DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 21-40 are pending.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 21-22, 24-29, 31-36, 38-40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Damm-Goossens (US 8,719,952), and further in view of Jakobsson (PGPUB 2016/0105285).

Regarding Claims 21, 28, and 35:
Damm-Goossens teaches a method, a non-transitory, computer-readable medium storing one or more instructions executable by a computer system and a computer-implemented system, comprising: 
one or more computers (abstract, the public key of an RSA (asymmetric) software key pair is maintained confidentially on an authentication server, while the corresponding private key is maintained in encrypted, unstructured form on a mobile communication device (e.g. smartphone)); and 
one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations comprising (col 5 line 7-13, systems and methods described herein may include or employ one or more interconnected computer systems and/or mobile communication devices comprising one or more processors and associated memory, storage, input and display devices; such computer systems and/or mobile communication devices may run software implementing methods described herein when executed on hardware): 
receiving, by a user device of a user, a registration request (col 13 line 3-30, steps to generate registration request for generation and storage of public/private key pair; col 16 line 16-37, mobile communication device 30 receives a request for new keys from a user, i.e. new “registration request”); 
collecting authentication information of the user in accordance with the registration request (col 16 line 16-37, mobile communication device 30 requests the password for the selected identity from the user); 
determining that the collected authentication information matches preset authentication information (col 16 line 16-37, mobile communication device 30 decrypts the existing (old) private key using the entered password (step 224); mobile communication device 30 authenticates itself via challenge-response authentication using the existing (old) private key; col 11 line 65-col 12 line 17, in challenge-response exchange, mobile communication device 30 signs (encrypts) the challenge with the locally-stored private key associated with the identity (step 154), and sends a token including the signed challenge to authentication server 60 (step 156); in a step 158, authentication server 60 validates the signature using the public key for the given identity); 
generating a digital signature certificate private key and a digital signature certificate public key (col 16 line 16-37, mobile communication device 30 generates a new cryptographic key pair (step 226)); 
transmitting, to a server, a signed registration request message that is signed using the digital signature certificate private key and that includes the digital signature certificate public key (col 16 line 16-37, mobile communication device 30 generates a new cryptographic key pair (step 226) and sends key update request to authentication server; key update request may include the user ID, new public key, and the signed new public key; authentication server 60 validates the signature of the new public key, verifying that the sender of the request owns the corresponding private key (step 234), replaces the existing (old) public key with the new public key in its records (step 236), and returns a success code to mobile communication device 30); 
transmitting, to the server, an information verification message that is generated by signing a service request using the digital signature certificate private key, wherein the server is configured to read the digital signature certificate public key corresponding to the digital signature certificate private key (col 11 line 65-col 12 line 17, when accessing an identity on authentication server 60, mobile communication device 30 may be required to prove that it is the owner of the respective identity; this may be done via a challenge-response exchange; in challenge-response exchange, mobile communication device 30 signs (encrypts) the challenge with the locally-stored private key associated with the identity (step 154), and sends a token including the signed challenge to authentication server 60 (step 156); in a step 158, authentication server 60 validates the signature using the public key for the given identity); and 
receiving, from the server, authentication result information indicative of the server verifying the information verification message according to the digital signature certificate public key (col 11 line 65-col 12 line 17, Fig. 9, authentication server 60 continues serving the request if the signature is valid (issues OK message, as per Fig. 9), or returns error if validation fails).
Damm-Goossens does not explicitly teach collecting biometric authentication information of the user; 
determining that the collected biometric authentication information matches preset biometric authentication information stored on the user device; 
in response to determining that the collected biometric authentication information matches the preset biometric authentication information, generating a digital signature certificate private key and a digital signature certificate public key; 
transmitting, to the server, a biometric information verification message; and
receiving, from the server, authentication result information indicative of the server verifying the biometric information verification message.
However, Jakobsson teaches the concept of collecting biometric authentication information of a user (abstract, biometric parameters are obtained from a user and compared to a database of biometric templates to identify templates that most closely match the biometric parameters of the user; paragraph 38, a fingerprint is scanned); 
determining that the collected biometric authentication information matches preset biometric authentication information stored on a user device (paragraph 38, fingerprint is compared with database of templates; templates are identified that most closely match the user fingerprint); 
in response to determining that the collected biometric authentication information matches the preset biometric authentication information, generating a digital signature certificate private key and a digital signature certificate public key (paragraph 39, Fig. 2, at 208, the biometric authentication system 202 inputs user biometric parameters such as fingerprint scans and, at 210, numerically quantifies the biometric parameters for template comparison; at 212, the biometric authentication system 202 applies numeric data corresponding to the biometric parameters to the biometric data object database, which then identifies the closest matching biometric templates, at 214; at 215, the corresponding offsets are sent to the biometric authentication system 202, which derives candidate cryptographic keys, at 216, based on the offsets using multidimensional curves (by, e.g., identifying the y-axis intersection of the curve using modular arithmetic); paragraph 50-51, key derivation controller/key exchange controller derive asymmetric key pair and output public component to secured system); 
transmitting, to a server, a biometric information verification message (paragraph 39-40, biometric authentication system sends candidate keys derived from biometric information to device/system (i.e. secured system); device/system applies candidate keys to access secure systems; if access is granted, biometric authentication system indicates that user is authenticated); and
receiving, from the server, authentication result information indicative of the server verifying the biometric information verification message (paragraph 40, assuming a candidate key successfully gains access to the secure device/system 206, the secure device/system may respond by returning confidential data for display to the user).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the biometric authentication teachings of Jakobsson with the authentication information registration teachings of Damm-Goossens, in order to provide an authentication system using additional security factors such as biometric factors in addition to simple password authentication, thereby improving system security by requiring knowledge of a password (which can be stolen or guessed) as well as biometric factors which are more difficult to obtain or spoof.

Regarding Claims 22, 29, and 36:
Damm-Goossens in view of Jakobsson teaches the method of claim 21, the medium of claim 28, and the system of claim 35.  In addition, Jakobsson teaches wherein the biometric authentication information comprises one or more of fingerprint information, face image information, or voice information (paragraph 38, fingerprint is compared with database of templates; templates are identified that most closely match the user fingerprint).
The rationale to combine Damm-Goossens and Jakobsson is the same as provided for claims 21, 28, and 35 due to the overlapping subject matter between claims 21, 28, 35 and 22, 29, 36, respectively.

Regarding Claims 24, 31, and 38:
Damm-Goossens in view of Jakobsson teaches the method of claim 21, the medium of claim 28, and the system of claim 35.  In addition, Jakobsson teaches wherein the user device collects the biometric authentication information of the user using one or more of a fingerprint sensor, a camera, or a microphone (paragraph 42, Fig. 3, biometric input device, e.g. fingerprint scanner, iris scanner, or microphone).
The rationale to combine Damm-Goossens and Jakobsson is the same as provided for claims 21, 28, and 35 due to the overlapping subject matter between claims 21, 28, 35 and 24, 31, 38, respectively.

Regarding Claims 25, 32, and 39:
Damm-Goossens in view of Jakobsson teaches the method of claim 21, the medium of claim 28, and the system of claim 35.  In addition, Jakobsson teaches storing the preset biometric authentication information on the user device (paragraph 47, Fig. 3, external shared HW resources of exemplary smartphone, including biometric data object database; paragraph 43, biometric templates derived from user are employed to populate biometric data object database).
The rationale to combine Damm-Goossens and Jakobsson is the same as provided for claims 21, 28, and 35 due to the overlapping subject matter between claims 21, 28, 35 and 25, 32, 39, respectively.

Regarding Claims 26, 33, and 40:
Damm-Goossens in view of Jakobsson teaches the method of claim 21, the medium of claim 28, and the system of claim 35.  In addition, Damm-Goossens teaches storing the digital signature certificate private key and the digital signature certificate public key (paragraph 50, mobile communication device stores private key; authentication server stores public key).

Regarding Claims 27 and 34:
Damm-Goossens in view of Jakobsson teaches the method of claim 21 and the medium of claim 28.  In addition, Damm-Goossens teaches wherein the signed registration request message includes authentication challenge information, and wherein the authentication challenge information is digitally signed before the signed registration request message is generated (paragraph 50, during registration request, mobile communication device generates public key and signs with corresponding private key; registration request includes public key and signed public key; authentication server validates signature of public key, verifying sender; public key therefore comprises authentication challenge information, and is digitally signed).

Claim(s) 23, 30, 37 is/are rejected under 35 U.S.C. 103 as being unpatentable over Damm-Goossens in view of Jakobsson, and further in view of Baghdasaryan et al (PGPUB 2011/0082791).

Regarding Claims 23, 30, and 37:
Damm-Goossens in view of Jakobsson teaches the method of claim 21, the medium of claim 28, and the system of claim 35.
Neither Damm-Goossens nor Jakobsson explicitly teaches the method, medium, and system, comprising: 
determining the user device supports identification of biometric authentication information.
However, Baghdasaryan teaches the concept of determining a user device supports identification of biometric authentication information (abstract, request for secure financial transaction is received from a user, who is authenticated with a biometric device; paragraph 54, when a secure transaction is initiated, the systems and methods check the computing device accessing the Web site to determine if the computing device includes a fingerprint sensor or other biometric device; if so, an enrollment and/or authentication process is activated to offer an enhanced level of security to the user).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the device capability check teachings of Baghdasaryan with the biometric authentication registration teachings of Damm-Goossens in view of Jakobsson, in order to improve user convenience and efficiency by determining whether a device supported particular authentication methods prior to registering said methods, thereby providing additional security factors if possible, and allowing the system to choose other potential security factors in the event biometric authentication was unavailable.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FORREST L CAREY/Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491