DETAILED ACTION

Status of Claims
This action is in reply to the amendments and arguments filed July 5, 2022. Claims 1, 13, and 20 have been amended. Claims 1-4 and 6-21 are currently pending and have been examined.


Response to Arguments
112(a): Applicant’s response and amendments have been fully considered and are persuasive. The 112(a) rejection of claims 1-4 and 6-21 is withdrawn (see arguments, page 10-11)
112(b): Applicant’s response and amendments have been fully considered and are persuasive. The 112(b) rejection of claims 1-4, 5-12 and 21 is withdrawn (see arguments page 10-11). 
103: Applicant’s arguments with respect to the 103 rejection have been fully considered but are not persuasive.
Applicant essentially argues the amended claims overcome the cited references in the previous rejection (see pp. 11-12 of Applicant’s arguments). The Applicant’s arguments are moot in light substantive amendments of the independent claims that necessitate updated search and consideration (see MPEP 706.07(a), 1207.03(a)).
As such, an updated 103 rejection is provided below that addresses the amended claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 8, 13-16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20150150104 A1 (Melzer) in view of US 20150205957 A1 (Turgeman).

As per claims 1, 13, and 20, Melzer teaches, 
a data module (FIG. 2, item 211, ¶ [0045] “central monitoring module”) configured to receive sensor data (¶ [0022] “behavior of the user”) from a hardware device associated with a user (¶ [0022] “client terminal”), the sensor data comprising information describing the user's historical usage of one or more applications that are executable on the hardware device (¶ [0031] “application usage data”),
a transaction module (¶ [0065]) configured to receive transaction data associated with a transaction (¶ [0065] “an access request”),
a verification module (¶ [0022] “an authentication module”) configured to verify an identity of a user (¶ [0022] “authenticate”) making the transaction (¶ [0022] “an access to a resource”) based on the received sensor data by (¶ [0022] “a deviation from the behavioral pattern),
dynamically generating a security question (¶ [0022] “a security question”) that relates to the received sensor data (¶ [0022] “deviation”), the security question generated based on the usage information describing the user's historical usage of the one or more applications that are executable on the hardware device (¶ [0031] “behavior may include … application usage data”),
presenting the dynamically generated security question to the user for the user to provide a response within an application (¶ [0022] “a user interface which generates a presentation of the security question and receives a user input in response to the presentation”),
determining whether the user's response (¶ [0022] “user input”) to the dynamically generated security question (¶ [0022] “in response to the presentation”) corresponds to the sensor data (¶ [0022] “the deviation”) used to generate the security question in response to receiving the user's response (¶ [0022] “receives a user input”) while the application presenting the dynamically generated security question remains open (¶ [0022] “a user interface … receives a user input in response to the presentation”), 
verifying the user's identity (¶ [0022] “authenticate”) and allowing the transaction (¶ [0022] “an access to a resource”) in response to determining that the user's response corresponds to the sensor data (¶ [0022] “a match between the user input and the deviation”),
wherein said modules comprise one or more of hardware circuits, programmable hardware devices, and a processor executing code (¶ [0034).

Melzer does not explicitly teach, however, Turgeman teaches,
denying the transaction (FIG. 3, item 333, ¶ 82 “require the user to actively call a telephone support line or a fraud department of the computerized service”) in response to detecting that an action performed by the user indicates the user is attempting to determine an answer to the dynamically generated question using an alternate one of the one or more applications (¶ 68 “adding a redundant question that is not required for the account-creation process (e.g., "How did you hear about us?"); or the like… whereas an experienced attacker would be surprised and would exhibit changes in his data-entry patterns or speed, in his navigation or interactions, or the like. Such rule(s) may be used by the system in order to differentiate between an authorized user and an attacker” ¶ 68 "correction operations" (e.g., would not click on the Back button of the browser or the account-creation process”).
It would have been obvious before the effective file date to provide security answer related suspicious activity mitigation based user interaction analysis of Turgeman in Melzer. The motivation would be to improve security associated with transaction authorization.

As per claim 8, combination of Melzer and Turgeman teach all the limitations of claim 1. Melzer also teaches, 
wherein the verification module is further configured to (¶ [0022]) verify the user's identity (¶ [0022]) during an ongoing transaction (¶ [0065] “an access request from a user”) by prompting the user for the response to the security question to complete the transaction (¶ [0022] “a presentation of the security question”).


Claim 2-4 and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Melzer in view of Turgeman in further view of US 20150347999 A1 (Lau).

As per claims 2 and 14, combination of Melzer and Turgeman teach all the limitations of claims 1 and 13. Melzer also teaches, 
wherein the verification module (¶ [0022]) comprises a location module configured to (¶ [0047] “a GPS module”) verify the identity of the user by determining that the sensor data comprises a geographic location for the user (¶ [0010]).

Melzer does not explicitly teach, however, Lau teaches,
that corresponds to a geographic location of the transaction (¶ [0016]-[0017]).
It would have been obvious before the effective file date to authorize a transaction based on a transaction location of Lau in Melzer. The motivation would be to improve security associated with transaction authorization.

As per claims 3 and 15, combination of Melzer and Turgeman teach all the limitations of claims 1, 2 and 13, 14. Melzer also teaches,
wherein the location module is further configured to (¶ [0047]),

Melzer does not explicitly teach, however, Lau teaches, 
verify the identity of the user in response to determining that the user provided authentication information for the transaction at the geographic location that corresponds to authentication information for the user from the sensor data (¶ [0016], [0017]).
It would have been obvious before the effective file date to authorize a transaction based on a transaction location of Lau in Melzer. The motivation would be to improve security associated with transaction authorization.

As per claims 4 and 16, combination of Melzer, Turgeman, and Lau teach all the limitations of claims 1, 2 and 13, 14. Melzer teaches, 
wherein the location module is further configured to (¶ [0047]) 

Melzer does not explicitly teach, however, Lau teaches,
verify the identity of the user in response to determining that the geographic location of the transaction is within a threshold distance of a known location in the sensor data (¶ [0040]).
It would have been obvious before the effective file date to authorize a transaction based on a transaction location of Lau in Melzer. The motivation would be to improve security associated with transaction authorization.


Claim 9 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Melzer in view of Turgeman in further view of US 20150032621 A1 (Kar).

As per claim 9, combination of Melzer and Turgeman teach all the limitations of claim 1. Melzer also teaches, 
wherein the verification module is further configured to (¶ [0022]) prompt the user for a response to a security question (¶ [0022]).

Melzer does not explicitly teach, however, Kar teaches, 
in response to suspecting fraud associated with the transaction (¶ [0023], [0053]).
It would have been obvious before the effective file date to provide fraud analysis of Kar in Melzer. The motivation would be to improve transaction authorization security.

As per claim 21, combination of Melzer, Turgeman, and Kar teach all the limitations of claim 1 and 9. Kar also teaches, 
wherein the detected fraud comprises (¶ [0023], [0053]) one or more of detecting that a transaction is fraudulent (¶ [0049]), detecting that the hardware device is stolen, and in response to a fraud check by a financial institution.
It would have been obvious before the effective file date to provide fraud analysis of Kar in Melzer. The motivation would be to improve security associated with transaction authorization.


Claims 6, 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Melzer in view of Turgeman in further view of US 7606915 B1 (Calinov).

As per claim 6, combination of Melzer and Turgeman teach all the limitations of claim 1. Melzer also teaches,
wherein the verification module is further configured to (¶ [0022]).

Melzer does not explicitly teach, however, Calinov teaches, 
deny the transaction in response to detecting that the user used an application that can be used to determine the response to the prompt prior to providing the response to the prompt (col. 9, lines 12-17).
It would have been obvious before the effective file date to provide security attack analysis during security question based authentication of Calinov in Melzer. The motivation would be to improve security associated with transaction authorization.

As per claim 17, combination of Melzer and Turgeman teach all the limitations of claim 13. 
Melzer does not explicitly teach, however, Calinov teaches, 
wherein the transaction is denied in response to detecting that the user used an application that can be used to determine the response to the prompt prior to providing the response to the prompt (col. 9, lines 12-17, col. 9, lines 23-43).
It would have been obvious before the effective file date to provide security attack analysis during security question based authentication of Calinov in Melzer. The motivation would be to improve security associated with transaction authorization.

As per claim 19, combination of Melzer, Turgeman, and Calinov teach all the limitations of claims 13 and 17. Melzer also teaches, 
verify the user's identity during an ongoing transaction (¶ [0022], [0065]) by prompting the user for the response to the security question to complete the transaction ((¶ [0022])).


Claims 7 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Melzer in view of Turgeman in further view of US 20110154459 A1 (Kuang).

As per claim 7, combination of Melzer and Turgeman teach all the limitations of claim 1. Melzer also teaches, 
wherein the verification module is further configured to (¶ [0022]) in response to confirming that the user's response to the prompt corresponds to the sensor data (¶ [0022]).

Melzer does not explicitly teach, however, Kuang teaches, 
access one or more passwords securely stored by a third-party password manager (¶ [0159]),
login to one or more of the user's online accounts associated with the one or more passwords (¶ [0122], [0021] “To log on to his/her account”).
It would have been obvious before the effective file date to provide third party trusted credential services of Kuang in Melzer. The motivation would be to improve security associated with transaction authorization.

As per claim 12, combination of Melzer and Turgeman teach all the limitations of claim 1. Melzer also teaches, 
the sensor data comprises sensor data corresponding to the real-time transaction data (¶ [0030] “a deviation that is … up to date routinely actions”).

Melzer does not explicitly teach, however, Kuang teaches, 
the transaction data comprises real-time transaction data for a transaction in process (¶ [0201]).
It would have been obvious before the effective file date to provide third party trusted credential services of Kuang in Melzer. The motivation would be to improve security associated with transaction authorization.


Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Melzer in view of Turgeman in view of Calinov in further view of Kuang.

As per claim 18, combination of Melzer, Turgeman, and Calinov teach all the limitations of claims 13 and 17. Melzer also teaches, 
in response to confirming that the user's response to the prompt corresponds to the sensor data (¶ [0022]).

Melzer does not explicitly teach, however Kuang teaches,
access one or more passwords securely stored by a third-party password manager (¶ [0159]),
login to one or more of the user's online accounts associated with the one or more passwords (¶ [0122] , [0021]).
It would have been obvious before the effective file date to provide third party trusted credential services of Kuang in Melzer. The motivation would be to improve security associated with transaction authorization.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Melzer in view of Turgeman in further view of US 20140207680 A1 (Rephlo).

As per claim 10, combination of Melzer and Turgeman, teach all the limitations of claim 1. Melzer also teaches, 
provide at least a portion of the sensor data (¶ [0022]).

Melzer do not explicitly teach, however, Rephlo teaches, 
an offer module configured to (¶ [0035]),
to a third-party service provider to receive an offer associated with the transaction (¶ [0050]).
It would have been obvious before the effective file date to provide commercial sales activity associated with third party credential services of Rephlo in Melzer. The motivation would be to improve security associated with sales activities.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Melzer in view of Turgeman in further view of US 20140164256 A1 (Booij).

As per claim 11, combination of Melzer and Turgeman teach all the limitations of claim 1. Melzer also teaches, 
the sensor data comprises historical sensor data corresponding to the historical transaction data (¶ [0031]).

Melzer does not explicitly teach, however, Booij teaches,
the transaction data comprises historical transaction data that is aggregated from a plurality of third-party data sources (¶ [0087]).
It would have been obvious before the effective file date to provide historical data of Booij in Melzer. The motivation would be to improve security associated with transaction authorization by broadening resources associated with the historical activities.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BROCK E TURK whose telephone number is (571)272-5626. The examiner can normally be reached Monday-Friday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin Hewitt II can be reached on 571-272-6709. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BROCK E TURK/Examiner, Art Unit 3692           


/EDWARD J BAIRD/Primary Examiner, Art Unit 3692