DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, 16/681,608, filed 11/12/2019 claims priority from US Provisional Application 62/760,795, filed 11/13/2018.
The effective filing date is after the AIA  date of March 16, 2013, and so the application is being examined under the “first inventor to file” provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Status of the Application
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on June 10, 2022 has been entered.
This Non-Final Office Action is in response to Applicant’s communication of June 10, 2022.
Claims 1-4 and 6-18 were previously pending, of which claims 1, 8, and 13 were independent.
In the most recent amendment, claims 1-4 and 6-18 are pending.  Independent claims 1 and 8 and dependent claims 7 and 10 have been amended.
All pending claims have been examined on the merits.  

Allowable Subject Matter
Claims 1-4, 6, and 7 are allowed. 
The following is an examiner’s statement of reasons for allowance: 
None of US 2014/0372128 A1 to Sheets et al. (“Sheets”.  Eff. Filed on Jun. 17, 2013.  Published on Dec. 18, 2014), US 2018/0234464 A1 to Sim et al. (“Sim”.  Filed on Feb. 15, 2007.  Published on Aug. 16, 2018), or US 2013/0159194 A1 to Habib (“Habib”.  Filed on Dec. 14, 2011.  Jun. 20, 2013) disclose or suggest the following claimed features of independent claim 1 (in combination with the other claimed features of claim 1):

receiving the authorization request for the transaction from an acquirer associated with the merchant, the authorization request including the authentication code representative of the voice authentication of the user; and 

Sheets appears to be silent regarding these features.

While Sim discloses the following in para. [0033], it fails to disclose that “the authorization request including the authentication code representative of the voice authentication of the user”:

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

While Habib discloses the following in para. [0008], it fails to disclose that “the authorization request including the authentication code representative of the voice authentication of the user”:

(See Habib, para. [0008]: “Therefore, in one aspect, the invention provides a system for utilizing voice recognition to permit a primary recipient of a benefit from a payor entity to receive the benefit, and, if desired, designate an alternative recipient and/or destination for the benefit. More specifically, the system includes a storage server for storing in a physical memory sets of baseline biometric files, each set of baseline biometric files being captured during an enrollment process and associated with a set of qualified recipients (including a primary recipient) of a series of benefit transfers from a payor. The set of baseline biometric files includes comprises a voice print for use in voice authentication of the qualified recipients. The system also includes a processor for executing stored computer-executable instructions that, when executed implement a voice authentication engine that: (i) compares a current voice print obtained from a recipient requesting authorization and access to at least one of the series of benefit transfers with the biometric baseline file for requesting recipient, and (ii) upon determining the current voice print matches with the biometric baseline file associate with the requesting recipient within an acceptable threshold, creates an authorization token comprising an authorization code and communicate the authorization token to the requesting recipient. In some embodiments, the authorization token and/or code may expire after a specific time period such that the expired authentication code cannot be used to obtain a benefit transfer after expiration.”)

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Claim Rejections - 35 USC § 103
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
It is noted that in the following rejections, numerous claim limitations are written as alternative limitations; to anticipate or render obvious such limitations, only one of the alternative limitations need be disclosed or taught by the cited reference.  (See MPEP §§ 2173.05(h), 2111 et seq.) 
Claims 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over US 2014/0372128 A1 to Sheets et al. (“Sheets”.  Eff. Filed on Jun. 17, 2013.  Published on Dec. 18, 2014) in view of US 2018/0234464 A1 to Sim et al. (“Sim”.  Filed on Feb. 15, 2007.  Published on Aug. 16, 2018), and further in view of US 2013/0159194 A1 to Habib (“Habib”.  Filed on Dec. 14, 2011.  Jun. 20, 2013).
In regards to independent claim 8. 
8. A computer-implemented method for use in facilitating voice authentication of a user in connection with a network transaction, the method comprising:

(See Sheets, para. [0038]: “In some embodiments, the communication device 110 may be a wireless device, a contactless device, a magnetic device, or other type of payment device. In some embodiments, the communication device 110 includes software (e.g., application) and/or hardware to perform the various payment transactions and capture user voice data as further described below.”)

receiving, at a directory server computing device, an authentication request for the transaction, initiated at a voice interactive device, 

(See Sheets, para. [0038]: “In some embodiments, the communication device 110 may be in electronic communication with the access device 120. The communication device 110 can be a personal digital assistant (PDA), a smart phone, tablet computer, notebook computer, or the like, that can execute and/or support payment transactions with a payment system 100. A communication device 110 can be used in conjunction with a payment device, such as a credit card, debit card, charge card, gift card, or other payment device and/or any combination thereof. The combination of a payment device (e.g., credit card) and the communication device 110 (e.g., smart phone) can be referred to as the communication device 110 for illustrative purposes. In some embodiments, the communication device 110 may be used in conjunction with transactions of currency or points (e.g., points accumulated in a particular software application). In some embodiments, the communication device 110 may be a wireless device, a contactless device, a magnetic device, or other type of payment device. In some embodiments, the communication device 110 includes software (e.g., application) and/or hardware to perform the various payment transactions and capture user voice data as further described below.”)

from a merchant plug-in (MPI) included at a merchant involved in the transaction, 

(See Sheets, para. [0039]: “The access device 120 may be configured to be in electronic communication with the acquirer 130 via a merchant 125. In one embodiment, the access device 120 may be a point-of-service (POS) device. Alternatively, the access device 120 can be any suitable device configured to process payment transactions such as credit card or debit card transactions, or electronic settlement transactions, and may have optical, electrical, or magnetic readers for reading data from portable electronic communication devices such as smart cards, keychain device, cell phones, payment cards, security cards, access cards, and the like. In some embodiments, the access device 120 may be located at and controlled by a merchant. For example, the access device 120 can be a POS device at a grocery store checkout line. In some embodiments, the access device 120 can be a client computer or a mobile phone in the event that the user is conducting a remote transaction.”)

the authentication request including a pre-authentication indicator based on voice authentication of a user by the voice interactive device or by a voice authentication service;

(See Sheets, para. [0041]: “Furthermore, the payment processing network 140 can receive a voice sample by the user (e.g., from the payment device 110, access device 120, or acquirer 130) to determine a risk factor associated with a transaction, as further described below.”)

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

generating, by the directory server computing device, a risk score for the transaction based at least in part on the pre-authentication indicator;

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

(See Sheets, para. [0089]: “The risk score attribute of the voice model 520 indicates a risk score associated with the particular authentication request by the user. In this example, the risk score may be on a scale from 0-100, with 100 being the highest (most risk). The match scores may decrease over time as the user authenticates with the authentication system more and becomes more “trusted” over time.”)

However, under a conservative interpretation of Sheets, it could be argued that Sheets does not explicitly teach the italicized portions below, but is taught in Sim:

determining, by the directory server computing device, whether to permit the transaction based on the generated risk score, without interacting with an access controller server (ACS) associated with an issuer of an account involved in the transaction; and

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

In regards to “access controller server (ACS) associated with an issuer of an account to which the transaction is directed”, the Examiner interprets that whether Sim’s “authentication module or logic 132” is operated by the “issuer of an account to which the transaction is directed”, or by a contractor hired by the issuer, is a matter of intended use.

returning, by the directory server computing device, a result response to the MPI, wherein the result response indicates a permission to proceed in the transaction.

(See Sim, para. [0030]: “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation. The authentication broker 100 may have a risk engine 130 that computes risk score or probabilities for risks such as general authentication risk (confidence of an approved authentication), or specific types of authentication risks, such as the risk of leaking sensitive information to an unsecured device, based on information related to an authentication request. Risk scores can be incorporated into the authentication making decision. For additional details on risk assessment modeling, see U.S. Pat. No. 9,396,332. For example, if adaptive authentication is desired, different ranges of general risk scores may control how many authentication factors and/or which authentication factors need to be satisfied. Higher risk scores might lead to increasing numbers or types of authentication factors.”)

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for voice authenticated for a transaction that uses risk scores, as taught by Sheets above, with authorizing a transaction based on authentication of the user (that uses voice matching and risk score), as further taught by Sim above, because “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation.” (See Sim, para. [0030]).  
Moreover, under a conservative interpretation of Sheets and Sim, it could be argued that neither Sheets nor Sim explicitly teaches the features in the italicized portions below, but these are taught in Habib:
prior to receiving an authorization request for a transaction …

the result response including an authentication code representative of the voice authentication of the user.

(See Habib, para. [0008]: “Therefore, in one aspect, the invention provides a system for utilizing voice recognition to permit a primary recipient of a benefit from a payor entity to receive the benefit, and, if desired, designate an alternative recipient and/or destination for the benefit. More specifically, the system includes a storage server for storing in a physical memory sets of baseline biometric files, each set of baseline biometric files being captured during an enrollment process and associated with a set of qualified recipients (including a primary recipient) of a series of benefit transfers from a payor. The set of baseline biometric files includes comprises a voice print for use in voice authentication of the qualified recipients. The system also includes a processor for executing stored computer-executable instructions that, when executed implement a voice authentication engine that: (i) compares a current voice print obtained from a recipient requesting authorization and access to at least one of the series of benefit transfers with the biometric baseline file for requesting recipient, and (ii) upon determining the current voice print matches with the biometric baseline file associate with the requesting recipient within an acceptable threshold, creates an authorization token comprising an authorization code and communicate the authorization token to the requesting recipient. In some embodiments, the authorization token and/or code may expire after a specific time period such that the expired authentication code cannot be used to obtain a benefit transfer after expiration.”)

The Examiner interprets that Habib’s “authorization code” and “authorization token” generated by the “voice authentication engine” read upon the claimed “authentication code”, because the last sentence of Habib’s para. [0008] recites both “authorization token and/or code” and “authentication code”.

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for voice authenticated for a transaction that uses risk scores, as taught by Sheets above, with authorizing a transaction based on authentication of the user (that uses voice matching and risk score), as further taught by Sim above, because “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation.” (See Sim, para. [0030]), and further in combination with the system and method for authenticating benefit recipients, as taught by Habib above, because doing so enables “an automated teller machine that receives the authentication code from the requesting recipient seeking payment of the funds that originate from the payor and the payment authorization module [to authorize] the transfers for the requesting recipient to an entity that operates the automated teller machine.” (See Habib, para. [0015].  
In regards to claim 9: 
9. The computer-implemented method of claim 8, further comprising 
validating an authentication key included in the pre-authentication indicator prior to generating the risk score; and wherein generating the risk score is based on whether the authentication key is validated or not.

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

(See also Sim, para. [0025]: “At step B, assuming that the authentication broker 100 authenticated the identity of the end user, then the authentication broker 100 issues an authentication credential such as a token 110. Note that there may be intermediate steps such as validating the client/application (perhaps verifying possession of a pre-registered secret key), exchanging an authorization code used to issue the token 110, etc.”)

The motivation to combine the two references is provided in the independent claims.

In regards to claim 10: 
10. (Currently Amended) The computer-implemented method of claim 9, further comprising generating the authentication code for the transaction.

 (See Sheets, para. [0026]: “An “authorization response message” may be an electronic message reply to an authorization request message. An authorization response message can be generated by an issuing financial institution or a payment processing network. The authorization response message may include, by way of example only, one or more of the following status indicators: Approval—transaction was approved; Decline—transaction was not approved; or Call Center—response pending more information, merchant must call the toll-free authorization phone number. The authorization response message may also include an authorization code, which may be a code that a issuer bank returns in response to an authorization request message in an electronic message (either directly or through the payment processing network) to the merchant's access device (e.g. POS equipment) that indicates approval of the transaction. The code may serve as proof of authorization. As noted above, in some embodiments, a payment processing network may generate or forward the authorization response message to the merchant.”)

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

(See also Sim, para. [0024]: “An example brokered authentication will be described with reference to FIG. 1. At step A the client 104 issues an authentication request 108 to the authentication broker 100. In some scenarios and with some protocols, step A might be proceeded by other steps, such as redirections after requesting a resource from the resource provider 106. In response to the authentication request 108, the authentication broker 100 authenticates the identity of the end user. The authentication may involve the user presenting one or more authentication factors. The user authentication may be passed off to a separate identity provider that authenticates the identity presented by the user and informs the authentication broker 100 of the authenticated identity.”)

Claims 13-17 are rejected under 35 U.S.C. 103 as being unpatentable over US 2014/0372128 A1 to Sheets et al. (“Sheets”.  Eff. Filed on Jun. 17, 2013.  Published on Dec. 18, 2014) in view of US 2018/0234464 A1 to Sim et al. (“Sim”.  Filed on Feb. 15, 2007.  Published on Aug. 16, 2018).
In regards to claim 13: 
13. A computer-implemented method for use in facilitating authentication of a user in connection with a network transaction by the user at a third party, the method comprising:
capturing, by a voice interactive device, a voice command for a transaction from a user, the voice command directed to a third party;

(See Sheets, para. [0038]: “In some embodiments, the communication device 110 may be a wireless device, a contactless device, a magnetic device, or other type of payment device. In some embodiments, the communication device 110 includes software (e.g., application) and/or hardware to perform the various payment transactions and capture user voice data as further described below.”)

determining content of the voice command;

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)

authenticating the user based on the captured voice command and a voice biometric reference associated with an identifier for at least one of the user and/or the voice interactive device; and

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)

However, under a conservative interpretation of Sheets, it could be argued that Sheets does not explicitly teach the italicized portions below, but is taught in Sim:
transmitting, by the voice interactive device, a purchase request for the transaction … to the third party, the purchase request including an indication of biometric authentication for the user,

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

In regards to “access controller server (ACS) associated with an issuer of an account to which the transaction is directed”, the Examiner interprets that whether Sim’s “authentication module or logic 132” is operated by the “issuer of an account to which the transaction is directed”, or by a contractor hired by the issuer, is a matter of intended use.

a purchase request for the transaction consistent with the content of the voice command to the third party …

(See also Sim, para. [0024]: “An example brokered authentication will be described with reference to FIG. 1. At step A the client 104 issues an authentication request 108 to the authentication broker 100. In some scenarios and with some protocols, step A might be proceeded by other steps, such as redirections after requesting a resource from the resource provider 106. In response to the authentication request 108, the authentication broker 100 authenticates the identity of the end user. The authentication may involve the user presenting one or more authentication factors. The user authentication may be passed off to a separate identity provider that authenticates the identity presented by the user and informs the authentication broker 100 of the authenticated identity.”)

(See also Sim, para. [0025]: “At step B, assuming that the authentication broker 100 authenticated the identity of the end user, then the authentication broker 100 issues an authentication credential such as a token 110. Note that there may be intermediate steps such as validating the client/application (perhaps verifying possession of a pre-registered secret key), exchanging an authorization code used to issue the token 110, etc.”)

(See also Sim, para. [0029]: “Modern authentication may involve one or more authentication factors. The most common type of authentication factor are knowledge factors 120 such as passwords, pins, pass phrases, or other information expected to be kept in human memory. Possession factors 122 are another type of factor which show that a specific physical object associated with a user identity is possessed. Automated teller machine (ATM) cards, physical security tokens, cellular terminals, and the like are types of possession factors. Biometric factors 124 are another type of factor that can be used to authenticate a subject. Biometric factors can be measures of fingerprints, hand geometry, facial features, iris/retina features, or others.”)

The examiner interprets that voice is an authentication factor.

whereby the third party is permitted to initiate an enhanced authentication of the user in connection with the transaction.

(See Sim, para. [0030]: “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation. The authentication broker 100 may have a risk engine 130 that computes risk score or probabilities for risks such as general authentication risk (confidence of an approved authentication), or specific types of authentication risks, such as the risk of leaking sensitive information to an unsecured device, based on information related to an authentication request. Risk scores can be incorporated into the authentication making decision. For additional details on risk assessment modeling, see U.S. Pat. No. 9,396,332. For example, if adaptive authentication is desired, different ranges of general risk scores may control how many authentication factors and/or which authentication factors need to be satisfied. Higher risk scores might lead to increasing numbers or types of authentication factors.”)

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for voice authenticated for a transaction that uses risk scores, as taught by Sheets above, with authorizing a transaction based on authentication of the user (that uses voice matching and risk score), as further taught by Sim above, because “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation.” (See Sim, para. [0030]).  

In regards to claim 14: 
14. The computer-implemented method of claim 13, wherein determining the content of the voice command includes:
transmitting the voice command to a voice recognition service; and
receiving the content from the voice recognition service.

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)

In regards to claim 15: 
15. The computer-implemented method of claim 13, wherein authenticating the user includes comparing, by the voice interactive device, the captured voice command and the voice biometric reference, wherein the voice biometric reference is stored in a trusted execution environment or a secure element of a memory included in said voice interactive device.

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)

In regards to claim 16: 
16. The computer-implemented method of claim 13, wherein authenticating the user includes authenticating the user via a network-based authentication service associated with the voice interactive device, based on a voice biometric reference stored in association with the network-based authentication service.

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)

In regards to claim 17: 
17. The computer-implemented method of claim 13, wherein authenticating the user includes:
transmitting the voice command to an authentication service associated with the voice interactive device, whereby the authentication service compares the voice command to a voice biometric reference identified to the user; and
receiving an authentication result for the voice command and the user.

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)

Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sheets in view of Sim and Habib, as applied to independent claim 8, and further in view of US 2020/0044851 to Everson et al. (“Everson”.  Filed Jul. 31, 2018.  Published Feb. 6, 2020). 
In regards to claim 11, under a conservative interpretation of Sheets in view of Sim and Habib, it could be argued that they does not explicitly teach the italicized portions below, which are taught by Everson:
11. The computer-implemented method of claim 8, wherein the voice interactive device includes a smart speaker.

(See Everson, para. [0039]: “According to another example, if the request is made at a terminal or during an in-person interaction, the system may request verification, such as a fingerprint, biometric, facial recognition, etc. In this example, the customer authentication may be provided via a terminal, PoS, ATM device, teller station, kiosk, etc. If the customer is at home or near a verified smart device, the customer may be requested to provide verification via the smart device. For example, a customer may be at home near a voice initiated assistant. In this scenario, the customer's voice may be used for authentication. In addition, the system may convey a OTP through the voice initiated assistant. The voice initiated assistant may voice the OTP or communicate the OTP via near field or other proximity based communication. Other smart devices, such as speakers, home security keypad, home security camera, appliance and/or other interactive devices and panels may be used as a communication channel.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for facilitating voice authentication of a user in connection with a transaction, as taught by Sheets in view of Sim and Habib above, with use of a voice interactive device including a speak, as further taught by Everson in para. [0039] above, because the references are all directed to the same art of voice authentication using a risk score, as shown in Everson’s para. [0038]: “[0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”  
In regards to claim 12, under a conservative interpretation of Sheets in view of Sim and Habib, it could be argued that they does not explicitly teach the italicized portions below, which are taught by Everson:
12. The computer-implemented method of claim 8, wherein the authentication request includes information indicative of a type of the voice interactive device; and
wherein generating the risk score includes generating the risk score based on the type of the voice interactive device.

(See Everson, para. [0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”)

The Examiner interprets that “device type” comprises “security level” of the device channel.

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for facilitating voice authentication of a user in connection with a transaction, as taught by Sheets in view of Sim and Habib above, with use of a voice interactive device including a speak, as further taught by Everson in para. [0039] above, because the references are all directed to the same art of voice authentication using a risk score, as shown in Everson’s para. [0038]: “[0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”  

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Sheets in view of Sim, as applied to independent claim 13, and further in view of US 2020/0044851 to Everson et al. (“Everson”.  Filed Jul. 31, 2018.  Published Feb. 6, 2020). 
In regards to claim 18, it is rejected on the same grounds as claim 13. However, under a conservative interpretation of Sheets, it could be argued that Sheets does not explicitly teach the feature  “ a type of the voice interactive device” in the italicized portions below, but is taught in Sim:
 wherein the purchase request further includes a type of the voice interactive device;

(See Sim, para. [0032]: “Risk evaluation conditions and context can include: geographic location of the subject, network address or domain of the subject, features of the client or user agent (e.g., which web browser and/or version, device identity, device type, operating system, device software and OS patch compliance), a source that redirected to the authentication server to initiate authentication, time of day, day of the week, cookies and their settings (e.g., expire period if any), authentication/login frequency or time since a prior authentication, authentication factors or categories that previously failed, stale authentication factors, sensitivity of the resources being accessed, secure state of the requesting device, and others. Risk evaluation conditions may also be global or external, that is, not specific to a specific subject or transaction. For example, the authentication broker or another security domain might detect a network attack, an uptick in failed authentications, or other signals that indicate increased systemic risk.”)

The motivation for combining Sheets and Sim is provided in independent claim 13.

However, under a conservative interpretation of Sheets in view of Sim, it could be argued that Sheets in view of Sim does not explicitly teach the italicized portions below, which are taught by Everson:
18. The computer-implemented method of claim 13, wherein the voice interactive device includes one of a smart speaker and a vehicle.

(See Everson, para. [0039]: “According to another example, if the request is made at a terminal or during an in-person interaction, the system may request verification, such as a fingerprint, biometric, facial recognition, etc. In this example, the customer authentication may be provided via a terminal, PoS, ATM device, teller station, kiosk, etc. If the customer is at home or near a verified smart device, the customer may be requested to provide verification via the smart device. For example, a customer may be at home near a voice initiated assistant. In this scenario, the customer's voice may be used for authentication. In addition, the system may convey a OTP through the voice initiated assistant. The voice initiated assistant may voice the OTP or communicate the OTP via near field or other proximity based communication. Other smart devices, such as speakers, home security keypad, home security camera, appliance and/or other interactive devices and panels may be used as a communication channel.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for facilitating voice authentication of a user in connection with a transaction, as taught by Sheets in view of Sim and Habib above, with use of a voice interactive device including a speak, as further taught by Everson in para. [0039] above, because the references are all directed to the same art of voice authentication using a risk score, as shown in Everson’s para. [0038]: “[0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”  

Response to Arguments
Re: Claim Rejections - 35 USC § 103
In regards to the 35 U.S.C. 103 rejection of independent claim 1, and its dependent claims 2-4 and 5-7, these rejections have been withdrawn, as necessitated by the amendments to independent claim 1, and the claims are allowed.  
In regards to the 35 U.S.C. 103 rejection of independent claim 8, and its dependent claims 9-12, these rejections have been amended, as necessitated by the amendments to independent claim 8. 
In regards to the 35 U.S.C. 103 rejection of independent claim 13 and its dependent claims 14-18, these claims were not amended in the amendment filed June 10, 2022.  
However, Applicant’s arguments are not persuasive, therefore the 35 U.S.C. 103 rejections of claims 13-17 over Sheets in view of Sim, and of claim 18 over Sheets in view of Sim and further in view of Everson are maintained.
More specifically, the Applicants argue that “the voice sample is provided in connection with authorization, not authentication”, and that additionally “the voice sample is not a ‘pre-authentication indicator’ because it is not based on any authentication of the user by a voice interactive device (or service).”
However, Sheets, para. [0041]: discloses: “Furthermore, the payment processing network 140 can receive a voice sample by the user (e.g., from the payment device 110, access device 120, or acquirer 130) to determine a risk factor associated with a transaction, as further described below.”
And Sheets para. [0089], which is also recited in the rejection of claim 8, discloses: “The risk score attribute of the voice model 520 indicates a risk score associated with the particular authentication request by the user.”  Therefore, Applicant’s argument that “the voice sample is provided in connection with authorization, not authentication” is false.  
Sheets para. [0089] also discloses: “The risk score attribute of the voice model 520 indicates a risk score associated with the particular authentication request by the user … The match scores may decrease over time as the user authenticates with the authentication system more and becomes more “trusted” over time.”  Therefore also Applicant’s argument that “the voice sample is not a ‘pre-authentication indicator’ because it is not based on any authentication of the user by a voice interactive device (or service)” is false, because “the risk score associated with the particular authentication request by the user”.
Furthermore, in regards to the 35 U.S.C. 103 rejection of independent claim 8, the Applicants argue in page 12 of the response filed on Dec. 16, 2021, that para. [0033] of the Sim reference fails to teach the claimed feature “determining, by the directory server computing device, whether to permit the transaction based on the generated risk score, without interacting with an access controller server (ACS) associated with an issuer of an account involved in the transaction”.
However, para. [0033] of the Sim reference discloses that “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors”, and “In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”  
No mention is made in Sim of “interacting with an access controller server (ACS) associated with an issuer of an account involved in the transaction”, and furthermore, para. [0026] of Sim discloses that “The resource provider receives the resource request 112 and token 110 and begins to perform an authentication procedure to determine whether the client 104 is permitted to access the resource requested by the resource request 112.”  
Therefore, the Applicant’s arguments pertaining to independent claim 8 are not persuasive.
In regards to the 35 U.S.C. 103 rejection of dependent claim 9, the Applicants argue in page 12 of the response filed on Dec. 16, 2021, that para. [0025] of the Sim reference fails to teach the claimed feature “validation of an authentication key”.  
However, para. [0025] of Sim teaches “At step B, assuming that the authentication broker 100 authenticated the identity of the end user, then the authentication broker 100 issues an authentication credential such as a token 110. Note that there may be intermediate steps such as validating the client/application (perhaps verifying possession of a pre-registered secret key), exchanging an authorization code used to issue the token 110, etc.”, and therefore discusses both authentication and authorization. Therefore, Applicant’s arguments are not persuasive.  Furthermore, the motivation to combine the Sheets and Sims references are provided in independent claim 8, as indicated in the rejection of claim 9.
In regards to the 35 U.S.C. 103 rejection of dependent claim 10, the Applicants argue features that have been amended into the claim in the present amendment, and therefore the new grounds of rejection of this claim are necessitated by Applicant’s amendment.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 10,554,657 B1 to Siddiqui et al. (“Siddiqui”.  Filed on Jul. 31, 2017.  Feb. 4, 2020).  See para. 

(See Siddiqui, col.9, lines 49-62: “Otherwise, if the authentication code 107 is received within the time window 239, the authentication service 218 continues from box 319 to box 320. In box 320, the authentication service 218 may determine whether an approval has been received from an authorized user. For example, the authentication service 218 may also verify that the voice speaking the authentication code 107 or a verbal confirmation matches the voice recognition profile 234 of the authorized user. If an approval is not received, or if the approval is not received from the authorized user, the authentication service 218 may move to box 318 and deny the authentication request of the first client device 206. Thereafter, the operation of the portion of the authentication service 218 ends.”)

(See Siddiqui, col.11, lines 54-67: “Otherwise, if the authorization code is received within the time window 239, the authentication service 218 continues from box 419 to box 420. In box 420, the authentication service 218 may determine whether an approval has been received from an authorized user. For example, the authentication service 218 may also verify that the voice speaking the authentication code 107 or a verbal confirmation matches the voice recognition profile 234 of the authorized user. If an approval is not received, or if the approval is not received from the authorized user, the authentication service 218 may move to box 418 and deny the transaction authorization request of the first client device 206. Thereafter, the operation of the portion of the authentication service 218 ends.”)

Applicants are invited to contact the Office to schedule an in-person interview to discuss and resolve the issues set forth in this Office Action.  Although an interview is not required, the Office believes that an interview can be of use to resolve any issues related to a patent application in an efficient and prompt manner.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Any inquiry concerning this communication or earlier communications should be directed to Examiner Ayal Sharon, whose telephone number is (571) 272-5614, and fax number is (571) 273-1794.  The Examiner can normally be reached from Monday to Friday between 9 AM and 6 PM.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon can be reached on (571) 270-3602.  The fax number for the organization where this application or proceeding is assigned is 571-273-8300.  
	Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Sincerely,

/Ayal I. Sharon/
Examiner, Art Unit 3695

October 7, 2022