (page 1 paragraph 1-2, Apple's iCloud Keychain keeps account names, passwords, and credit card numbers (i.e. identity credentials) stored in iCloud; it’s a management feature in iOS 7 that keeps your account names, passwords, and even credit card numbers stored behind 256-bit AES encryption on Apple's iCloud servers; then that data is synced between authorized iOS 7 devices and OS X Mavericks — the latest computer OS from Apple).
It would have been obvious to one or ordinary skill in the art before the effective filing date of
the claimed invention to combine the OS provider cloud teachings of Burgess with the cryptogram generating application teachings of Kean in view of Ju, in order to limit credential storage to an encrypted cloud under the control of the OS provider, eliminating any potential trust issues which would arise from storing credentials in a (possibly malicious) third-party provided cloud storage environment, as well as ensuring the highest level of compatibility between the cloud service and the OS environment.

Claim(s) 31 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kean in view of Ju, and further in view of Judge et al (PGPUB 2015/0363186).

Regarding Claim 31:
Kean in view of Ju teaches the system of claim 26.
Neither Kean nor Ju explicitly teaches wherein the first mobile application and the second mobile application are programmed to interface via an application programming interface.
However, Judge teaches the concept wherein a first mobile application and a second mobile application are programmed to interface via an application programming interface (paragraph 2, electronic devices (such as mobile devices, smartphones, tablet computers, etc.) can be configured to allow different types of applications to execute thereon; the applications can be pre-installed or downloaded over a network; paragraph 31, FIG. 4 also shows a relationship between first application 412 and second application 414; first application 412 may be configured to interact with the second application 414 via an application programming interface (API); the first application 412 and second application 414 may have a version dependency on each other to make sure that changes to the API are carried through to both the first application 412 and second application 414).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the first and second application API teachings of Judge with the cryptogram generating application teachings of Kean in view of Ju.  It is well-known in the art that application programming interfaces are the primary means of inter-application communication.  Therefore, a person of ordinary skill in the art, facing the problem of communicating information between two applications, would be familiar with and choose well-known methods, such as APIs, to enable two applications to communicate.

Claim(s) 34 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kean in view of Ju, and further in view of Jensen et al (US 8,489,846).

Regarding Claim 34:
Kean in view of Ju teaches the system of claim 26.
Neither Kean nor Ju explicitly teaches wherein the second mobile application is provisioned on a device of the user by an untrusted entity, the untrusted entity having a lower level of confidence than the trusted entity.
However, Jensen teaches the concept wherein a second application is provisioned on a device of a user by an untrusted entity, the untrusted entity having a lower level of confidence than a trusted entity (abstract, computing system includes a processor and a partition management unit (PMU); the partition management unit allocates partitions of memory and processing time; col 8 line 42-59, system 100 can be configured for a first partition for a trusted application and a second partition for an untrusted application); and
Kean teaches wherein the application is a mobile application (paragraph 60).
	It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the untrusted software partitioning teachings of Jensen with the cryptogram generating application teachings of Kean in view of Ju, in order to improve system security and safety, and minimize the potential for attacks and exploits, by partitioning the system to logically separate trusted and untrusted software, thereby allowing the system to control access to trusted application information by untrusted applications.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FORREST L CAREY/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491