Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 3-8, 10-15, and 17-21 is/are rejected under 35 U.S.C. 102(a)(2) as being antedated by United States Patent Application Publication No.: US 2022/0129903 A1 (SAMBHAR et al.).

As Per Claim 1: SAMBHAR et al. teaches: A computing platform, comprising:
 at least one processor;
 a communication interface communicatively coupled to the at least one processor; and
 a memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:

- receive a request to process an event;
	(SAMBHAR et al., Paragraph [0081], “At step 610, a user may initiate a transaction. The transaction may include a merchant location, service provider, financial institution, online transaction, etc. For example, the user may enter an ATM or login to bank portal to carry out a transaction. The user may also initiate an interaction for access or other action. The description is not limited to transactions but may include other forms of access, authentication, verification, etc.”).

- receive, from a first computing device, user identifying data of a user;
	(SAMBHAR et al., Paragraph [0082], “At step 612, the ATM machine and/or system may recognize the user. This may involve an initial level of user identification through a biometric verification, user credentials, user identifier, password, associated payment instrument, card instrument, etc. According to another embodiment of the present invention, this initial user identification may be optional.”).


- responsive to receiving the user identifying data, retrieve, from a database, user data and user computing device data associated with the user, the user computing device being a pre-registered device;
- generate, based on the user data, an interactive authentication data request;
- transmit the generated interactive authentication data request to the user computing device;
- receive, from the user computing device, authentication response data;
	(SAMBHAR et al., Paragraph [0051], “When making purchases, a QR code or other merchant identifying code may be used in conjunction with the request for an OTP to ensure that the card is being used at a proper location. For example, a code may be requested by a user's pre-registered device or from a user's financial account portal accessible on any device with proper connectivity.”).
	(SAMBHAR et al., Paragraph [0083], “At step 614, the bank system may identify a list of IoT devices. For example, the system may provide a list of IoT enabled devices associated with the user on a user display. In this example, the user may select using a touchscreen or other input. Other forms of interaction and input may be implemented. For example, the user may proactively identify a group of IoT devices. According to another example, the system may also identify IoT devices that are not specific to the user. These devices may be public or semi-public devices that the user has interacted with, such devices may include devices at airports, car rentals, taxis, hotels, other travel-type areas, government buildings, etc.”).
	(SAMBHAR et al., Paragraph [0084], “At step 616, the user may select a required predetermined number of devices for the available options. For example, user may select 4 devices, such as a car, laptop, television and refrigerator. User may select only the required number of devices for the devices which the user has listed with the account. The system may require variations based on the user associated IoT devices. For example, the system may also require a predetermined order of devices for user authentication. In this example, the system may require a combination of three devices in a particular order. According to another example, the system may require more devices, e.g., four devices, but an order may not be required. Also, the system may require a combination of IoT devices from different locations, in order words, the system may not accept devices all from the user's home. Based on a risk level and/or other data, the system may require more detailed information and/or a higher number of IoT devices for authentication. For lower risk and/or routine interactions, the system may ask for less detailed IoT input, or a lower number of IoT devices, for example. In addition, the user may designate one device as a device that is not part of the authentication so that when the device is selected, the system is alerted that the interaction is a fraudulent (or the customer is under duress and is signaling for assistance). Other variations of user input may be specified.”).

- compare the authentication response data to pre-stored authentication data of the user from the user data;
- responsive to determining, based on the comparing, that the authentication response data matches the pre-stored authentication data:
- authenticating the user;
 generating a first authentication output;
 transmitting the first authentication output to at least one of: the first computing device and the user computing device; and
 processing the requested event; and
- responsive to determining, based on the comparing, that the authentication response data does not match the pre-stored authentication data:
- denying the request to process the event;
- generating a second authentication output different from the first authentication output; and
- transmitting the second authentication output to at least one of: the first computing device and the user computing device.
	(SAMBHAR et al., Paragraph [0085], “At step 618, the system may verify that the selected devices are associated with user's profile. If not, the system may allow the user to try again. If yes, the system may connect to the devices and transmit requests, at step 620. For example, the system may access details (e.g., device identifier, IP address, authentication details, etc.) to connect to those devices over a network connection, e.g., a Cloud connection, through authentication. For example, a Cloud connection may identify the device using the device identifier and may send a corresponding request to an appropriate sensor network using gateways and/or other components.”).
	(SAMBHAR et al., Paragraph [0086], “At step 622, each device may verify user interaction. This may involve verifying a last log-in within a predetermined period of time, e.g., whether user logged-on, activated and/or other interacted with the device in last 24 hours (or other time period). A device may verify other data as well, including last interaction, type of interaction, other associated actions with other devices, etc. Each device may provide interaction data, via a hash or other response.”).
	(SAMBHAR et al., Paragraph [0087], “At step 624, upon a successful verification of user, the given device may provide a response (e.g., a required hash) to the Cloud which may then respond back to the system. For example, a hash may be generated using a custom hardware installed on the device or it may be any unique serial number of the device (e.g., a car's engine number, chassis number, television display's serial number, etc.) Also, a bank system may use the hashes provided by each of the user selected devices to verify the user. The bank system may store the device's unique hash in its own data store for verification. Another option is to generate the required unique hash for each device and assign to it at the time of activating the device with the account. Accordingly, upon successful authentication, the user may perform a transaction on a given banking platform/system. Other types of response data and/or secured data may be implemented.”).
	(SAMBHAR et al., Paragraph [0038], “User IoT Device 122 may represent various IoT devices associated with the user. IoT devices may include devices, appliances, automobiles, home control devices and/or any device capable of sending and/or receiving network signals and/or data. IoT devices may include entrance portals (e.g., security devices that grant or deny access, etc.). IoT devices may include devices in common or public areas, e.g., hotel lobby, airport, tolls, etc. For example, a user may check-in at a hotel or enter a hotel room with an authorized room key. This information may be used to confirm user authentication in a local area.”).

As Per Claim 3: The rejection of claim 1 is incorporated and further SAMBHAR et al. teaches: 
- the user data and user computing device data are captured during a registration process before receiving the request to process the event.
	(SAMBHAR et al., Paragraph [0051], “When making purchases, a QR code or other merchant identifying code may be used in conjunction with the request for an OTP to ensure that the card is being used at a proper location. For example, a code may be requested by a user's pre-registered device or from a user's financial account portal accessible on any device with proper connectivity.”).

As Per Claim 4: The rejection of claim 1 is incorporated and further SAMBHAR et al. teaches: 
- the interactive authentication data request includes a request for at least one of: a username and password, one-time passcode, personal identification number, or biometric data.
	(SAMBHAR et al., Paragraph [0007], “According to one embodiment, the invention relates to an authentication system that comprises: a memory that stores and manages account data and interaction data associated with a customer; an interface that communicates with one or more devices associated with the customer; and a computer processor, coupled to the memory and the interface. The computer processor is programmed to: receive a signal indicating an initiation of a transaction by the customer; generate a one-time PIN for the customer; transmit the one-time PIN to the customer; and authenticate the transaction upon receipt of the one-time PIN from the customer.”).
	(SAMBHAR et al., Paragraph [0023], “An embodiment of the present invention is directed to user authentication that incorporates a fingerprint generated based on the user's IoT enabled devices. The IoT based fingerprint may be used alone and/or with a user's biometric, credentials and/or other form of identification. The system may verify the IoT based fingerprint and then enable the user to proceed with a transaction.”).
	(SAMBHAR et al., Paragraph [0082], “At step 612, the ATM machine and/or system may recognize the user. This may involve an initial level of user identification through a biometric verification, user credentials, user identifier, password, associated payment instrument, card instrument, etc. According to another embodiment of the present invention, this initial user identification may be optional.”).

As Per Claim 5: The rejection of claim 1 is incorporated and further SAMBHAR et al. teaches: 
- responsive to receiving the authentication response data, analyze the authentication response data to determine whether it includes a trigger.
	(SAMBHAR et al., Paragraph [0084], “At step 616, the user may select a required predetermined number of devices for the available options. For example, user may select 4 devices, such as a car, laptop, television and refrigerator. User may select only the required number of devices for the devices which the user has listed with the account. The system may require variations based on the user associated IoT devices. For example, the system may also require a predetermined order of devices for user authentication. In this example, the system may require a combination of three devices in a particular order. According to another example, the system may require more devices, e.g., four devices, but an order may not be required. Also, the system may require a combination of IoT devices from different locations, in order words, the system may not accept devices all from the user's home. Based on a risk level and/or other data, the system may require more detailed information and/or a higher number of IoT devices for authentication. For lower risk and/or routine interactions, the system may ask for less detailed IoT input, or a lower number of IoT devices, for example. In addition, the user may designate one device as a device that is not part of the authentication so that when the device is selected, the system is alerted that the interaction is a fraudulent (or the customer is under duress and is signaling for assistance). Other variations of user input may be specified.”).
	Designated duress alert.

As Per Claim 6: The rejection of claim 5 is incorporated and further SAMBHAR et al. teaches: 
- responsive to determining that the authentication response data includes a trigger, executing one or more duress functions before comparing the authentication response data to the pre-stored authentication data; and responsive to determining that the authentication response data does not include a trigger, comparing the authentication response data to the pre-stored authentication data.
	(SAMBHAR et al., Paragraph [0084], “At step 616, the user may select a required predetermined number of devices for the available options. For example, user may select 4 devices, such as a car, laptop, television and refrigerator. User may select only the required number of devices for the devices which the user has listed with the account. The system may require variations based on the user associated IoT devices. For example, the system may also require a predetermined order of devices for user authentication. In this example, the system may require a combination of three devices in a particular order. According to another example, the system may require more devices, e.g., four devices, but an order may not be required. Also, the system may require a combination of IoT devices from different locations, in order words, the system may not accept devices all from the user's home. Based on a risk level and/or other data, the system may require more detailed information and/or a higher number of IoT devices for authentication. For lower risk and/or routine interactions, the system may ask for less detailed IoT input, or a lower number of IoT devices, for example. In addition, the user may designate one device as a device that is not part of the authentication so that when the device is selected, the system is alerted that the interaction is a fraudulent (or the customer
	(SAMBHAR et al., Paragraph [0085], “At step 618, the system may verify that the selected devices are associated with user's profile. If not, the system may allow the user to try again. If yes, the system may connect to the devices and transmit requests, at step 620. For example, the system may access details (e.g., device identifier, IP address, authentication details, etc.) to connect to those devices over a network connection, e.g., a Cloud connection, through authentication. For example, a Cloud connection may identify the device using the device identifier and may send a corresponding request to an appropriate sensor network using gateways and/or other components.”).
	(SAMBHAR et al., Paragraph [0086], “At step 622, each device may verify user interaction. This may involve verifying a last log-in within a predetermined period of time, e.g., whether user logged-on, activated and/or other interacted with the device in last 24 hours (or other time period). A device may verify other data as well, including last interaction, type of interaction, other associated actions with other devices, etc. Each device may provide interaction data, via a hash or other response.”).

As Per Claim 7: The rejection of claim 5 is incorporated and further SAMBHAR et al. teaches: 
- a presence of a predefined duress character in the authentication response data or an additional character in the authentication response data.
	(SAMBHAR et al., Paragraph [0084], “At step 616, the user may select a required predetermined number of devices for the available options. For example, user may select 4 devices, such as a car, laptop, television and refrigerator. User may select only the required number of devices for the devices which the user has listed with the account. The system may require variations based on the user associated IoT devices. For example, the system may also require a predetermined order of devices for user authentication. In this example, the system may require a combination of three devices in a particular order. According to another example, the system may require more devices, e.g., four devices, but an order may not be required. Also, the system may require a combination of IoT devices from different locations, in order words, the system may not accept devices all from the user's home. Based on a risk level and/or other data, the system may require more detailed information and/or a higher number of IoT devices for authentication. For lower risk and/or routine interactions, the system may ask for less detailed IoT input, or a lower number of IoT devices, for example. In addition, the user may designate one device as a device that is not part of the authentication so that when the device is selected, the system is alerted that the interaction is a fraudulent (or the customer is under duress and is signaling for assistance). Other variations of user input may be specified.”).
	The designated additional device.


As Per Claims 8 and 10-14: Claims 8 and 10-14 are substantially a restatement of the computing platform of claims 1 and 3-7 as a method and are rejected for substantially the same reasoning.

As Per Claims 15 and 17-21: Claims 15 and 17-21 are substantially a restatement of the computing platform of claims 1 and 3-7 as a non-transitory computer-readable media and are rejected for substantially the same reasoning.

Claim Rejections - 35 USC § 102/103
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 2, 9, and 16 is/are rejected under 35 U.S.C. 102(a)(2) as antedated by or, in the alternative, under 35 U.S.C. 103 as obvious over United States Patent Application Publication No.: US 2022/0129903 A1 (SAMBHAR et al.).



As Per Claim 2: The rejection of claim 1 is incorporated and further *** doesn’t explicitly teach: the user identifying data of the user is received via user input provided by a user other than the user.
	However the examiner is giving official notice that this limitation as presented is little more than happenstance and human interaction. In common understanding, while in poor form, even asking a friend to hit an ok button due to ones hands being full would qualify.
	Examiner considers that the limitation may still fall under 35 USC 102 as no functional technical element of the invention is being affected by this limitation substantially presenting non-function descriptive material.

As Per Claim 9: The rejection of claim 8 is incorporated and further claim 9 is substantially a restatement of the computing platform of claim 2 as a method and is rejected under substantially the same reasoning.

As Per Claim 16: The rejection of claim 15 is incorporated and further claim 16 is substantially a restatement of the computing platform of claim 2 as a non-transitory computer-readable media and is rejected under substantially the same reasoning.

Additional Prior Art
United States Patent Application Publication No.: US 2018/0357645 A1 (Caution et al.). provided another authentication system analogous to the field of endeavor.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached 9:00 a.m. - 5:00 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BENJAMIN A KAPLAN/Examiner, Art Unit 2434