DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 10/29/2020 and 01/28/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections

Claims 4, 6, 8, 12, 16 and 18 are objected to because of the following informalities:

In regards to Claims 4, 6, 8, 12, 16 and 18, the applicant recites the limitation “a result”, this is unclear because “a result” was already previously recited in independent claims. This creates confusion as to which result the applicant is referring. The specification states on Par. (0054) “At step 304, a user-specific digital signature that identifies (e.g., uniquely identifies) the user is generated based on user-specific information, which is obtained from the user as a result of initiating or receiving the request. For instance, the user- specific information may be obtained from an inherence factor and/or an ownership factor associated with the user. Accordingly, the user-specific information may be obtained from an item that is in possession of the user.”;. Therefore, it will be broadly and reasonably interpreted that “a result” is referring to the same “a result” recited in the independent claims. Examiner suggests amending the claims by using the phrase “the” in front of result to recite proper claim limitations and to eliminate confusion. Appropriate correction is required.

In regards to Claim 8, the applicant recites the limitation “ a reference digital signature”, this is unclear because a reference digital signature has already been previously recited in the independent claim. This creates confusion as to which reference digital signature the applicant is referring to. The specification state on Par. (0055) “At step 306, the user is selectively authenticated in accordance with a multi- factor authentication technique that requires multiple factors that are received from the user to match reference factors, which identify a reference user who is authorized to perform the operation with regard to the code, based on whether the user-specific digital signature that identifies the user matches a reference digital signature that identifies the reference user. For instance, the multi-factor authentication technique”. Therefore, it will be broadly and reasonably interpreted that “a reference digital signature” is referring to the same “reference digital signature” recited in the independent claim. Examiner suggests amending the claims by using the phrase “the” in front of reference digital signature to recite proper claim limitations and to eliminate confusion. Appropriate correction is required.

Claim Rejections - 35 USC § 103


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-4, 9-13 and 19-20, is/are rejected under 35 U.S.C. 103 as being unpatentable over  in further Yach et al. (EP No. 1626326 (Retrieved from IDS), hereinafter referred to as “Yach”) in further view of Johnston et al. (GB No. 2517732 (Retrieved from IDS), hereinafter referred to as “Johnston”)

	In regards to Claim 1, Yach teaches a system to use ….. authentication to selectively enable performance of an operation prior to or during release of code, the system comprising: (Par. (0038) “Although a digital signature generated by a signing authority is dependent upon authentication of the application developer and confirmation that the application developer has been properly registered, the digital signature is preferably generated from a hash or otherwise transformed version of the software application and is therefore application-specific.”; authentication (authentication of the application developer and confirmation..) (Par. (0013) “An application developer 12 creates a software application 14 (application Y) for a mobile device that requires access to one or more sensitive APIs on the mobile device. The software application Y 14 may, for example, be a Java application that operates on a Java virtual machine installed on the mobile device. An API enables the software application Y to interface with an application [..]  in such a way as to allow a software application Y to interact with one or more corresponding device resources. Providing access to any API therefore allows a software application Y to interact with associated device resources,”; enable performance of an operation during release of code (application developer creates software application and releases or deploys to other devices)), (Par. (0017) “the code signing authority 16 reviews the software application Y 14, although as described in further detail below, it is contemplated that the code signing authority 16 may also or instead consider the identity of the application developer 12 to determine whether or not the software application Y 14 should be signed. The code signing authority 16 is preferably one or more representatives from the mobile device manufacturer”; authentication [..] enable performance of operation during release of code ( reviews the software application to consider the identity))
memory; and (Figure 6 label 626, 624; (memory))
one or more processors coupled to the memory, the one or more processors configured to: (Figure 6 label 626, 624, 638; (microprocessor coupled to RAM and flash memory))
generate a user-specific digital signature that identifies a user of a code development service based at least in part on user-specific information, (Par. (0018) “then a signature (not shown) for the software application Y 14 is generated by the code signing authority 16 and appended to the software application Y 14. The signed software application Y 22, comprising the software application Y 14 and the digital signature, is then returned to the application developer 12. The digital signature is preferably a tag that is generated using a private signature key 18 maintained solely by the code signing authority 16. For example, according to one signature scheme, a hash of the software application Y 14 may be generated, using a hashing algorithm such as the Secure Hash Algorithm SHA1, and then used with the private signature key 18 to create the digital signature”; generate a user-specific digital signature that identifies a user of a code (signature generated corresponding to software application and the application developer (user of a code/ user-specific))), (Par. (0003) “a digital signature is attached to a software application that identifies the software developer. Once the software is downloaded by a user, the user typically must use his or her judgment to determine whether or not the software application is reliable, based solely on his or her knowledge of the software developer's”; user-specific digital signature that identifies a user of a code (digital signature identifies the software developer)), (Par. (0030) “including a software application Y to which two digital signatures 96E and 96F with corresponding signature identifications 94E and 94F have been appended. In the example system 61, each pair composed of a digital signature and identification, 94E/96E and 94F/96F, corresponds to a model of mobile device 62, API library 78, or associated platform 80. If signature identifications 94E and 94F correspond to different models of mobile device 62, then when a signed software application 70 which includes a software application Y that requires access to a sensitive API library 78 is loaded onto mobile device 62E”; based at least in part on user-specific information (signature identification associated with digital signature linked to mobile devices of user))
which is obtained from the user as a result of initiating a request to perform the operation with regard to the code prior to or during the release of the code or receiving the request from the user prior to or during the release of the code, (Par. (0035) “The target signing request includes the software application or a hash of the software application, a developer identifier, as well as at least one target device identifier which identifies the target device for which a signature is being requested [..] and the digital signature or a signed software application including the digital signature appended to the software application is returned to the developer at step 280.”; which is obtained from the user as a result of initiating a request (signature being requested [..] signature being returned)), (Par. (0014-0015) “the application developer 12 is required to obtain one or more digital signatures from the mobile device manufacturer or other entity that classified any APIs as sensitive, or from a code signing authority 16 acting on behalf of the manufacturer [..] a digital signature is obtained for each sensitive API or library that includes a sensitive API to which the software application requires access.”; which is obtained from the user (digital signature obtained)), (Par. (0035) “a code signing authority for one target device receives a target-signing request from the developer. The target signing request includes the software application or a hash of the software application, a developer identifier, [..] developer was trusted, at step 240 the signing authority determines if it has the target private key corresponding to the submitted target identifier by consulting a private key store such as a target private key database 245. If the target private key is found, then a digital signature for the software application is generated at step 260 and the digital signature or a signed software application including the digital signature appended to the software application is returned to the developer at step 280”; receiving the request from the user during the release of the code (receives a target signing request and returns software application to developer)), (Par. (0066) “a software application created by a software developer, comprising the steps of: receiving the software application from the software developer; reviewing the software application to determine [..] and providing access to the API to software applications for which the appended digital signature is authentic.”; during the release of the code (software application corresponding to provided access to API)) (Examiner Notes: Examiner asserts by using the phrase “or” the applicant is reciting conditional/ optional limitations that are not required to be fully mapped. Examiner broadly and reasonably interprets that if one claimed recitation is mapped within the “or” limitation then the claim is fully met.))
the code including at least one of software code or firmware code; (Par. (0013) “The software application Y 14 may, for example, be a Java application that operates on a Java virtual machine installed on the mobile device”; code including at least one of software code (software applications corresponding to Java))
which identify a reference user who is authorized to perform the operation with regard to the code, (Par. (0033) “If the digital signature is authentic, however, then the description string 88 is preferably displayed in step 112, warning the mobile device user that the software application requires access to a sensitive API, and possibly prompting the user for authorization to execute or load the software application (step 114). When more than one signature is to be verified for a software application, then the steps 104-110 are preferably repeated for each signature before the user is prompted in step 112. If the mobile device user in step 114 authorizes the software application,”; identify a reference user who is authorized to perform operation (digital signature authentic then prompts user for authorization to execute software application))
based at least in part on whether the user-specific digital signature that identifies the user matches a reference digital signature that identifies the reference user; and (Par. (0029) “the appropriate digital signature 96 is located by the virtual machine 64 by matching the signature identifier 92 in the API library 74 or 78 with a signature identification 94 on the signed software application. If the signed software application includes the appropriate digital signature 96, then the virtual machine 64 verifies its authenticity using the public signature key 20. Then, once the appropriate digital signature 96 has been located and verified, the description string 88 is preferably displayed on the mobile device before the software application X or Y is executed and accesses the sensitive API.”; user-specific digital signature matches a digital signature that identifies the reference user ( digital signature is matched with signed software application and its corresponding digital signature))
selectively enable the performance of the operation with regard to the code based at least in part on whether the user is authenticated in accordance with the …. authentication technique. ((Par. (0033) “If the digital signature is authentic, however, then the description string 88 is preferably displayed in step 112, warning the mobile device user that the software application requires access to a sensitive API, and possibly prompting the user for authorization to execute or load the software application (step 114). When more than one signature is to be verified for a software application, then the steps 104-110 are preferably repeated for each signature before the user is prompted in step 112. If the mobile device user in step 114 authorizes the software application,”; enable the performance of the operation [..] based at least in part on whether the user is authenticated ( if digital signature is authenticated user is authorized to execute or lead the software application))
However Yach does not explicitly teach multi-factor authentication, selectively authenticate the user in accordance with a multi-factor authentication technique that requires a plurality of factors that are received from the user to match a plurality of reference factors,
Wherein Johnston teaches multi-factor authentication (Page 3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; multi-factor authentication (biometric data or data representing passcode or PIN for authentication)), (Page 15 lines 10-32 “The user could have the ability to halt this session at any point from the administrator device, for example by initiating a halt button on the administrator device. The code which is created is preferably as a result of a two or three factor authentication with the administrator device.”; multi factor authentication (two or three factor authentication))
selectively authenticate the user in accordance with a multi-factor authentication technique that requires a plurality of factors that are received from the user to match a plurality of reference factors, (Page 1 lines 16-25 “sending a request from the device to access the data, the request including an identification code of a secure element or memory card associated with the device; (ii) verifying, based at least partly on the identification code, whether access to the data is to be allowed or denied”; selectively authenticate a user (request with an identification code that is verified to allow or deny access of a device)), (Page 7 lines 30-5 and Page 8 lines 1-25 “receiving at the device an invitation to access the data, the invitation comprising a password, code or PIN; sending a request from the device to access the data, the request including the password, code or PIN; verifying, based at least partly on the password, code or PIN, whether access to the data is to be allowed or denied [..] a user to send invitations to further devices (his own or those or another user) so that further devices may also access data. These devices (or an identification code associated therewith) need not necessarily be registered with the data in order to be granted access [..] the password, code or PIN is only valid for a specified period of time. Thus, if it is not used within the specified period, access will not be granted based on that password, code or PIN. The period may be up to 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 20, 25, 30, 45, 60, 90 or 120 minutes,”; authenticate the user in accordance with multifactor authentication that requires a plurality of factors (user that is verified based on identification using passwords for access)),(Page 3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; plurality of factors (biometric data or passcodes or PINs)), (Page 17 lines 1-17 “in addition to the correct passcode or PIN, an identification code from the S correct SIM 2 must also be provided for access to the data in a partition Sa, Sb or Sc to be granted. [..]When a user wishes to access a particular partition 3a, 3b, or 3c, they enter the passcode or PIN for that partition 3a, 3b, or 3c by typing on the keypad or touch-sensitive screen of the mobile telephone 1. The entered passcode or PIN is then passed to the SIM 2 where it is passed an encryption algorithm combining it with the SIM identification code to create a hash. [..] The hash is then passed to a processor at the cloud server 4 where it is decrypted to extract the passcode or PIN and identify which partition 3a, Sb or Sc the user is seeking to access. Then, if the hash corresponds to a hash already stored in memory at the cloud server 4 for that partition 3a, 3b or 3c, access to the requested partition 3a, Sb or Sc is allowed and data stored in that partition”; a plurality of factors that are received from the user to match a plurality of reference factors (passcodes or PIN’s corresponding to hash that if corresponding to a hash stored in memory grants access to data))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach to include multi-factor authentication, selectively authenticate the user in accordance with a multi-factor authentication technique that requires a plurality of factors that are received from the user to match a plurality of reference factors because of the analogous concept of secure authentication of software applications in multiple devices. Johnston includes a process of multi-factor authentication this is important because it discourages attackers from implementing malware and other malicious codes because of the multiple factors involved in verifying a user. By implementing an inherence based factor in the authentication users distributing code and personal data can be assured a chain of trust and credibility due to not only biometric elements such as DNA, fingerprint iris, etc. but other methods of authentication such as passwords PINs etc. to further enhance the secure protection and mitigate attacks to code providers and various software development groups. 


In regards to Claim 2, Yach teaches the system of claim 1, wherein the one or more processors are configured to: (Figure 6 label 626, 624, 638; (microprocessor coupled to RAM and flash memory))
generate the user-specific digital signature by generating a hash that is based at least in part on the user-specific information; and (Par. (0018) “For example, according to one signature scheme, a hash of the software application Y 14 may be generated, using a hashing algorithm such as the Secure Hash Algorithm SHA1, and then used with the private signature key 18 to create the digital signature. In some signature schemes, the private signature key is used to encrypt a hash of information to be signed”; generate the user-specific signature ( to create the digital signature) by generating a hash that is based on the user-specific information ( hash of the software may be generated [..] to create the digital signature))
selectively authenticate the user in accordance with the …. authentication technique based at least in part on whether the hash matches a reference hash associated with the reference user. (Par. (0020) “the mobile device 28 calculates a hash of the software application Y 14 in the signed software application Y 22, using the same hashing algorithm as the code signing authority 16, and uses the digital signature and the public signature key 20 to recover the hash calculated by the signing authority 16. The resultant locally calculated hash and the hash recovered from the digital signature are then compared, and if the hashes are the same, the signature is verified. The software application Y 14 can then be executed on the device 28 and access any sensitive APIs for which the corresponding signature(s) have been verified”; on whether the hash matches a reference hash (calculated hash and the hash recovered are then compared [..] if the hashes are the same)), (Par. (0059) “virtual machine may verify the authenticity of the digital signature by generating a hash of the software application to obtain a generated hash, applying the public signature key to the digital signature to obtain a recovered hash, and comparing the generated hash with the recovered hash.”; hash matches a reference hash associated with the reference user (comparing the generated hash with the recovered hash))
However Yach does not explicitly teach multi-factor authentication
Wherein Johnston teaches multi-factor authentication (Page3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; multi-factor authentication (biometric data or data representing passcode or PIN for authentication)), (Page15 lines 10-32 “The user could have the ability to halt this session Fat any point from the administrator device, for example by initiating a halt button on the administrator device. The code which is created is preferably as a result of a two or three factor authentication with the administrator device.”; multi factor authentication (two or three factor authentication))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach for the reasons discussed in the independent claim stated above.

In regards to Claim 3, the combination of Yach and Johnston teach the system of claim 1, Yach further teaches the system of claim 1, wherein the one or more processors are further configured to: (Figure 6 label 626, 624, 638; (microprocessor coupled to RAM and flash memory))
sign the code with the user-specific digital signature. (Par. (0018-0019) “The signed software application Y 22, comprising the software application Y 14 and the digital signature, [..] Once the signed software application Y 22 is loaded on the mobile device 28, each digital signature is preferably verified with a public signature key 20 before the software application Y 14 is granted access to a sensitive API”; sign the code (signed software application) with the user-specific digital signature (software application that is signed includes digital signature)), (Par. (0025) “Each signing authority may for example be responsible for signing software applications for particular sensitive APIs or APIs on a particular model of mobile device or set of mobile devices that supports the sensitive APIs required by a software application. A manufacturer, mobile communication network operator, service provider, or corporate client for example may thereby have signing authority over the use of sensitive APIs”; sign the code (signing software applications))

In regards to Claim 4, Yach does not explicitly teach the system of claim 1, wherein the user-specific information is obtained from an item that is in possession of the user as a result of initiating or receiving the request. 
Wherein Johnston teaches the system of claim 1, wherein the user-specific information is obtained from an item that is in possession of the user as a result of initiating or receiving the request. (Page4 lines 19-27 “the identification codes are preferably an identification codes associated with smart object of the devices. The smart object may be a SIM, SE (secure element), TEE (trusted execution environment), Micro SD, Memory card, USB or Smartcard associated with the device,”; an item (identification codes corresponding to Smartcards/SIM)), (Page13 lines 6-22 “ (i) receiving a request to access the data, the request including an identification code associated with the device and one or more of: a PIN or passcode; and data representing something inherent to the user of the device such as genetic and/or biometric information; (ii) verifying, based on the identification code, and the PIN or passcode and/or data representing something inherent to the user, whether access to the data is to be allowed or denied;”; the user-specific information is obtained from an item (receiving a request with identification code associated with biometric, genetic, inherent to the user)) as a result of receiving the request (receiving a request)), (Examiner Notes: In the instant application the specification on Par. (0075) states that an item for example could be a cell phone with SIM or a smartcard, therefore it will be broadly and reasonably interpreted that an identification code that represents a smartcard meets the claimed limitation))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach for the reasons discussed in the independent claim stated above.


In regards to Claim 9, the combination of Yach and Johnston teach the system of claim 1, Yach further teaches the system of claim 1, wherein the operation comprises at least one of the following: 
checking-in the code to a repository associated with the code development service; 
performing a review of the code; (Par. (0022) “the code signing authority reviews the software application Y to determine whether or not it should be given access to the sensitive API, and either accepts or rejects the software application. The code signing authority may apply a number of criteria to determine whether or not to grant the software application access”; review of the code (reviews the software application))
performing a build of the code; 
signing the code; (Par. (0018-0019) “The signed software application Y 22, comprising the software application Y 14 and the digital signature, [..] Once the signed software application Y 22 is loaded on the mobile device 28, each digital signature is preferably verified with a public signature key 20 before the software application Y 14 is granted access to a sensitive API”; sign the code (signed software application) with the user-specific digital signature (software application that is signed includes digital signature)), (Par. (0025) “Each signing authority may for example be responsible for signing software applications for particular sensitive APIs or APIs on a particular model of mobile device or set of mobile devices that supports the sensitive APIs required by a software application. A manufacturer, mobile communication network operator, service provider, or corporate client for example may thereby have signing authority over the use of sensitive APIs”; sign the code (signing software applications))
releasing the code to end users;
 publishing the code to the end users; or 
deploying the code.

In regards to Claim 10, Yach teaches a method of using .. authentication to selectively enable performance of an operation prior to or during release of code, the method comprising: (Par. (0038) “Although a digital signature generated by a signing authority is dependent upon authentication of the application developer and confirmation that the application developer has been properly registered, the digital signature is preferably generated from a hash or otherwise transformed version of the software application and is therefore application-specific.”; authentication (authentication of the application developer and confirmation..) (Par. (0013) “An application developer 12 creates a software application 14 (application Y) for a mobile device that requires access to one or more sensitive APIs on the mobile device. The software application Y 14 may, for example, be a Java application that operates on a Java virtual machine installed on the mobile device. An API enables the software application Y to interface with an application [..]  in such a way as to allow a software application Y to interact with one or more corresponding device resources. Providing access to any API therefore allows a software application Y to interact with associated device resources,”; enable performance of an operation during release of code (application developer creates software application and releases or deploys to other devices)), (Par. (0017) “the code signing authority 16 reviews the software application Y 14, although as described in further detail below, it is contemplated that the code signing authority 16 may also or instead consider the identity of the application developer 12 to determine whether or not the software application Y 14 should be signed. The code signing authority 16 is preferably one or more representatives from the mobile device manufacturer”; authentication [..] enable performance of operation during release of code ( reviews the software application to consider the identity))
prior to or during the release of the code, initiating a request to perform the operation with regard to the code or receiving the request from a user of a code development service, ((Par. (0013) “An application developer 12 creates a software application 14 (application Y) for a mobile device that requires access to one or more sensitive APIs on the mobile device. The software application Y 14 may, for example, be a Java application that operates on a Java virtual machine installed on the mobile device. An API enables the software application Y to interface with an application [..]  in such a way as to allow a software application Y to interact with one or more corresponding device resources. Providing access to any API therefore allows a software application Y to interact with associated device resources,”; during release of code (application developer creates software application and releases or deploys to other devices)), (Par. (0035) “The target signing request includes the software application or a hash of the software application, a developer identifier, as well as at least one target device identifier which identifies the target device for which a signature is being requested [..] and the digital signature or a signed software application including the digital signature appended to the software application is returned to the developer at step 280.”; initiating a request to perform operation with regards to the code (signature being requested corresponding to software application [..] signature being returned)), (Par. (0014-0015) “the application developer 12 is required to obtain one or more digital signatures from the mobile device manufacturer or other entity that classified any APIs as sensitive, or from a code signing authority 16 acting on behalf of the manufacturer [..] a digital signature is obtained for each sensitive API or library that includes a sensitive API to which the software application requires access.”; which is obtained from the user (digital signature obtained)), (Par. (0035) “a code signing authority for one target device receives a target-signing request from the developer. The target signing request includes the software application or a hash of the software application, a developer identifier, [..] developer was trusted, at step 240 the signing authority determines if it has the target private key corresponding to the submitted target identifier by consulting a private key store such as a target private key database 245. If the target private key is found, then a digital signature for the software application is generated at step 260 and the digital signature or a signed software application including the digital signature appended to the software application is returned to the developer at step 280”; receiving the request from the user during the release of the code (receives a target signing request and returns software application to developer)), (Par. (0066) “a software application created by a software developer, comprising the steps of: receiving the software application from the software developer; reviewing the software application to determine [..] and providing access to the API to software applications for which the appended digital signature is authentic.”; during the release of the code (software application corresponding to provided access to API)) (Examiner Notes: Examiner asserts by using the phrase “or” the applicant is reciting conditional/ optional limitations that are not required to be fully mapped. Examiner broadly and reasonably interprets that if one claimed recitation is mapped within the “or” limitation then the claim is fully met.))
which identify a reference user who is authorized to perform the operation with regard to the code, (Par. (0033) “If the digital signature is authentic, however, then the description string 88 is preferably displayed in step 112, warning the mobile device user that the software application requires access to a sensitive API, and possibly prompting the user for authorization to execute or load the software application (step 114). When more than one signature is to be verified for a software application, then the steps 104-110 are preferably repeated for each signature before the user is prompted in step 112. If the mobile device user in step 114 authorizes the software application,”; identify a reference user who is authorized to perform operation (digital signature authentic then prompts user for authorization to execute software application))
based at least in part on whether the user-specific digital signature that identifies the user matches a reference digital signature that identifies the reference user; and (Par. (0029) “the appropriate digital signature 96 is located by the virtual machine 64 by matching the signature identifier 92 in the API library 74 or 78 with a signature identification 94 on the signed software application. If the signed software application includes the appropriate digital signature 96, then the virtual machine 64 verifies its authenticity using the public signature key 20. Then, once the appropriate digital signature 96 has been located and verified, the description string 88 is preferably displayed on the mobile device before the software application X or Y is executed and accesses the sensitive API.”; user-specific digital signature matches a digital signature that identifies the reference user ( digital signature is matched with signed software application and its corresponding digital signature))
selectively enabling the performance of the operation with regard to the code based at least in part on whether the user is authenticated in accordance with the … authentication technique. (Par. (0033) “If the digital signature is authentic, however, then the description string 88 is preferably displayed in step 112, warning the mobile device user that the software application requires access to a sensitive API, and possibly prompting the user for authorization to execute or load the software application (step 114). When more than one signature is to be verified for a software application, then the steps 104-110 are preferably repeated for each signature before the user is prompted in step 112. If the mobile device user in step 114 authorizes the software application,”; enable the performance of the operation [..] based at least in part on whether the user is authenticated ( if digital signature is authenticated user is authorized to execute or lead the software application))
the code including at least one of software code or firmware code; (Par. (0013) “The software application Y 14 may, for example, be a Java application that operates on a Java virtual machine installed on the mobile device”; code including at least one of software code (software applications corresponding to Java))
generating a user-specific digital signature that identifies the user based at least in part on user-specific information, which is obtained from the user as a result of initiating or receiving the request; (Par. (0018) “then a signature (not shown) for the software application Y 14 is generated by the code signing authority 16 and appended to the software application Y 14. The signed software application Y 22, comprising the software application Y 14 and the digital signature, is then returned to the application developer 12. The digital signature is preferably a tag that is generated using a private signature key 18 maintained solely by the code signing authority 16. For example, according to one signature scheme, a hash of the software application Y 14 may be generated, using a hashing algorithm such as the Secure Hash Algorithm SHA1, and then used with the private signature key 18 to create the digital signature”; generate a user-specific digital signature that identifies a user of a code (signature generated corresponding to software application and the application developer (user of a code/ user-specific))), (Par. (0003) “a digital signature is attached to a software application that identifies the software developer. Once the software is downloaded by a user, the user typically must use his or her judgment to determine whether or not the software application is reliable, based solely on his or her knowledge of the software developer's”; user-specific digital signature that identifies a user of a code (digital signature identifies the software developer)), (Par. (0030) “including a software application Y to which two digital signatures 96E and 96F with corresponding signature identifications 94E and 94F have been appended. In the example system 61, each pair composed of a digital signature and identification, 94E/96E and 94F/96F, corresponds to a model of mobile device 62, API library 78, or associated platform 80. If signature identifications 94E and 94F correspond to different models of mobile device 62, then when a signed software application 70 which includes a software application Y that requires access to a sensitive API library 78 is loaded onto mobile device 62E”; based at least in part on user-specific information (signature identification associated with digital signature linked to mobile devices of user))
However Yach does not explicitly teach multi-factor authentication, selectively authenticating the user in accordance with a multi-factor authentication technique that requires a plurality of factors that are received from the user to match a plurality of reference factors,
Wherein Johnston teaches multi-factor authentication (Page3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; multi-factor authentication (biometric data or data representing passcode or PIN for authentication)), (Page15 lines 10-32 “The user could have the ability to halt this session at any point from the administrator device, for example by initiating a halt button on the administrator device. The code which is created is preferably as a result of a two or three factor authentication with the administrator device.”; multi factor authentication (two or three factor authentication))
selectively authenticating the user in accordance with a multi-factor authentication technique that requires a plurality of factors that are received from the user to match a plurality of reference factors, (Page1 lines 16-25 “sending a request from the device to access the data, the request including an identification code of a secure element or memory card associated with the device; (ii) verifying, based at least partly on the identification code, whether access to the data is to be allowed or denied”; selectively authenticate a user (request with an identification code that is verified to allow or deny access of a device)), (Page7 lines 30-5 and Page8 lines 1-25 “receiving at the device an invitation to access the data, the invitation comprising a password, code or PIN; sending a request from the device to access the data, the request including the password, code or PIN; verifying, based at least partly on the password, code or PIN, whether access to the data is to be allowed or denied [..] a user to send invitations to further devices (his own or those or another user) so that further devices may also access data. These devices (or an identification code associated therewith) need not necessarily be registered with the data in order to be granted access [..] the password, code or PIN is only valid for a specified period of time. Thus, if it is not used within the specified period, access will not be granted based on that password, code or PIN. The period may be up to 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 20, 25, 30, 45, 60, 90 or 120 minutes,”; authenticate the user in accordance with multifactor authentication that requires a plurality of factors (user that is verified based on identification using passwords for access)), (Page3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; plurality of factors (biometric data or passcodes or PINs)), (Page17 lines 1-17 “in addition to the correct passcode or PIN, an identification code from the S correct SIM 2 must also be provided for access to the data in a partition Sa, Sb or Sc to be granted. [..]When a user wishes to access a particular partition 3a, 3b, or 3c, they enter the passcode or PIN for that partition 3a, 3b, or 3c by typing on the keypad or touch-sensitive screen of the mobile telephone 1. The entered passcode or PIN is then passed to the SIM 2 where it is passed an encryption algorithm combining it with the SIM identification code to create a hash. [..] The hash is then passed to a processor at the cloud server 4 where it is decrypted to extract the passcode or PIN and identify which partition 3a, Sb or Sc the user is seeking to access. Then, if the hash corresponds to a hash already stored in memory at the cloud server 4 for that partition 3a, 3b or 3c, access to the requested partition 3a, Sb or Sc is allowed and data stored in that partition”; a plurality of factors that are received from the user to match a plurality of reference factors (passcodes or PIN’s corresponding to hash that if corresponding to a hash stored in memory grants access to data))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach to include multi-factor authentication, selectively authenticate the user in accordance with a multi-factor authentication technique that requires a plurality of factors that are received from the user to match a plurality of reference factors because of the analogous concept of secure authentication of software applications in multiple devices. Johnston includes a process of multi-factor authentication this is important because it discourages attackers from implementing malware and other malicious codes because of the multiple factors involved in verifying a user. By implementing an inherence based factor in the authentication users distributing code and personal data can be assured a chain of trust and credibility due to not only biometric elements such as DNA, fingerprint iris, etc. but other methods of authentication such as passwords PINs etc. to further enhance the secure protection and mitigate attacks to code providers and various software development groups. 



In regards to Claim 11, Yach teaches a system to use …. authentication to selectively enable performance of an operation prior to or during release of code, the system comprising: (Par. (0038) “Although a digital signature generated by a signing authority is dependent upon authentication of the application developer and confirmation that the application developer has been properly registered, the digital signature is preferably generated from a hash or otherwise transformed version of the software application and is therefore application-specific.”; authentication (authentication of the application developer and confirmation..) (Par. (0013) “An application developer 12 creates a software application 14 (application Y) for a mobile device that requires access to one or more sensitive APIs on the mobile device. The software application Y 14 may, for example, be a Java application that operates on a Java virtual machine installed on the mobile device. An API enables the software application Y to interface with an application [..]  in such a way as to allow a software application Y to interact with one or more corresponding device resources. Providing access to any API therefore allows a software application Y to interact with associated device resources,”; enable performance of an operation during release of code (application developer creates software application and releases or deploys to other devices)), (Par. (0017) “the code signing authority 16 reviews the software application Y 14, although as described in further detail below, it is contemplated that the code signing authority 16 may also or instead consider the identity of the application developer 12 to determine whether or not the software application Y 14 should be signed. The code signing authority 16 is preferably one or more representatives from the mobile device manufacturer”; authentication [..] enable performance of operation during release of code ( reviews the software application to consider the identity))
memory; and (Figure 6 label 626, 624; (memory))
one or more processors coupled to the memory, the one or more processors configured to: (Figure 6 label 626, 624, 638 ; (microprocessor coupled to RAM and flash memory))
generate a user-specific digital signature that identifies a user of a code development service based at least in part on one or more inherence identifiers of the user that are captured as a result of initiating a request to perform the operation with regard to the code prior to or during the release of the code or receiving the request from the user prior to or during the release of the code, (Par. (0018) “then a signature (not shown) for the software application Y 14 is generated by the code signing authority 16 and appended to the software application Y 14. The signed software application Y 22, comprising the software application Y 14 and the digital signature, is then returned to the application developer 12. The digital signature is preferably a tag that is generated using a private signature key 18 maintained solely by the code signing authority 16. For example, according to one signature scheme, a hash of the software application Y 14 may be generated, using a hashing algorithm such as the Secure Hash Algorithm SHA1, and then used with the private signature key 18 to create the digital signature”; generate a user-specific digital signature that identifies a user of a code (signature generated corresponding to software application and the application developer (user of a code/ user-specific))), (Par. (0018) “For example, according to one signature scheme, a hash of the software application Y 14 may be generated, using a hashing algorithm such as the Secure Hash Algorithm SHA1, and then used with the private signature key 18 to create the digital signature. In some signature schemes, the private signature key is used to encrypt a hash of information to be signed”; generate the user-specific signature ( to create the digital signature) by generating a hash ( hash of the software may be generated [..] to create the digital signature)), (Par. (0035) “The target signing request includes the software application or a hash of the software application, a developer identifier, as well as at least one target device identifier which identifies the target device for which a signature is being requested [..] and the digital signature or a signed software application including the digital signature appended to the software application is returned to the developer at step 280.”; based on at least one or more inherence identifiers which identify the user (target device with identifier and result of initiating a request (signature being requested [..] signature being returned)), 
(Examiner notes: In the instant application the specification states on Par. (0007) that an inherence identifier indicates something that the user is or does. Therefore, it will be broadly and reasonably interpreted that the generated user-specific digital signature is based on one or more inherence identifiers represent something a user is (a target device with a corresponding identifier. Examiner suggests amending the claims to further define what inherence identifier represent to enhance the scope of the claims. Examiner further notes that by using the phrase “or” the Applicant is reciting optional or conditional limitations that do not to be fully met. Examiner broadly and reasonably interprets if only one or the limitations within the phrase “or” is mapped then the claimed limitation is met.))

the code including at least one of software code or firmware code, each inherence identifier indicating something that the user is or does; and (Par. (0013) “The software application Y 14 may, for example, be a Java application that operates on a Java virtual machine installed on the mobile device”; code including at least one of software code (software applications corresponding to Java)), (Par. (0035) “The target signing request includes the software application or a hash of the software application, a developer identifier, as well as at least one target device identifier which identifies the target device for which a signature is being requested [..] and the digital signature or a signed software application including the digital signature appended to the software application is returned to the developer at step 280.”; each  inherence identifiers indicating something that the user is (target device with identifier that identifies what device the user is)),
selectively enable the performance of the operation with regard to the code based at least in part on whether the user-specific digital signature that identifies the user matches a reference digital signature that identifies a reference user who is authorized to perform the operation with regard to the code. (Par. (0033) “If the digital signature is authentic, however, then the description string 88 is preferably displayed in step 112, warning the mobile device user that the software application requires access to a sensitive API, and possibly prompting the user for authorization to execute or load the software application (step 114). When more than one signature is to be verified for a software application, then the steps 104-110 are preferably repeated for each signature before the user is prompted in step 112. If the mobile device user in step 114 authorizes the software application,”; selectively enable the performance of the operation)), (Par. (0029) “the appropriate digital signature 96 is located by the virtual machine 64 by matching the signature identifier 92 in the API library 74 or 78 with a signature identification 94 on the signed software application. If the signed software application includes the appropriate digital signature 96, then the virtual machine 64 verifies its authenticity using the public signature key 20. Then, once the appropriate digital signature 96 has been located and verified, the description string 88 is preferably displayed on the mobile device before the software application X or Y is executed and accesses the sensitive API.”; whether the user-specific digital signature matches a digital signature that identifies the reference user ( digital signature is matched with signed software application and its corresponding digital signature)), (Par. (0033) “If the digital signature is authentic, however, then the description string 88 is preferably displayed in step 112, warning the mobile device user that the software application requires access to a sensitive API, and possibly prompting the user for authorization to execute or load the software application (step 114). When more than one signature is to be verified for a software application, then the steps 104-110 are preferably repeated for each signature before the user is prompted in step 112. If the mobile device user in step 114 authorizes the software application,”; a reference user who is authorized to perform operation with regard to the code( if digital signature is authenticated user is authorized to execute or lead the software application))
However Yach does not explicitly teach inherence-based authentication
Wherein Johnston teaches inherence-based authentication (Page3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; inherence based authentication (biometric data or data representing passcode or PIN for authentication)), (Page15 lines 10-32 “The user could have the ability to halt this session at any point from the administrator device, for example by initiating a halt button on the administrator device. The code which is created is preferably as a result of a two or three factor authentication with the administrator device.”; inherence-based authentication (something inherent to the user))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach to include inherence-based authentication because of the analogous concept of secure authentication of software applications in multiple devices. Johnston includes a process of multi-factor authentication this is important because it discourages attackers from implementing malware and other malicious codes because of the multiple factors involved in verifying a user. By implementing an inherence based factor in the authentication users distributing code and personal data can be assured a chain of trust and credibility due to not only biometric elements such as DNA, fingerprint iris, etc. but other methods of authentication such as passwords PINs etc. to further enhance the secure protection and mitigate attacks to code providers and various software development groups. 

In regards to Claim 12, claim 12 recites similar limitations to the system of dependent claim 2 and the teachings of Yach and Johnston address all the limitations discussed in dependent claim 2 and are thereby rejected under the same grounds. 

In regards to Claim 13, Yach teaches the system of claim 11, wherein the one or more processors are configured to: (((Figure 6 label 626, 624, 638; (microprocessor coupled to RAM and flash memory))
the … authentication technique including a first factor that requires the user-specific digital signature that identifies the user to match the reference digital signature that identifies the reference user who is authorized to perform the operation with regard to the code. (Par. (0029) “the appropriate digital signature 96 is located by the virtual machine 64 by matching the signature identifier 92 in the API library 74 or 78 with a signature identification 94 on the signed software application. If the signed software application includes the appropriate digital signature 96, then the virtual machine 64 verifies its authenticity using the public signature key 20. Then, once the appropriate digital signature 96 has been located and verified, the description string 88 is preferably displayed on the mobile device before the software application X or Y is executed and accesses the sensitive API.”; user-specific digital signature matches a digital signature that identifies the reference user ( digital signature is matched with signed software application and its corresponding digital signature)), (Par. (0033) “If the digital signature is authentic, however, then the description string 88 is preferably displayed in step 112, warning the mobile device user that the software application requires access to a sensitive API, and possibly prompting the user for authorization to execute or load the software application (step 114). When more than one signature is to be verified for a software application, then the steps 104-110 are preferably repeated for each signature before the user is prompted in step 112. If the mobile device user in step 114 authorizes the software application,”; identify a reference user who is authorized to perform operation (digital signature authentic then prompts user for authorization to execute software application))
However Yach does not explicitly teach selectively enable the performance of the operation with regard to the code based at least in part on whether the user satisfies a plurality of factors of a multi- factor authentication technique, multi-factor authentication technique.
Wherein Johnston teaches selectively enable the performance of the operation with regard to the code based at least in part on whether the user satisfies a plurality of factors of a multi- factor authentication technique, (Page4 lines 5-25 “has data access software code installed on it for accessing the data. Preferably, in order to install the data access software code, the device must register with the system for example by submitting information related to at least an identification code”; selectively enable the performance of the operation with regard to the code (access and install software code) based in part on whether the user satisfies a plurality of factors (by submitting information related to at least an identification code)), (Page12 lines 15-30 “an identification code associated with the device and one or more of: a PIN or passcode; and data representing something inherent to the user of the device such as genetic and/or biometric information; (ii) verifying, based on the identification code, and the PIN or passcode and/or data representing something inherent to the user, whether access to the data is to be allowed or denied”; plurality of factors of a multi authentication technique (identification node associated with biometric/genetic data and passcode/PIN that is verified))
multi-factor authentication technique (Page3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; multi-factor authentication (biometric data or data representing passcode or PIN for authentication)), (Page15 lines 10-32 “The user could have the ability to halt this session at any point from the administrator device, for example by initiating a halt button on the administrator device. The code which is created is preferably as a result of a two or three factor authentication with the administrator device.”; multi factor authentication (two or three factor authentication))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach for the reasons discussed in the independent claim stated above.

In regards to Claim 19, the combination of Yach and Johnston teach the system of claim 11, Yach further teaches the system of claim 11, wherein the operation comprises at least one of the following: 
checking-in the code to a repository associated with the code development service;
 performing a review of the code; (Par. (0022) “the code signing authority reviews the software application Y to determine whether or not it should be given access to the sensitive API, and either accepts or rejects the software application. The code signing authority may apply a number of criteria to determine whether or not to grant the software application access”; review of the code (reviews the software application))
performing a build of the code; 
signing the code; Par. (0018-0019) “The signed software application Y 22, comprising the software application Y 14 and the digital signature, [..] Once the signed software application Y 22 is loaded on the mobile device 28, each digital signature is preferably verified with a public signature key 20 before the software application Y 14 is granted access to a sensitive API”; sign the code (signed software application) with the user-specific digital signature (software application that is signed includes digital signature)), (Par. (0025) “Each signing authority may for example be responsible for signing software applications for particular sensitive APIs or APIs on a particular model of mobile device or set of mobile devices that supports the sensitive APIs required by a software application. A manufacturer, mobile communication network operator, service provider, or corporate client for example may thereby have signing authority over the use of sensitive APIs”; sign the code (signing software applications))
releasing the code to end users; 
publishing the code to the end users; or 
deploying the code.

	In regards to Claim 20, Yach does not explicitly teach the system of claim 11, wherein the one or more inherence identifiers of the user represent at least one of the following: a face of the user; a fingerprint of the user; a voice of the user; an iris of an eye of the user; or a pattern of key press intervals of the user.
Wherein Johnston teaches the system of claim 11, wherein the one or more inherence identifiers of the user represent at least one of the following: 
a face of the user; 
a fingerprint of the user; (Page3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; inherence identifier of the user: fingerprint)),
a voice of the user; 
an iris of an eye of the user; Page3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; inherence identifier of the user: iris)),
or a pattern of key press intervals of the user.
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach for the reasons discussed in the independent claim stated above.


Claim 5-6, is/are rejected under 35 U.S.C. 103 as being unpatentable over  in further Yach et al. (EP No. 1626326 (Retrieved from IDS), hereinafter referred to as “Yach”) and Johnston et al. (GB No. 2517732 (Retrieved from IDS), hereinafter referred to as “Johnston”) in further view of Blinn et al. (U.S Pub. No. 20170149774 , hereinafter referred to as “Blinn”)

	In regards to Claim 5, Yach does not explicitly teach the system of claim 1, wherein the one or more processors are configured to: selectively authenticate the user in accordance with the multi-factor authentication technique based at least in part on whether one or more inherence factors, which identify the user and which were captured during an attempt of the user to log into a computing device, an application, or a service, match one or more respective reference inherence factors that identify the reference user.
Wherein Johnston teaches the system of claim 1, wherein the one or more processors are configured to: selectively authenticate the user in accordance with the multi-factor authentication technique based at least in part on whether one or more inherence factors, (Page3 lines 5-25) “data representing S something inherent to a user of the device, and step (ii) may also comprise verifying based on the data representing something inherent to the user of the device whether access to the data is to be allowed or denied. Thus, two-or three-factor authentication may be required in order to access the data and only authorised users may be granted access to the data [..] The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data, for example.”; selectively authenticate the user in accordance with multi-factor authentication ( two-or-thee factor authentication of a user corresponding to verifying data based on inherent of the user) based at least in part on whether one or more inherent factors (data that is verified represents biometric information like fingerprint or iris))
which identify the user and which were captured during an attempt of the user to log into a computing device, an application, or a service, (Page20 lines 10-25 “allow access to a partition to a user then they will send a signal from the administrator device to the access controller confirming their agreement for the device to be registered against the partition so that the device can access the partition   [..] When the user opens or logs into the application for accessing the partitions, they can access the partition(s) by entering the PIN or passcode or data representing something inherent to the user that corresponds to that partition.”; identify the user (access to a user) which were captured during an attempt to log into an application (when the user opens or log into the application by entering PIN or passcode))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach to include multi-factor authentication based on inherence factors because of the analogous concept of secure authentication of software applications in multiple devices. Johnston includes a process of multi-factor authentication this is important because it discourages attackers from implementing malware and other malicious codes because of the multiple factors involved in verifying a user. By implementing an inherence based factor in the authentication users distributing code and personal data can be assured a chain of trust and credibility due to not only biometric elements such as DNA, fingerprint iris, etc. but other methods of authentication such as passwords PINs etc. to further enhance the secure protection and mitigate attacks to code providers and various software development groups. 
However Yach and Johnston do not explicitly teach match one or more respective reference inherence factors that identify the reference user.
Wherein Blinn teaches match one or more respective reference inherence factors that identify the reference user. (Par. (0055) “an authentication factor comprises a unique data associated with the user (something the user is), a non-limiting example of this unique data may comprise biometric data associated with the user. Such biometric data may comprise any biometric data collected about the user, and may be gathered from, as non-limiting examples, a thumbprint scanner, a capillary distribution scanner, a retinal scanner, a DNA scanner, an implanted microchip, and/or any other means of gathering biometric data identifying a specific individual [..] by confirming a match for the biometric data via user or other records stored in data storage 130. If not authenticated, an alert may be transmitted and displayed to the user.”; match one or more respective reference inherence factors (match biometric data such as DNA, thumbprint, retinal etc. to records stored) that identify the reference user (identifying a specific individual corresponding to authentication))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Blinn within the teaching of Yach and Johnston to include matching inherence factors that identify the reference user because of the analogous concept of multi-factor authentication in the software development cycle. Blinn includes a process in which inherence factors are matched to identify a user this is important because it provides a technique in the software development cycle such as within the build, integration, testing or deployment step to verify code providers that they are in fact the trusted entity in communication. This helps mitigate malware or intrusion on the software code by using specific biometric data as factors to establish trust, therefore only the entity with the valid inherence factors such as DNA, facial features etc. can be fully authenticated without fear of compromise or harm.

In regards to Claim 6, the combination of Yach and Johnston teach the system of claim 1, Yach further teaches the system of claim 5, wherein the one or more processors are configured to: ((Figure 6 label 626, 624, 638; (microprocessor coupled to RAM and flash memory))
generate the user-specific digital signature by generating a hash that is based at least in part on the user-specific information, which is obtained from the user as a result of initiating or receiving the request, and (Par. (0018) “For example, according to one signature scheme, a hash of the software application Y 14 may be generated, using a hashing algorithm such as the Secure Hash Algorithm SHA1, and then used with the private signature key 18 to create the digital signature. In some signature schemes, the private signature key is used to encrypt a hash of information to be signed”; generate the user-specific signature ( to create the digital signature) by generating a hash that is based on the user-specific information ( hash of the software may be generated [..] to create the digital signature)), (Par. (0035) “The target signing request includes the software application or a hash of the software application, a developer identifier, as well as at least one target device identifier which identifies the target device for which a signature is being requested [..] and the digital signature or a signed software application including the digital signature appended to the software application is returned to the developer at step 280.”; which is obtained from the user as a result of initiating a request (signature being requested [..] signature being returned)),
selectively authenticate the user in accordance with the …. authentication technique based at least in part on whether the hash matches a reference hash associated with the reference user. ((Par. (0020) “the mobile device 28 calculates a hash of the software application Y 14 in the signed software application Y 22, using the same hashing algorithm as the code signing authority 16, and uses the digital signature and the public signature key 20 to recover the hash calculated by the signing authority 16. The resultant locally calculated hash and the hash recovered from the digital signature are then compared, and if the hashes are the same, the signature is verified. The software application Y 14 can then be executed on the device 28 and access any sensitive APIs for which the corresponding signature(s) have been verified”; on whether the hash matches a reference hash (calculated hash and the hash recovered are then compared [..] if the hashes are the same)), (Par. (0059) “virtual machine may verify the authenticity of the digital signature by generating a hash of the software application to obtain a generated hash, applying the public signature key to the digital signature to obtain a recovered hash, and comparing the generated hash with the recovered hash.”; hash matches a reference hash associated with the reference user (comparing the generated hash with the recovered hash))
However Yach does not explicitly teach that is further based at least in part on the one or more inherence factors, which identify the user and which were captured during the attempt of the user to log into the computing device, the application, or the service; and multi-factor authentication
Wherein Johnston teaches that is further based at least in part on the one or more inherence factors, (Page3 lines 5-25) “data representing S something inherent to a user of the device, and step (ii) may also comprise verifying based on the data representing something inherent to the user of the device whether access to the data is to be allowed or denied. Thus, two-or three-factor authentication may be required in order to access the data and only authorised users may be granted access to the data [..] The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data, for example.”; further based at least in part on the one or more inherent factors (data that is verified represents biometric information like fingerprint or iris))
which identify the user and which were captured during the attempt of the user to log into the computing device, the application, or the service; and ((Page20 lines 10-25 “allow access to a partition to a user then they will send a signal from the administrator device to the access controller confirming their agreement for the device to be registered against the partition so that the device can access the partition   [..] When the user opens or logs into the application for accessing the partitions, they can access the partition(s) by entering the PIN or passcode or data representing something inherent to the user that corresponds to that partition.”; identify the user (access to a user) which were captured during an attempt to log into an application (when the user opens or log into the application by entering PIN or passcode))
multi-factor authentication (Page3 lines 5-35 “The data representing something inherent to the user of the device may comprise data representing genetic and/or biometric information about the user such as a fingerprint or iris data [..] The data specifying the partition could comprise one or more of: a PIN or passcode; and data representing something inherent to the user of the device. The data representing something inherent to the user of the device could comprise data representing genetic and/or biometric information”; multi-factor authentication (biometric data or data representing passcode or PIN for authentication)), (Page15 lines 10-32 “The user could have the ability to halt this session at any point from the administrator device, for example by initiating a halt button on the administrator device. The code which is created is preferably as a result of a two or three factor authentication with the administrator device.”; multi factor authentication (two or three factor authentication))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach and Blinn to include multi-factor authentication, identify the user and which were captured during the attempt of the user to log in based on inherence factors because of the analogous concept of secure authentication of software applications in multiple devices. Johnston includes a process of multi-factor authentication this is important because it discourages attackers from implementing malware and other malicious codes because of the multiple factors involved in verifying a user. By implementing an inherence based factor in the authentication users distributing code and personal data can be assured a chain of trust and credibility due to not only biometric elements such as DNA, fingerprint iris, etc. but other methods of authentication such as passwords PINs etc. to further enhance the secure protection and mitigate attacks to code providers and various software development groups. 



Claim 7 and 17, is/are rejected under 35 U.S.C. 103 as being unpatentable over  in further Yach et al. (EP No. 1626326 (Retrieved from IDS), hereinafter referred to as “Yach”) and Johnston et al. (GB No. 2517732 (Retrieved from IDS), hereinafter referred to as “Johnston”) in further view of Bower et al. (U.S Pub. No. 20200236116 , hereinafter referred to as “Bower”)

	In regards to Claim 7, the combination of Yach and Johnston do not explicitly teach the system of claim 1, wherein the one or more processors are configured to: selectively authenticate the user in accordance with the multi-factor authentication technique based at least in part on whether a device identifier of a computing device of the user from which the request is received matches a reference device identifier.
	Wherein Bower teaches the system of claim 1, wherein the one or more processors are configured to: (Par. (0003) “The apparatus includes a processor of a secured server and a memory that stores code executable by the processor. The code is executable by the processor to receive from a mobile device a request”; processor))
selectively authenticate the user in accordance with the multi-factor authentication technique based at least in part on whether a device identifier of a computing device of the user from which the request is received matches a reference device identifier. (Par. (0054) “the received request may include identifying information of the data processing device 110. For example, the identifying information may include a serial number, a model number, an assigned identifier, etc. associated with the data processing device [..] The user credentials may be in the form of a username and password, a data token, a fingerprint scan, a retina scan, a facial scan, or other biometric authorization data.”; selectively authenticate the user in accordance with multi factor authentication (biometric authentication) based in at least part on whether device identifier ].] from which the request is received ( received request with identifying information about device such as identifier)), (Par. (0062) “he mobile device 108 is in proximity to the data processing device 110, the access apparatus 102 uses multifactor authentication to help ensure that a person with a mobile device 108 is both an authorized user and is close to the data processing device 110,” multi-factor authorization)), (Par. (0065) “The information verification module 304 may return an identifier of a data processing device 110 when a match to stored proximity information is found and the proximity module 206 or information verification module 304 may determine if the identifier matches the data processing device 110 for which a user of the mobile device 108 is seeking access”; request is received matches a reference device identifier (identifier of a device matches [..] determine if the identifier matches))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Bower within the teaching of Yach and Johnston to include multi-factor authentication based on a device identifier that is matched because of the analogous concept of inherence-based authentication in a network. Bower includes a process in which a multi-factor authentication matches the device ID of one computing device with a reference device ID. This is important because it discourages malware attackers attempting to load malicious content in the software code, by having multi-factors such as a matching of device ID and biometric comparisons it adds an extra layer of protection on the system. This allows software developers and code providers to fully verify each other before deploying and distributing code. This maintains the integrity of the system as a whole and establishes trust in communication.  

In regards to Claim 17, the combination of Yach and Johnston do not explicitly teach the system of claim 13, wherein the multi-factor authentication technique includes a second factor that requires a device identifier of a computing device of the user from which the request is received to match a reference device identifier.
Wherein Bower teaches the system of claim 13, wherein the multi-factor authentication technique includes a second factor that requires a device identifier of a computing device of the user from which the request is received to match a reference device identifier. ((Par. (0054) “the received request may include identifying information of the data processing device 110. For example, the identifying information may include a serial number, a model number, an assigned identifier, etc. associated with the data processing device [..] The user credentials may be in the form of a username and password, a data token, a fingerprint scan, a retina scan, a facial scan, or other biometric authorization data.”; multi factor authentication (biometric authentication) includes a second factors (fingerprint, retinal scan etc.)based in at least part on whether device identifier [..] from which the request is received ( received request with identifying information about device such as identifier)), (Par. (0062) “he mobile device 108 is in proximity to the data processing device 110, the access apparatus 102 uses multifactor authentication to help ensure that a person with a mobile device 108 is both an authorized user and is close to the data processing device 110,” multi-factor authorization)), (Par. (0065) “The information verification module 304 may return an identifier of a data processing device 110 when a match to stored proximity information is found and the proximity module 206 or information verification module 304 may determine if the identifier matches the data processing device 110 for which a user of the mobile device 108 is seeking access”; request is received matches a reference device identifier (identifier of a device matches [..] determine if the identifier matches))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Bower within the teaching of Yach and Johnston for the reasons discussed in dependent claim 7 stated above.

Claims 8 and 18, is/are rejected under 35 U.S.C. 103 as being unpatentable over  in further Yach et al. (EP No. 1626326 (Retrieved from IDS), hereinafter referred to as “Yach”) and Johnston et al. (GB No. 2517732 (Retrieved from IDS), hereinafter referred to as “Johnston”) in further view of Androulaki et al. (U.S Pub. No. 20200327100, hereinafter referred to as “Androulaki”)

	In regards to Claim 8, Yach does not explicitly teach the system of claim 1, wherein a first subset of users is authorized to perform the operation in a first environment; wherein a second subset of the users is authorized to perform the operation in a second environment and is not authorized to perform the operation in the first environment; wherein the user-specific information is obtained from the user as a result of initiating or receiving the request to perform the operation with regard to the code in the first environment prior to or during the release of the code; and wherein the one or more processors are configured to: authenticate the user in accordance with the multi-factor authentication technique based at least in part on the user-specific digital signature that identifies the user matching a reference digital signature that identifies the reference user who is included in the first subset; and enable the performance of the operation with regard to the code in the first environment based at least in part on the user being authenticated in accordance with the multi-factor authentication technique.
	Wherein Johnston teaches wherein the user-specific information is obtained from the user as a result of initiating or receiving the request to perform the operation with regard to the code in the first environment prior to or during the release of the code; and (Page4 lines 19-27 “the identification codes are preferably an identification codes associated with smart object of the devices. The smart object may be a SIM, SE (secure element), TEE (trusted execution environment), Micro SD, Memory card, USB or Smartcard associated with the device,”; an item (identification codes corresponding to Smartcards/SIM)), (Page13 lines 6-22 “ (i) receiving a request to access the data, the request including an identification code associated with the device and one or more of: a PIN or passcode; and data representing something inherent to the user of the device such as genetic and/or biometric information; (ii) verifying, based on the identification code, and the PIN or passcode and/or data representing something inherent to the user, whether access to the data is to be allowed or denied;”; the user-specific information is obtained from an item (receiving a request with identification code associated with biometric, genetic, inherent to the user)) as a result of receiving the request (receiving a request)), (Examiner Notes: In the instant application the specification on Par. (0075) states that an item for example could be a cell phone with SIM or a smartcard, therefore it will be broadly and reasonably interpreted that an identification code that represents a smartcard meets the claimed limitation)), (Page1 lines 1-10 “System for accessing data from multiple devices The present invention relates to the field of data access. More specifically, it relates to a system for accessing data from multiple devices”; first environment (system))
enable the performance of the operation with regard to the code in the first environment based at least in part on the user being authenticated in accordance with the multi-factor authentication technique. (Page4 lines 5-25 “has data access software code installed on it for accessing the data. Preferably, in order to install the data access software code, the device must register with the system for example by submitting information related to at least an identification code”; selectively enable the performance of the operation with regard to the code (access and install software code) based in part on whether the user satisfies a plurality of factors (by submitting information related to at least an identification code)), (Page12 lines 15-30 “an identification code associated with the device and one or more of: a PIN or passcode; and data representing something inherent to the user of the device such as genetic and/or biometric information; (ii) verifying, based on the identification code, and the PIN or passcode and/or data representing something inherent to the user, whether access to the data is to be allowed or denied”; plurality of factors of a multi authentication technique (identification node associated with biometric/genetic data and passcode/PIN that is verified)), (Page1 lines 1-10 “System for accessing data from multiple devices The present invention relates to the field of data access. More specifically, it relates to a system for accessing data from multiple devices”; first environment (system))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Johnston within the teaching of Yach to include multi-factor authentication in regards to a request for code because of the analogous concept of secure authentication of software applications in multiple devices. Johnston includes a process of multi-factor authentication this is important because it discourages attackers from implementing malware and other malicious codes because of the multiple factors involved in verifying a user. By implementing an inherence based factor in the authentication users distributing code and personal data can be assured a chain of trust and credibility due to not only biometric elements such as DNA, fingerprint iris, etc. but other methods of authentication such as passwords PINs etc. to further enhance the secure protection and mitigate attacks to code providers and various software development groups. 
However Yach and Johnston do not explicitly teach the system of claim 1, wherein a first subset of users is authorized to perform the operation in a first environment; wherein a second subset of the users is authorized to perform the operation in a second environment and is not authorized to perform the operation in the first environment; wherein the one or more processors are configured to: authenticate the user in accordance with the multi-factor authentication technique based at least in part on the user-specific digital signature that identifies the user matching a reference digital signature that identifies the reference user who is included in the first subset; and
Wherein Androulaki teaches the system of claim 1, wherein a first subset of users is authorized to perform the operation in a first environment; (Par. (0004) “reference second data to be accessed by a subset of the plurality of validating peer nodes that have access to the first blockchain and a processor to perform one or more of create,”; first subset of user (subset of validating peer nodes) is authorized to perform the operation in the first environment ( in the first blockchain the nodes are given access to perform))
wherein a second subset of the users is authorized to perform the operation in a second environment and is not authorized to perform the operation in the first environment; (Par. (0053) “The one or more keys to allow the validating peer nodes VP1 and VP3 in the subset to access the data of the second blockchain 140, or the validating peer nodes VP1 and VP3 in the subset may transmit information to append a block to the second blockchain”; second subset of users (validating peer nodes in the subset of second blockchain) is authorized to perform the operation in a second environment (access to data and transmitting information in second blockchain)), (Par. (0045) “The second blockchain 140 is in the same network as the first blockchain, but, for example, may be managed by and accessible to only subset of the nodes 120 of the first blockchain 130. Copies of the ledger (or second blockchain) are distributed for storage in or access by only the network nodes 120 in the subset.”; is not authorized to perform the operation in the first environment (managed and accessible to only subset of nodes in the first blockchain (second subset of nodes cannot manage or authorized to perform operations because only first subset of nodes in first blockchain can))
to the blockchain network processor 332 through a peer node 312. Before proceeding with any transactions, the peer node 312 retrieves”; processor))
authenticate the user in accordance with the multi-factor authentication technique based at least in part on the user-specific digital signature that identifies the user matching a reference digital signature that identifies the reference user who is included in the first subset; and (Par. (0065-0066) “  the signature is valid, and (d) that the submitter (client 260, in the example) is properly authorized to perform the proposed operation on that channel. [..] the application of the client 260 inspects/verifies the endorsing peers signatures and compares [..] is the same. If the chaincode only queried the ledger, the application would inspect the query response and would typically not submit the transaction”; authenticate the user (client is properly authorized) based at least in part on user specific digital signature matching a reference digital signature (digital signature is verified and compared)), (Par. (0070) “Meanwhile, a user attempting to drive chaincode may be required to verify their credentials on the traditional data source 330. To confirm the user's authorization, chaincode”; multi-factor authentication (verify credentials)), (Par. (0055) “Cryptographic trust services 218 may be used to verify transactions such as asset exchange transactions and keep information private.”; multi-factor authentication (verify transaction)), (Par. (0051) “two or more sub blockchains assigned to different subsets of validating peer nodes VP1-VP4 in the network. The validating peer nodes in the different subsets may all be different or one or more may be commonly shared among the subsets”; in the first subset (subset of validating peer nodes))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Androulaki within the teaching of Yach and Johnston to include multi-factor authentication using a first and second environment and multiple subsets of users to determine authorization because of the analogous concept of identity verification in a network. Androulaki includes a process of a first and second subset of users that have different authorization to operate in the environment. This is important because it regulates access and does not allow entities with lower permissions to modify or alter code or data before distribution. This adds an enhance layer of secure protection and versatility by controlling subset of users in multiple environments. This proves important in the deployment of software applications and giving code providers high assurances that only authorized users in a certain environment have access. This leads to the mitigation and prevention of malware attacks and compromise. 

	In regards to Claim 18, claim 18 recites similar limitations to claim 8 and the teachings of Yach, Johnston and Androulaki address all the limitations discussed in dependent claim 8 and are thereby rejected under the same grounds. 

Claim 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over  in further Yach et al. (EP No. 1626326 (Retrieved from IDS), hereinafter referred to as “Yach”) and Johnston et al. (GB No. 2517732 (Retrieved from IDS), hereinafter referred to as “Johnston”) in further view of Streit et al. (U.S Pub. No. 20200228336, hereinafter referred to as “Streit”)

	In regards to Claim 14, the combination of Yach and Johnston do not explicitly teach the system of claim 13, wherein the multi-factor authentication technique includes a second factor that requires information stored in an item that is in possession of the user to match reference information associated with the user.
	Wherein Streit teaches the system of claim 13, wherein the multi-factor authentication technique includes a second factor that requires information stored in an item that is in possession of the user to match reference information associated with the user. (Par. (0016-0021) “authentication credentials can be based on identifying characteristics (e.g., user's fingerprint, retina scan, physical properties, facial characteristics, [..]  random biometric requests (e.g., voice identification coupled with identification of random words or syllables)) as part of a multi-factor authentication. According to one embodiment, imaging and facial recognition is executed in conjunction with random liveness testing of a separate biometric (e.g., voice identification [..] privacy enabled authentication credentials (e.g., biometrics (e.g., privacy enabled facial recognition and/or voice identification)) can be used in conjunction with the liveness augmented authentication”; multi-factor authentication technique (multi-factor authentication) includes a second factor that requires information stored in an item (credentials storing or including  two factors, fingerprints, retinal, facial, voice recognition etc. of biometrics)), (Par. (0026) “hat the biometric input is generated by the individual seeking authentication (i.e., not pre-recorded or faked biometric signaling). In some embodiments, the authentication system is configured to request randomly selected instances (e.g., system random selection) of a biometric input or behavioral information (e.g., randomly selected words and/or actions by the user) [..] received voice information or user action information to determine an identity match, while processing the received voice information or action information to ensure that received voice information matches the randomly selected words. In various embodiments, the authentication system is able to validate that an identity match”; that is in possession of the user to match reference information associated with the user ( biometric input such as voice, fingerprint or other actions is matched with user identity)) (Examiner notes: In the instant application the specification on Par. (0075) states that an item can be for examples an ID card or security card) and that reference information can be an identifier of the user. Therefore, it will be broadly and reasonably interpreted that second factor information stored within an item is biometric input such as fingerprint, iris, DNA etc. stored on a credential and used to match with a user identity))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Streit within the teaching of Yach and Johnston to include a second factor in the multi factor authentication that is stored in an item to match with the user because of the analogous concept of inherence based authentication. Streit includes a process of matching a second factor stored in an item to an associated user. This is vital because it adds another enhanced layer of identity verification by using a second factor that is inherent to the user. By comparing biometric data such as DNA, face, etc. Code providers in the deployment stage of the software cycle can be assured no tampering has occurred based on the match of the accurate user and their second factor stored in an item. This helps mitigate malware attacks and provides high assurances that the user is indeed not forged or with a compromised account.

Claims 15 and 16, is/are rejected under 35 U.S.C. 103 as being unpatentable over  in further Yach et al. (EP No. 1626326 (Retrieved from IDS), hereinafter referred to as “Yach”) and Johnston et al. (GB No. 2517732 (Retrieved from IDS), hereinafter referred to as “Johnston”) in further view of Royyuru  et al. (U.S Pub. No. 20170085563, hereinafter referred to as “Royyuru”)

	In regards to Claim 15, the combination of Yach and Johnston do not explicitly teach the system of claim 13, wherein the multi-factor authentication technique includes a second factor that requires one or more second inherence identifiers, which identify the user and which were captured during an attempt of the user to log into a computing device, an application, or a service, to match one or more respective reference inherence identifiers that identify the reference user.
	Wherein Royyuru teaches the system of claim 13, wherein the multi-factor authentication technique includes a second factor that requires one or more second inherence identifiers, which identify the user and (Par. (0033) “establishing a strong multi-factor authentication process. The issuer may then authorize the strongly authenticated transaction.”; multi-factor authentication technique)), (Par. (0022) “When a user wishes to access a restricted page (or other page requiring user credentials) of a website, the biometric mobile application may be launched such that it prompts the user to provide a biometric input. For example, the launching of a website may trigger the mobile authentication application to open the biometric mobile application to the prompt screen. The biometric input is then authenticated by the biometric mobile application, and the user credentials are provided to the website. Such two-factor biometric authentication provides a further layer of security”; second factor that requires one or more second inherence identifiers which identify the user ( credentials that prompt biometric input in order to authenticate an identify user who has access)), (Par. (0026) “Biometric sensors 112 may include fingerprint sensors, microphones for receiving audio inputs such as a voice sample, retinal scanners, cameras and software configured for facial recognition and/or retinal scanning, and and/or other biometric sensors.”; one or more second inherence identifiers ( biometric sensors include fingerprints, audio, voice scanners, retinal etc.))
which were captured during an attempt of the user to log into a computing device, an application, or a service, to match one or more respective reference inherence identifiers that identify the reference user. (Par. (0044-0045) “For example, a user may register a fingerprint and/or other biometric input for use in logging into the mobile device and/or for use with other mobile applications. A user of the mobile device may be authenticated based on the comparison of the received biometric input and the stored biometric input at block 412. In some embodiments, the received biometric input [..] after the received biometric input is matched with the stored biometric input, the user credentials”; which were captured during an attempt of the user to log into a computing device an application (fingerprint or biometric used in logging into the mobile device/application) to match one or more respective reference inherence identifiers (match the biometric input) that identifies the reference user (corresponding to user credentials)), (Par. (0004) “receiving the biometric input using a biometric sensor of the mobile device and comparing the received biometric input with a stored biometric input. The stored biometric input may be stored on the memory of the mobile device.”; to match one or more respective reference inherence identifiers (comparing the received biometric input with a stored biometric input associated with user of mobile device))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Royyuru within the teaching of Yach and Johnston to include a second factor of the multi-factor authentication based on a second inherence identifier that is matched to identify a user because of the analogous concept of inherence based authentication. Royyuru includes a process in which a second inherence factor with an identifier is matched to identify a user. This is important because it provides a multi-step verification that identifies valid users based on more than one biometric or inherent factor. This proves vital in instances in which attackers load malware on software code and impersonate code providers. By having a multi-factor authentication using and matching inherence identifier with the accurate user it mitigates and prevents tampering as well a compromise of data because of the complexity of how a user can be identified in multiple ways before distribution of data. 

In regards to Claim 16, the combination of Yach and Johnston teach the system of claim 11, Yach further teaches the system of claim 15, wherein the one or more processors are configured to: (Figure 6 label 626, 624, 638; (microprocessor coupled to RAM and flash memory))
generate the user-specific digital signature by generating a hash that is based at least in part on the one or more inherence identifiers, which identify the user and which are captured a result of initiating or receiving the request, and (Par. (0018) “For example, according to one signature scheme, a hash of the software application Y 14 may be generated, using a hashing algorithm such as the Secure Hash Algorithm SHA1, and then used with the private signature key 18 to create the digital signature. In some signature schemes, the private signature key is used to encrypt a hash of information to be signed”; generate the user-specific signature ( to create the digital signature) by generating a hash ( hash of the software may be generated [..] to create the digital signature)), (Par. (0035) “The target signing request includes the software application or a hash of the software application, a developer identifier, as well as at least one target device identifier which identifies the target device for which a signature is being requested [..] and the digital signature or a signed software application including the digital signature appended to the software application is returned to the developer at step 280.”; based on at least one or more inherence identifiers which identify the user (target device with identifier and result of initiating a request (signature being requested [..] signature being returned))(Examiner notes: In the instant application the specification states on Par. (0007) that an inherence identifier indicates something that the user is or does. Therefore, it will be broadly and reasonably interpreted that the generated user-specific digital signature is based on one or more inherence identifiers represent something a user is (a target device with a corresponding identifier))
selectively enable the performance of the operation with regard to the code based at least in part on whether the hash matches a reference hash associated with the reference user. (Par. (0033) “If the digital signature is authentic, however, then the description string 88 is preferably displayed in step 112, warning the mobile device user that the software application requires access to a sensitive API, and possibly prompting the user for authorization to execute or load the software application (step 114). When more than one signature is to be verified for a software application, then the steps 104-110 are preferably repeated for each signature before the user is prompted in step 112. If the mobile device user in step 114 authorizes the software application,”; enable the performance of the operation( if digital signature is authenticated user is authorized to execute or lead the software application)), (Par. (0020) “the mobile device 28 calculates a hash of the software application Y 14 in the signed software application Y 22, using the same hashing algorithm as the code signing authority 16, and uses the digital signature and the public signature key 20 to recover the hash calculated by the signing authority 16. The resultant locally calculated hash and the hash recovered from the digital signature are then compared, and if the hashes are the same, the signature is verified. The software application Y 14 can then be executed on the device 28 and access any sensitive APIs for which the corresponding signature(s) have been verified”; on whether the hash matches a reference hash (calculated hash and the hash recovered are then compared [..] if the hashes are the same)), (Par. (0059) “virtual machine may verify the authenticity of the digital signature by generating a hash of the software application to obtain a generated hash, applying the public signature key to the digital signature to obtain a recovered hash, and comparing the generated hash with the recovered hash.”; whether the hash matches a reference hash associated with the reference user (comparing the generated hash with the recovered hash))
However Yach and Johnston do not explicitly teach that is further based at least in part on the one or more second inherence identifiers of the user, which were captured during the attempt of the user to log into the computing device, the application, or the service; and 
Wherein Royyuru teaches that is further based at least in part on the one or more second inherence identifiers of the user, which were captured during the attempt of the user to log into the computing device, the application, or the service; and ((Par. (0026) “Biometric sensors 112 may include fingerprint sensors, microphones for receiving audio inputs such as a voice sample, retinal scanners, cameras and software configured for facial recognition and/or retinal scanning, and and/or other biometric sensors.”; one or more second inherence identifiers ( biometric sensors include fingerprints, audio, voice scanners, retinal etc.)), (Par. (0044-0045) “For example, a user may register a fingerprint and/or other biometric input for use in logging into the mobile device and/or for use with other mobile applications. A user of the mobile device may be authenticated based on the comparison of the received biometric input and the stored biometric input at block 412. In some embodiments, the received biometric input [..] after the received biometric input is matched with the stored biometric input, the user credentials”; which were captured during an attempt of the user to log into a computing device an application (fingerprint or biometric used in logging into the mobile device/application) to match one or more respective reference inherence identifiers (match the biometric input) that identifies the reference user (corresponding to user credentials)), (Par. (0004) “receiving the biometric input using a biometric sensor of the mobile device and comparing the received biometric input with a stored biometric input. The stored biometric input may be stored on the memory of the mobile device.”; to match one or more respective reference inherence identifiers (comparing the received biometric input with a stored biometric input associated with user of mobile device))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Royyuru within the teaching of Yach and Johnston for the reasons discussed in dependent claim 15 stated above. 


Relevant Prior Art

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Brooks; Richard (U.S Pub. No. 20210029151) “Methods For Verification Of Software Object Authenticity And Integrity”. Considered this reference because it addressed software applications and authenticating by using inherence identifiers and various factors.

HIGH; Donald R. (U.S Pub. No. 20190268159) “SYSTEM AND METHOD FOR A DIGITAL IDENTITY SYSTEM”. Considered this application because it relates to verifying the identity of firmware or software code users and providers based on multi-factor authentication. 

McFarland, JR.; (U.S Pub.  No. 20210397431) “EXECUTION OF TRANSPORT SOFTWARE UPDATE”. Considered this application because it addressed comparing hash values and device ID’s of software code to identify a valid user .

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN A HUSSEIN whose telephone number is (571)272-3554. The examiner can normally be reached on 7:30am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/H.A.H./Examiner, Art Unit 2497                                                                                                                                                                                                        /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497