DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on August 25, 2022 has been entered.

Response to Amendment
Claims 1, 9, and 17 have been amended.  Claims 5 and 13 have been canceled.  Claims 1-4, 6-12, and 14-20 are pending and are provided to be examined upon their merits.

Response to Arguments
Applicant's arguments filed August 25, 2022 have been fully considered but they are not persuasive.  A response is provided below in bold where appropriate.
Applicant argues 35 USC §112 Rejection, starting pg. 7 of Remarks:
REJECTIONS UNDER 35 U.S.C. §112
Claims 1-4, 6-12, and 14-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre- AIA ), first paragraph, as failing to comply with the written description requirement. Applicant disagrees. The Office Action alleges that “detecting, by the mobile device...” and “determining, by the mobile device...” is not taught by the specification. In particular, the Office Action states that “the FSP device detects capabilities of the use device.” See Office Action, p. 11. Applicant agrees that the specification teaches that the FSP device detects capabilities of the user device. However, this feature is taught as part of a process of FIG. 9. Furthermore, the specification recites that “one or more steps of process 900 may be implemented by other components of system 100 (shown or not shown}, including biometric database 150 and/or user device 110.” See Specification, { [108]. Accordingly, the written description contemplates performing the “detecting ...” feature at issue at a mobile device. Applicant has removed the “determining ...” feature from the independent claims rending the rejection of this feature moot.

From Applicant’s argument above…
>>”See Office Action, p. 11. Applicant agrees that the specification teaches that the FSP device detects capabilities of the user device. However, this feature is taught as part of a process of FIG. 9.”<<

Respectfully, there is no detecting step in Fig. 9.  If there is, Applicant is requested point to the exact reference number that is being referred to and the Examiner will further consider.

From Applicant’s argument above…
>>”Furthermore, the specification recites that “one or more steps of process 900 may be implemented by other components of system 100 (shown or not shown}, including biometric database 150 and/or user device 110.” See Specification, ¶ [108].”<<

From para. [108]…
“Figure 9 shows an exemplary financial authorization process, consistent with disclosed embodiments. Process 900 may be performed by processor 210 of, for example, FSP device 120 executing instructions encoded on a computer-readable medium storage device. It is to be understood, however, that one or more steps of process 900 may be implemented by other components of system 100 (shown or not shown}, including biometric database 150 and/or user device 110. At step 910, FSP device 120 may receive transaction data. In one aspect, FSP 120 may receive transaction data from user device 110. As an example, user device 110 may execute a mobile application associated with the financial service provider associated with FSP device 120. User device 100 may transmit transaction data via network 140 to FSP device 120. Transaction data may be entered and transmitted manually per transaction into user device 110 by a user, for example by typing it on a keyboard or other input device (not shown). Transaction data may also be entered and transmitted automatically, for example, by a mobile application on user device 110.” [108]

Therefore, the above is not teaching detecting authenticating capabilities.

In addition, the specification recites:

The form of authentication data provided by the user may be dependent on the type of user device 110 the user is operating. For example, certain user devices may have a fingerprint scanner, but not a retina scanner. FSP device 120 may detect the capabilities of user device 110 when prompting the user to enter authentication data. See Specification, ¶ [113].

This above recitation in combination with the recitation of ¶ [108] supports that the mobile device is able to “detect the authenticating capabilities of the mobile device.” In addition, because the mobile devices may include “fingerprint scanners, but not retina displays,” a person skilled in the art would understand that the detection occurs based on “physical components” of the mobile device. Accordingly, the specification discloses “detecting, by the mobile device based on physical components of the mobile device, authenticating capabilities of the mobile device.”

Respectfully, for a mobile device to detect authenticating capabilities of the mobile device based on physical components, it would have to run software of some type to determine what authenticating capabilities are available.  However, if the device has built in authentication technology such as finger print reader, there is no reason to even detect the capability as it already exists.  In any event, no teaching of detecting can be found.

The Office Action further alleges that “selecting, by the mobile device, a plurality of authentication options ...” is not described in the specification. In particular, the Office Action alleges that “the FSP determines if there is a tier required for a transaction.” See Office Action, p. 13. Applicant disagrees. The recitation above is taught as part of a process 1000 of FIG. 10. In addition, the specification recites that “that one or more steps of process 1000 may be implemented by other components of system 100 (shown or now shown), including biometric database 150 and/or user device 110.” See Specification, ¶ [115]. Accordingly, this feature is supported by the originally filed specification.

From para. [115]…
“Figure 10 shows an exemplary multi-tiered authentication process 1000, consistent with disclosed embodiments. Process 1000 may be performed by processor 210 of, for example, FSP device 120 executing instructions encoded on a computer- readable medium storage device. It is to be understood, however, that one or more steps of process 1000 may be implemented by other components of system 100 (shown or now shown), including biometric database 150 and/or user device 110.” [115]

Therefore Fig. 10 may be performed by a processor.

From the amended claim…
“selecting, by the mobile device based on the authenticating capabilities of the mobile device, a plurality of authentication options, wherein each option of the plurality of authentication options fulfills a corresponding authentication requirement for the authentication tier or one or more authentication tiers below the authentication tier;”

Therefore selecting a plurality of authentication options by the mobile device.

Respectfully, exactly what step (reference number) in Fig. 10 is selecting by the mobile device a plurality of authentication options?  Based on the above, the rejection is respectfully maintained.  

Applicant argues 35 USC §101 Rejection, starting pg. 8 of Remarks:
REJECTIONS UNDER 35 U.S.C. §101

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Applicant submits that claims 1-20 are patent- eligible, at least, because amended independent claims 1, 9, and 17 integrate any abstract idea into a practical application. In particular, the claims recite a mechanism for using multiple tiers of authentication by detecting authenticating capabilities of a client device and using those authenticating capabilities to select authentication options for each tier for authenticating a user. In particular, the claims recite:

receiving, by the mobile device from the server, an authentication request comprising authentication requirements that include an authentication tier;

detecting, by the mobile device based on physical components of the mobile device, authenticating capabilities of the mobile device; and

selecting, by the mobile device based on the authenticating capabilities of the mobile device, a plurality of authentication, wherein each option of the plurality of authentication options fulfills a corresponding authentication requirement for the authentication tier or one or more authentication tiers below the authentication tier;

The above technical features enable a multi-tier authentication mechanism to perform user authentication. Accordingly, the claims integrate any abstract idea into a practical application. 

Receiving an authentication request is itself abstract as is selecting authentication capabilities.  The detecting step is unsupported in the disclosure, and even if it were taught, it is at a high level of generality.  Therefore the rejection is respectfully maintained.

REJECTIONS UNDER 35 U.S.C. §103

U.S. Patent No. US 10163105 (“Ziraknejad”) and U.S. Pat. App. Pub. No. 2013/0109357 (“Ganatra’’), whether taken alone or in combination do not show or render obvious “detecting, ... based on physical components of the mobile device, authenticating capabilities of the mobile device,” as required by amended independent claims 1, 9, and 17. The Office Action alleges that this feature is inherently taught by Ziraknejad because Ziraknejad discusses different examples of client device requests to the user. See Office Action, p. 15 citing Ziraknejad, col. 2, Il. 19-30. Applicant disagrees. The MPEP requires that “inherent characteristic necessarily flows from the teachings of the applied prior art. See MPEP 2112 IV. However, in this case, the client device may just include all the physical components needed to provide requests to the user. Thus, no detection is required. Ganatra merely enables detection of a physical component of a user device and, like Ziraknejad, does not discuss detecting “authenticating capabilities,” as the claims require.

Ganatra teaches detecting hardware components. 

From Ganatra…
Mobile device can detect available components…
“Referring to hardware component 103 (microphone) in FIG. 1, a hardware component of a mobile device can be an external hardware device that can be connected to the mobile device. A hardware component is available if the hardware component is not turned off (e.g., when a lens cover of a digital camera component is removed), or if the hardware component is properly connected to the mobile device (e.g., when a microphone is plugged into the mobile device). In some implementations, a mobile device can detect available components by consulting a local hardware stack or by running a software polling program that polls connection ports. A connection port can be, for example, a socket, a Universal Serial Bus (USB) port, or a Personal Area Network (PAN) to which the mobile device is connected using Bluetooth technology. In some other implementations, a mobile device can detect available hardware components by running a hardware detection program that is triggered by the physical insertion of a hardware device.” [0036]

Operating system can identify hardware components…
“In addition, operating system 154 can identify instructions for identifying one or more properties for each of the identified hardware component 108. For example, operating system 154 for mobile device 200 can identify hardware component 108d microphone. Operating system 154 on mobile device 200 can identify different properties for different hardware components 108. For instance, a model of mobile device 200 can include a larger storage component than another model of mobile device 200. As result of this example difference, operating system 154 can configure a property of media player application 112a differently for the different models of mobile device 200. In connection with identifying applications 112 and associated properties, operating system 154 can automatically configure applications 112 and associated properties for execution by the different models of mobile device 200. Further, during an application program download process, the device model/type, as well as other information on hardware components, can be sent to server 130. As mentioned above, software stack 104 can, in some implementations, enable the development of a single software stack 104 that can be loaded in one or more different devices and automatically configure one or more of the applications 112 to execute on the different devices.” [0059]

Include biometric sensor and other sensing devices…
“Sensors, devices and subsystems can be coupled to peripherals interface 306 to facilitate multiple functionalities. For example, a motion sensor 310, a light sensor 312, and a proximity sensor 108j can be coupled to peripherals interface 306 to facilitate the orientation, lighting and proximity functions. Other sensors 316 can also be connected to peripherals interface 306, such as a temperature sensor, a biometric sensor, or other sensing device, to facilitate related functionalities.” [0073]

Furthermore, Ziraknejad and Ganatra, whether taken alone or in combination, do not show or render obvious “selecting, by the mobile device based on the authenticating capabilities of the mobile device, a plurality of authentication options ...,” as recited by amended independent claims 1,9, and 17. Ziraknejad discusses several examples of biometric authentication that a client device can perform including “voice sample, fingerprint, retina scan, and/or facial scan.” See Ziraknejad, col. 2, Il. 19-30. Furthermore, Ziraknejad discusses an authentication server determining “that the individual using the client device 110 should be biometrically authenticated as the user 120 based on the risk level.” See Ziraknejad, col. 8, ll. 5-23. However, Ziraknejad is silent on selecting authentication options not only based on “authenticating capabilities of the mobile device” as the claims require, but Ziraknejad’s system performs the risk analysis on an authentication server 150. Thus, Ziraknejad’s authentication server is unable to select authentication options based on “authenticating capabilities of the mobile device” as there is no disclosure of discovering authenticating capabilities from the server device. Ganatra is used for other features of the claims, and, like Ziraknejad, does not show or render obvious the subject matter at issue. Although, Ganatra discusses that a “server can identify an available hardware component,” Ganatra is silent on these components being related to authenticating capabilities of the mobile device. Accordingly, the combination of Ziraknejad and Ganatra would, at best, yield a system that enables a server to identify hardware components of a client device, but would not be able to determine whether those hardware components represent authenticating capabilities of a client device.

From Zirkanejad…
Example of client device may display a prompt for voice and display an option for the user to provide biometric information (therefore by the mobile device select options)…
“In some implementations, the system 100 may also enable the user 120 to select which type of biometric authentication to use. For example, if the client device 110 receives a request for voice input from the authentication server 150, the client device 110 may display a prompt for voice input and also display an option for the user 120 to provide biometric information that may be considered more secure, e.g., providing fingerprint scan, a facial scan, or an iris scan. In some implementations, the client device 110 may receive an indication of which types of biometric authentication that the authentication server 150 will accept based on the risk level and may allow the user 120 to select from the types of biometric authentication.” (col. 10, lines 1-13)

Accordingly, independent claims 1, 9, and 17 and their respective dependent claims are patentable over the art of record.

Based on the above response, the rejection is respectfully maintained but modified for the claim amendments.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-4, 6-12, and 14-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
Claims 1-4, 6-12, and 14-20 are directed to a system, method, or product, which are statutory categories of invention.  (Step 1: YES).
The Examiner has identified method Claim 9 as the claim that represents the claimed invention for analysis and is similar to system Claim 1 and product Claim 17.  Claim 9 recites the limitations of:
A computer-implemented method for authenticating mobile devices, the method comprising:
transmitting, from a mobile device to a server, a transaction request for a transaction;
receiving, at the mobile device from the server, an authentication request comprising authentication requirements that include an authentication tier;
detecting, by the mobile device based on physical components of the mobile device, authenticating capabilities of the mobile device;
selecting, by the mobile device based on the authenticating capabilities of the mobile device, a plurality of authentication options, wherein each option of the plurality of authentication options fulfills a corresponding authentication requirement for the authentication tier or one or more authentication tiers below the authentication tier; 
iteratively generating for display on a display of the mobile device a prompt for user input for the authentication tier and the one or more authentication tiers below the authentication tier in order based on each selected authentication option;
transmitting authentication data from the mobile device to the server, the authentication data generated based on the user input; and
receiving, at the mobile device, an authentication confirmation.

These above limitations, under their broadest reasonable interpretation, cover performance of the limitation as certain methods of organizing human activity.  The claim recites elements, highlighted in bold above, which covers performance of the limitation as a fundamental economic practice (e.g. selecting authentication options, which is mitigating risk) and commercial interaction (e.g. transmitting a transaction request).  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation as a fundamental economic practice or commercial interaction, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.  Claims 1 and 17 are also abstract for similar reasons. (Step 2A-Prong 1: YES. The claims are abstract)
This judicial exception is not integrated into a practical application. In particular, the claims only recite: mobile device, memory devices, communication device, processors, server, physical components of the mobile device (Claim 1); mobile device, processors, server, physical components of the mobile device (Claim 9); computer-readable medium, mobile device, processors, server, physical components of the mobile device (Claim 17) The computer hardware is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts no more than mere instructions to apply the exception using a generic computer component.  Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they  do not impose any meaningful limits on practicing the abstract idea. The step of detecting, by the mobile device physical components of the mobile device does not appear to be supported in the disclosure and is claimed at a high level of generality.  The step of generating for display a prompt for user input, even if not abstract, is essentially requesting using a computing device, user input for authentication, which appears to be based on various existing capabilities of a device and could be many different things (e.g. see para. [073] where prompt could be an email, text, pop-up, etc. message), therefore using existing computer capabilities for communication of information to users.  Therefore claims 1, 9, and 17 are directed to an abstract idea without a practical application.  (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and as an ordered combination, they do not add significantly more (also known as an “inventive concept”) to the exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a computer hardware amounts to no more than mere instructions to apply the exception using a generic computer component.  Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.  The detecting based on physical components step does not appear to be taught in the disclosure as claimed.  The generating a display for a prompt, as indicated by Applicant’s own disclosure, appears to be using known prompting capabilities such as email, text, pop-up, etc. messages.  Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they  do not impose any meaningful limits on practicing the abstract idea.  Steps such as transmitting and receiving are steps that are considered insignificant extra solution activity and mere instructions to apply the exception using general computer components (see MPEP 2106.05(d), II). Thus claims 1, 9, and 17 are not patent eligible. (Step 2B: NO. The claims do not provide significantly more)  
Dependent claims 2-4, 6-8, 10-12, 14-16, and 18-20 further define the abstract idea that is present in their respective independent claims 1, 9, and 17 and thus correspond to Certain Methods of Organizing Human Activity and hence are abstract for the reasons presented above.  Claims 2, 3, 6, 8, 10, 11, 14, 16,  18, and 19 recite steps that are themselves abstract (related to either authentication or transaction), Claim 4, 12, and 20 further limit determining capabilities of the mobile device, but where the determining could be performed by a person.  Claims 7 and 15 further limit the authentication data to comprise fingerprint detection, facial recognition (could be done by a person), etc., where the different types of data are just limiting the transmitting authentication data based on user input, therefore further limiting an abstract idea of transmitting authentication data, and where the authentication data generated is at a high level of generality.  Therefore, the dependent claims do not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination.  Therefore, the claims 2-4, 6-8, 10-12, 14-16, and 18-20 are directed to an abstract idea.  Thus, the claims 1-4, 6-12, and 14-20 are not patent-eligible.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-4, 6-12, and 14-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 9 has “detecting, by the mobile device based on physical component of the mobile device, authenticating capabilities of the mobile device; determining, by the mobile device, a set of authentication options associated with the authenticating capabilities of the mobile device;” where no teaching of either: 1) a mobile device detecting authenticating capabilities based on physical component can be found in the disclosure; and 2) based on the detecting by the mobile device authenticating capabilities, then determining by a mobile device a set of authentication options associated with the capabilities of the mobile device.  There is also no teaching of doing both steps.
The disclosure teaches:
“The user may provide authentication data via user device 110, and FSP 120 may receive the authentication data (step 940). The form of authentication data provided by the user may be dependent on the type of user device 110 the user is operating. For example, certain user devices may have a fingerprint scanner, but not a retina scanner. FSP device 120 may detect the capabilities of user device 110 when prompting the user to enter authentication data. Alternatively, FSP device 120 may prompt the user with a plurality of choices of authentication data the user may choose to enter, and the user may then select the option that corresponds with the capabilities of his or her particular user device 110.” [0113]

Therefore either: 1) the FSP device detects capabilities of the use device, prompting user to enter authentication data; OR 2) the FSP device prompts the user with a plurality of choices of authentication data the user may choose to enter, and the user selects the options that corresponds with the capabilities of the user’s particular device. Claims 1 and 17 have a similar problem. 

Claim 9 has “selecting, by the mobile device based on the authenticating capabilities of the mobile device, a plurality of authentication options, wherein each option of the plurality of authentication options fulfills a corresponding authentication requirement for the authentication tier or one or more authentication tiers below the authentication tier;” where no teaching of mobile device selecting authentication options can be found.  
The disclosure teaches:
“At step 1005, as also discussed with reference to FIG. 9, FSP device 120 may determine an authentication tier level for a particular transaction. Each transaction may be associated with a tier level. Additionally, different users associated with different user device(s) 110 may have a different tier level associated with each transaction. In certain aspects, different users may be customer(s) or potential customers of the financial service provider associated with FSP device 120. The tier level may indicate how many data security points must be verified before FSP device 120 may authorize the requested transaction. Security data points may include, for example, a username and password, a GPS location, a phone number or device identifier, or other data associated with user identification (e.g., SureSwipesM or the like). Security data points may additionally include biometric data, such as, for example, fingerprint, retina or iris scan, heartbeat or pulse pattern, facial recognition, voice recognition, or palm vein scan. Each data security point may correspond to a different tier. For example, biometric data may relate to a higher tier (more secure) than a username and password (less secure).” [0116]

Therefore, the FSP determines if there is a tier required for a transaction.  Claims 1 and 17 have a similar problem.

Claims 2-4, 6-8, 10-12, 14-16, and 18-20 are further rejected as they depend from their respective independent claims.

Examiner Request
The Applicant is requested to indicate where in the specification there is support for amendments to claims should Applicant amend.  The purpose of this is to reduce potential 35 U.S.C. §112(a) or §112 1st paragraph issues that can arise when claims are amended without support in the specification.  The Examiner thanks the Applicant in advance.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-4, 6-12, and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No. US 10163105 to Ziraknejad et al. Pub. No. US 2013/0109357 to Ganatra et al.
Regarding claims 1, 9, and 17
(claim 9) A computer-implemented method for authenticating mobile devices, the method comprising:
transmitting, from a mobile device to a server, a transaction request for a transaction;

Ziraknejad et al. teaches:
Provide (transmitting) a transaction request to a server from a client (mobile) device…
“The client device 110 may then provide the transaction request to the authentication server 150 (220). For example, the client device 110 may determine that the user “JANE DOE” is currently logged in on the client device 110 and has credentials to open the secured door, and may then provide a transaction request to the authentication server 150 that the user “JANE DOE” wishes to unlock the secured door. The transaction request may include risk profile information that describes the motion of the client device 110 during the past minute, which includes motion while scanning the QR code.” (col. 11, lines 61-67 to col. 12, lines 1-3)

receiving, at the mobile device from the server, an authentication request comprising authentication requirements that include an authentication tier;

Provide a request to the client device (receiving at the mobile device) and server may provide (therefore receiving from) a request for biometric (authentication) information…
“The authentication server 150 may provide a request for biometric information based on the risk level (240). For example, based on determining that there is a high risk level that the individual using the client device 110 is not the user 120, the authentication server 150 may provide a request to the client device 110 for fingerprint authentication and a pin code.” (col. 12, lines 15-21)

Receiving request at client for low and high risk level (tier)…
“For example, lower risk levels may be associated with authentication that is more convenient but less secure, and higher risk levels may be associated with authentication that is less convenient but more secure. In a particular example, in response to determining a low risk level, the authentication server 150 may provide the client device 110 a request for voice authentication by having the individual currently using the client device 110 speak some randomly generated numbers. In response to a high risk level, the authentication server 150 may provide the client device 110 a request for voice, fingerprint, and facial authentication.” (col. 8, lines 5-23)

detecting, by the mobile device based on physical components of the mobile device, authenticating capabilities of the mobile device;

Client device request say something (therefore inherently detecting capabilities) using a microphone (physical component) of a mobile device, in order to authenticate a user…
“The system may biometrically authenticate users by a voice sample, fingerprint, retina scan, and/or facial scan. For example, the client device may request that the user say something and capture what the user says using a microphone in the client device. In another example, the client device may request that the user place a finger on a fingerprint scanner of the client device. In yet another example, the client device may request that the user position a camera for scanning the user's retina and/or face. The system may then authenticate the user's identity by comparing the biometric information received by the client device with biometric information that was previously associated with the user.” (col. 2, lines 19-30) Inherent with client device request user to say something or place a finger is the client device detecting physical components of the device.

“In more detailed examples, the client device 110 may receive a request from the authentication server 150 where the request indicates that the client device 110 should prompt the individual using the client device 110 to say a predetermined number of random digits, e.g., the numbers “9-1-5-4,” for the authentication server 150 to verify that the voice matches a pre-stored representation of the user's voice stored by the authentication server 150. In response, the client device 110 may display a prompt, “To authenticate yourself for the transaction, please say the following random numbers: 9-1-5-4.”” (col. 5, lines 61-67 to col. 6, lines 1-4)

Risk profile may describe the client device…
“The transaction request that the client device 110 provides to the authentication server 150 may also include risk profile information. Risk profile information may describe the client device 110 or the individual using the client device 110. For example, the risk profile information may indicate orientation and motion of the client device 110 during the past minute as the client device 110 moved while the individual was walking. In a different example, the risk profile information may indicate the orientation and motion of the client device 110 as an optical machine-readable representation was scanned. In another example, the risk profile information may indicate how each character of an alphanumeric code was input into the client device 110. In yet another example, the risk profile information may indicate the orientation, height, and length of time that the user 120 held the client device 110 to capture a sound signal.” (col. 5, lines 18-33)

See Detection below.

selecting, by the mobile device based on the authenticating capabilities of the mobile device, a plurality of authentication options, wherein each option the plurality of authentication options fulfills a corresponding authentication requirement for the authentication tier or one or more authentication tiers below the authentication tier;

The client device may request (selecting by mobile device) an authentication option from voice or finger (therefore plurality of options)…
“The system may biometrically authenticate users by a voice sample, fingerprint, retina scan, and/or facial scan. For example, the client device may request that the user say something and capture what the user says using a microphone in the client device. In another example, the client device may request that the user place a finger on a fingerprint scanner of the client device. In yet another example, the client device may request that the user position a camera for scanning the user's retina and/or face. The system may then authenticate the user's identity by comparing the biometric information received by the client device with biometric information that was previously associated with the user.” (col. 2, lines 19-30)

Where the above voice or finger would be for an authentication level (tier)…
“For example, lower risk levels may be associated with authentication that is more convenient but less secure, and higher risk levels may be associated with authentication that is less convenient but more secure. In a particular example, in response to determining a low risk level, the authentication server 150 may provide the client device 110 a request for voice authentication by having the individual currently using the client device 110 speak some randomly generated numbers. In response to a high risk level, the authentication server 150 may provide the client device 110 a request for voice, fingerprint, and facial authentication.” (col. 8, lines 5-23)

Client device may request (therefore determining by a mobile device) user say something, etc. (authenticating) associated with microphone, scanner, etc. (authenticating capabilities) of the client (mobile) device…
“The system may biometrically authenticate users by a voice sample, fingerprint, retina scan, and/or facial scan. For example, the client device may request that the user say something and capture what the user says using a microphone in the client device. In another example, the client device may request that the user place a finger on a fingerprint scanner of the client device. In yet another example, the client device may request that the user position a camera for scanning the user's retina and/or face. The system may then authenticate the user's identity by comparing the biometric information received by the client device with biometric information that was previously associated with the user.” (col. 2, lines 19-30)

Example of client device may display a prompt for voice and display an option for the user to provide biometric information (therefore by the mobile device select options)…
“In some implementations, the system 100 may also enable the user 120 to select which type of biometric authentication to use. For example, if the client device 110 receives a request for voice input from the authentication server 150, the client device 110 may display a prompt for voice input and also display an option for the user 120 to provide biometric information that may be considered more secure, e.g., providing fingerprint scan, a facial scan, or an iris scan. In some implementations, the client device 110 may receive an indication of which types of biometric authentication that the authentication server 150 will accept based on the risk level and may allow the user 120 to select from the types of biometric authentication.” (col. 10, lines 1-13)

iteratively generating for display on a display of the mobile device a prompt for user input for the authentication tier and the one or more authentication tiers below the authentication tier in order based on each selected authentication option;

Prompt and display for authentication option including for finger and pin (therefore generating prompt on client device)…
“The client device 110 may prompt the user for the requested biometric information (250). For example, the client device 110 may display a prompt “Please scan your finger” followed by the prompt “please enter your pin code.” The client device 110 may then receive the biometric input in response to the prompt. For example, the client device 110 may receive a fingerprint scan along with an entered pin code.” (col. 12, lines 22-29)  Inherent with display is generating the display.

Example of additional request (therefore iteratively generating a prompt for authentication tier input)…
“In some implementations, the transaction provider 130 may request additional biometric authentication from the user. For example, after the transaction provider 130 receives an initial confirmation of the user's identity from the authentication server 150, the transaction provider 130 may receive a transaction request of withdrawing $5,000 from the user's bank account and determine that based on the amount and type of the transaction, that the transaction provider 130 also wants confirmation of authentication by facial recognition.” (col. 10, lines 14-23)

transmitting authentication data from the mobile device to the server, the authentication data generated based on the user input; and

Client (mobile) device send (transmitting) biometric input (authentication data) to server…
“The client device 110 may then send the biometric input to the authentication server 150 (260). For example, the client device 110 may send the fingerprint scan and the entered pin code to the authentication server 150.” 

receiving, at the mobile device, an authentication confirmation.

One example of receiving an authentication confirmation…
“In some implementations, the authentication server 150 may provide a confirmation of identity to the client device 110 for the client device 110 to provide to the transaction provider 130. For example, the authentication server 150 may provide a confirmation to the client device 110 and based on the confirmation, the client device 110 may then generate an alphanumeric code, a sound signal, or an optical machine-readable representation that is received by the transaction provider 130.” (col. 12, lines 44-52)

“Various customer devices are used by respective customers to interact with an authentication entity, such as a banking platform. Such customer devices include personal computers, cell phones, land phones, and PDAs (personal digital assistants), for example. The interaction might include an Internet session between a customer's computer and a banking platform, for example. In conjunction with such interaction, it is beneficial to authenticate the customer device, However, known techniques for authenticating such customer devices are lacking.” (col. 1, lines 11-20)

“The invention may provide processing to address the situation where a customer uses different devices to access the particular server. For example, the server might keep track of the particular device used, and track reissued cookies accordingly. The invention may use the particular attributes of a customer's computer (device) in others ways, such as looking for particular device attributes in conjunction with authentication. Various other features are provided by the invention.” (col. 3, lines 26-33)

Detection
Ziraknejad et al. teaches mobile device and biometric.  They do not teach detect  physical (hardware) component of a mobile device.

Ganatra et al. also in the business of mobile device and biometric teaches:
Mobile device can detect available components…
“Referring to hardware component 103 (microphone) in FIG. 1, a hardware component of a mobile device can be an external hardware device that can be connected to the mobile device. A hardware component is available if the hardware component is not turned off (e.g., when a lens cover of a digital camera component is removed), or if the hardware component is properly connected to the mobile device (e.g., when a microphone is plugged into the mobile device). In some implementations, a mobile device can detect available components by consulting a local hardware stack or by running a software polling program that polls connection ports. A connection port can be, for example, a socket, a Universal Serial Bus (USB) port, or a Personal Area Network (PAN) to which the mobile device is connected using Bluetooth technology. In some other implementations, a mobile device can detect available hardware components by running a hardware detection program that is triggered by the physical insertion of a hardware device.” [0036]

“A hardware component can be a smart hardware component. A smart hardware component can notify the mobile device whether the hardware component is available. In some implementations, a built-in hardware device can be programmatically activated or deactivated. For example, a mobile device 102 can have a "do not disturb" function that specifies at which time a loud speaker is available. During the "do not disturb" time, the loud speaker appears unavailable even though the loud speaker is built into mobile device 102.” [0037]

Operating system can identify hardware components…
“In addition, operating system 154 can identify instructions for identifying one or more properties for each of the identified hardware component 108. For example, operating system 154 for mobile device 200 can identify hardware component 108d microphone. Operating system 154 on mobile device 200 can identify different properties for different hardware components 108. For instance, a model of mobile device 200 can include a larger storage component than another model of mobile device 200. As result of this example difference, operating system 154 can configure a property of media player application 112a differently for the different models of mobile device 200. In connection with identifying applications 112 and associated properties, operating system 154 can automatically configure applications 112 and associated properties for execution by the different models of mobile device 200. Further, during an application program download process, the device model/type, as well as other information on hardware components, can be sent to server 130. As mentioned above, software stack 104 can, in some implementations, enable the development of a single software stack 104 that can be loaded in one or more different devices and automatically configure one or more of the applications 112 to execute on the different devices.” [0059]

Include biometric sensor and other sensing devices…
“Sensors, devices and subsystems can be coupled to peripherals interface 306 to facilitate multiple functionalities. For example, a motion sensor 310, a light sensor 312, and a proximity sensor 108j can be coupled to peripherals interface 306 to facilitate the orientation, lighting and proximity functions. Other sensors 316 can also be connected to peripherals interface 306, such as a temperature sensor, a biometric sensor, or other sensing device, to facilitate related functionalities.” [0073]

It would have been obvious to one of ordinary skill in the art at the time of filing to include in the method and system of Ziraknejad et al. the ability to detect hardware capabilities as taught by Ganatra et al. since the claimed invention is merely a combination of old elements and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Further motivation is provided by Ganatra et al. who teaches the benefit of detecting and providing software capabilities according to hardware components.

Regarding claims 2, 10, and 18
(claim 10) The computer-implemented method of claim 9, further comprising transmitting a customer identifier from the mobile device.

Ziraknejad et al. teaches:
Examples of signature (customer identifier)…
“The client device 110 may also receive a request from the authentication server 150 for non-biometric input from the user 120. For example, the client device 110 may receive a request from the authentication server 150 where the request indicates that the client device 110 should prompt the user 120 to enter a password, a pin number, or a signature, etc. The client device 110 may then receive the non-biometric input from the user 120 and provide the non-biometric information based on the non-biometric input to the authentication server 150.” (col. 6, lines 31-40)

Regarding claims 3, 11 and 19
(claim 11) The computer-implemented method of claim 9, wherein the authentication requirements comprise requirements for multi-tiered authentication.

{From Applicant’s specification on multi-tiered authentication…

“At step 930, FSP device 120 may determine an authentication tier level associated with the transaction. Each transaction may be associated with a tier level. Additionally, each user may have a different tier level associated with each transaction. The tier level may indicate how many data security points must be verified before FSP device 120 may authorize the requested transaction. Security data points may include, for example, a username and password, a GPS location, a phone number or device identifier, or other data associated with user identification methods (e.g., SureSwipe8 or the like). Security data points may additionally include biometric data, such as, for example, fingerprint, retina or iris scan, heartbeat or pulse pattern, facial recognition, voice recognition, or palm vein scan. Each data security point may correspond to a different tier. For example, biometric data may relate to a higher tier (more secure) than a username and password (less secure).” [111]

Therefore, multi-tiered would be more than one security input.}

Ziraknejad et al. teaches:
Biometric and non-biometric (multi-tiered) authentication…
“The authentication server 150 may be one or more computing devices that authenticate the user 120 using variable biometrics. The authentication server 150 may store biometric information regarding the user 120. For example, the authentication server 150 may store a representation of a voice of the user 120, an image of the user's face, a scan of a user's fingerprint, or a scan of a user's iris. The authentication server 150 may also store non-biometric information for identifying the user 120. For example, the authentication server 150 may store a password, a pin number, or a signature for the user 120. The authentication server 150 may receive and store the biometric and non-biometric information for the user 120 when the user 120 initially registers to use the system 100 or during an update of the stored information.” (col. 6, lines 39-55)

Regarding claims 4, 12, and 20
(claim 12) The computer-implemented method of claim 11, further comprising determining the capabilities of the mobile device corresponding to an authentication tier level associated with the authentication requirements.

Ziraknejad et al. teaches:
Example of voice (authentication requirement) for medium risk (tier level), etc.
“The system may also vary the type of biometric information used to authenticate the user. The system may use more secure but less convenient forms of biometric authentication as the risk that the individual using the client device is not the user increases. For example, for low risk, the system may only use voice recognition, for medium risk, the system may use finger print scanning, for high risk, the system may use facial scanning, and for very high risk, the system may use a combination of voice recognition, finger print scanning, and facial scanning.” (col. 2, lines 31-40)

Another example of authentication based on tier level…
“The authentication server 150 may determine that the individual using the client device 110 should be biometrically authenticated as the user 120 based on the risk level. The authentication server 150 may provide requests for varying biometric information based on the determined risk level. The type and amount of biometric authentication requested by the authentication server 150 for the different risk levels may balance convenience with security. For example, lower risk levels may be associated with authentication that is more convenient but less secure, and higher risk levels may be associated with authentication that is less convenient but more secure. In a particular example, in response to determining a low risk level, the authentication server 150 may provide the client device 110 a request for voice authentication by having the individual currently using the client device 110 speak some randomly generated numbers. In response to a high risk level, the authentication server 150 may provide the client device 110 a request for voice, fingerprint, and facial authentication.” (col. 8, lines 5-23)

The combined references teach determining capabilities of a mobile device.  They also teach tier levels of capabilities.  They do not teach determining capabilities corresponding to tier level.

Ganatra et al. also in the business of mobile device and biometric teaches:

Server can identify (detect) hardware component of mobile device…
“In some implementations, a server receives an application update request from a mobile device. The request can include a specification of the mobile device and a license. The server can identify an available hardware component of the mobile device based on the specification. The server can identify an access privilege of the hardware component based on the license. The server can further identify an application that utilizes the available hardware component of the mobile device and is accessible under the identified access privilege. The server can recommend the application in response to the application update request.” [0004]

Where identify is based on different capabilities of the mobile device such as microphone, camera, etc…
“Update request 122 can include specification 107 of mobile device 102. The specification of mobile device 102 can include information on the capability of mobile device 102 (e.g., whether mobile device 102 has a built-in camera, a built-in microphone, or a built in Global Positioning System (GPS) receiver). The capability of mobile device 102 can be determined by the hardware components of mobile device 102 and a software stack, which will be described in detail in reference to FIG. 2A.” [0018]

Include biometric sensor and other sensing devices…
“Sensors, devices and subsystems can be coupled to peripherals interface 306 to facilitate multiple functionalities. For example, a motion sensor 310, a light sensor 312, and a proximity sensor 108j can be coupled to peripherals interface 306 to facilitate the orientation, lighting and proximity functions. Other sensors 316 can also be connected to peripherals interface 306, such as a temperature sensor, a biometric sensor, or other sensing device, to facilitate related functionalities.” [0073]

It would have been obvious to one of ordinary skill in the art at the time of filing to include in the method and system of the combined references the ability to detect different hardware capabilities as taught by Ganatra et al. since the claimed invention is merely a combination of old elements and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Further motivation is provided by the combined references that benefit by using different hardware capabilities that correspond to different tier levels.  The combined references benefit by being able to determine hardware components available for different biometric tier levels.

Regarding claims 6 and 14
(claim 14) The computer-implemented method of claim 11, wherein a different customer associated with a different user device has a different tier level associated with the transaction.

Ziraknejad et al. teaches:
Example of customer not requiring biometric information based on recent use (therefore someone else would have to provide information)…
“In some implementations, the authentication server 150 may store information regarding previous authentications of the user 120 and may determine not to even provide a request for biometric information to the client device 110 based on stored information regarding previous authentications. For example, the authentication server 150 may store information indicating that the individual using the client device 110 was voice authenticated as the user 120 thirty minutes beforehand and so may provide the confirmation of authentication to the transaction provider 130 without requesting the client device 110 for voice input.” (col. 10, lines 57-67)

Regarding claims 7 and 15
(claim 15) The computer-implemented method of claim 9, wherein the authentication data comprises one or more of fingerprint detection, retina scan, iris scan, heartbeat pattern detection, facial recognition, voice recognition, or palm vein scan.

Ziraknejad et al. teaches:
Various biometric data including fingerprint scanner…
“The client device 110 may be a computing device that obtains biometric input from the user 120. For example, the client device 110 may be a mobile phone that includes (i) a microphone that can capture speech from the user 120, (ii) a camera that can capture an image of the user's face or iris, and/or (iii) a fingerprint scanner that can generate a representation of a user's fingerprint. The client device 110 may also include other sensors that capture information regarding the client device 110 or the user 120. For example, the client device 110 may include one or more motion sensors that may capture orientation, acceleration, and/or velocity information of the client device 110 and one or more GPS sensors that may capture a position, e.g., latitude, longitude, and elevation, of the client device 110.” (col. 4, lines 49-62)

Regarding claims 8 and 16
(claim 16) The computer-implemented method of claim 9, further comprising providing a notification on a display of the mobile device reflecting results of authentication.

Ziraknejad et al. teaches:
Another example of display…
“In response to receiving a confirmation the transaction may be performed, the transaction provider 130 may complete the transaction. For example, in response to receiving a confirmation from the authentication server 150 that the individual using the client device 110 is biometrically authenticated as “JOHN DOE,” the transaction provider 130 may display the bank balance for “JOHN DOE.”” (col. 4, lines 42-48)


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENNETH BARTLEY whose telephone number is (571)272-5230. The examiner can normally be reached Mon-Fri: 7:30 - 4:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Kalinowski can be reached on (571) 272-6771. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH BARTLEY/Primary Examiner, Art Unit 3693