DETAILED ACTION
Acknowledgements
This action is in response to Applicant’s filing on Oct. 14, 2022, and is made Final. This action is being examined by James H. Miller, who is located in Dallas, Texas, in the central time zone (CST), and who can be reached by email at James.Miller1@uspto.gov or by telephone at (469) 295-9082. 
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. Examiner is available for interviews, generally: M–F, 10 a.m.–4:00 p.m., CST.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Status
The status of claims is as follows: 
Claims 1–6, 8–16, and 18–22 are now pending and examined with Claims 1 and 11 in independent form.
Claims 1–3, 5, 10–13, 15, and 20 are presently amended. 
Claims 7 and 17 are presently cancelled. 
Claims 21 and 22 are presently added.
Response to Amendment
Applicant's Amendment has been reviewed against Applicant’s Specification filed Oct. 31, 2019, [“Applicant’s Specification”] and accepted for examination. No new matter was entered. 

Response to Arguments
35 U.S.C. § 101 Argument
	Applicant argues the claims have been amended so that they no longer recite “the abstract idea exception of certain methods of organizing human activity” and specifically, amended “to remove all limitations relating to commerce.” Applicant’s Reply at *9. Rather, after amendment, the claims are “directed to a system and method for authentication. In addition, Applicant notes that the Claims do not fall under either of the remaining enumerated groupings of abstract ideas because a system and method of authentication is neither a "mathematical concept" nor a "mental process".” Id. at *10.
Applicant argument has been fully considered but is not persuasive for the reason here and in the § 101 rejection below. Applicant’s amendments broaden the claim terms and under BRI and in view of Applicant’s Specification, their character has not materially changed from that of Non-Final Office Action mailed Sept. 7, 2022 [“Non-Final Office Action”]. Accordingly, amended claims has not changed the § 101 legal analysis. For example, “learning … the user’s spending habits and patterns” was amended to “learning … the user’s Applicant’s Specification discloses that the user’s habits and patterns are only those regarding “spending.” Spec., ¶ [0014]. Likewise, “receiving … a transaction request associated with a payment instrument from … a point of sale system” was amended to “receiving … a transaction request associated with an transaction initiation system” and Applicant’s Specification makes clear that the “instrument” is a payment instrument and the “transaction initiation system” is a POS device. Spec., Abstract (“The invention relates to implementing rules based authentication for credit card transactions. The system and method may involve: receiving a transaction request associated with a card product from a user at a point of sale system.”). As the character of the claims has not materially changed, the pending claims recite the same abstract idea exception of certain methods for organizing human activity as recited in the Non-Final Office Action for the same reason. Non-Final Act. at *10; MPEP § 2106.04(a)(2)(II).
35 U.S.C. § 103 Argument
Applicant argues the prior art of record Hammad, does not disclose the limitation “upon receiving an improper authentication input" because an “unusual and/or suspicious transaction” as cited by Examiner is not necessarily “an improper authentication input” or an authentication input at all because “an ‘authentication input’ is actually "information that is intended to determine the authenticity or truthfulness of something.” Applicant’s Reply at *10–1. Applicant further avers that none of the cited prior art cures this deficiency. Id.at *12. Applicant’s argument is not persuasive for the reasons here and in the § 103 rejection below. Applicant appears to misapprehend the Non-Final Office Action mailed Jul. 29, 2022 [“Non-Final Office Action”] and the prior art. 
Applicant’s Specification explains in Fig. 2, an “exemplary flowchart for implementing multiple rules based authentication.” Spec., ¶ [0033]. “At step 218, a user may be authenticated. Authentication of the user may include transmitting an authentication request to the user and then analyzing the authentication input from the user.” Spec., ¶ [0038] (emphasis Examiner). “If the user is not authentication [sic], the transaction may be denied at 220, an alternative [second] authentication mode may be applied at 222 or other action may be performed at step 224. If the [first] authentication input from the user is incorrect, the transaction may be denied. According to another scenario, an embodiment of the present invention may apply an alternative or subsequent [second] authentication request [if the first authentication request is incorrect].” Spec., ¶ [0039] (alternations and emphasis Examiner). Thus, an “improper” authentication input is one that functions to deny the transaction, apply “an alternate [second] authentication mode,” or performs “other action.” The claims recite that “upon receiving the improper authentication input” the following actions are performed: (1) “automatically informing the user of the improper authentication input” (“other action”); and (2) “activating an additional security authentication mode requiring biometric input information” (alternate [second] authentication mode”]. 
Hammad discloses, a graduated security seasoning [“GSS”] apparatus, method, and system that uses historical fraud reports to dynamically set transaction approval triggers. Hammad, ¶ [0030]. Hammad explains that “a failure of [a first] authentication may result not in a full denial of the transaction, but in an escalation of the challenge [second authentication] presented to the entity taking the action.” Hammad, ¶ [0036]. An “escalation of the challenge” is an “escalated security protocol.” Hammad, ¶ [0030]. Hammad explains that security protocols range from low (security protocol set 1), medium (security protocol set 2), high (security protocol set 3), and maximum (security protocol set 4) burden on the user. Hammad, Fig. 8A. Security protocol set 1 “may only require a response from a device of the user, without requiring the user to provide any input for the device to generate a response.” Hammad, ¶ [0033]. Therefore, relevant to the claimed invention, the first failed authentication as disclosed by Hammad cannot be security protocol set 1 (the lowest) because it dos not require the user to input anything.
Second, “the GSS may appropriately escalate (or de-escalate, as the case may be) the security protocol(s) required to mitigate [transaction] risk. Thus, as transaction risk increases, so does the corresponding transaction risk score … [and] the security protocol required to authorize the transaction.” Hammad, ¶ [0032]. For example, “the GSS may escalate the protocols employed from security protocol set 1 to security protocol set 2 (103b).” Hammad, ¶ [0033]. “[T]he GSS may escalate the security protocol set for the entities involved in the transaction to security protocol set 3 (103c) or security protocol set 4 (103d).” Id. Video challenges correspond to the highest level, i.e., security protocol set 4. Hammad, Fig. 8A. Escalation of the security protocol may occur due to “responses to secure authentication requests.” Hammad, ¶ [0031]. Further, “a user suspected of being fraudulent may be asked to engage in any of the security protocols listed in FIG. 8A.” Hammad, ¶ [0051]. Notably, “a user suspected of fraud” suggests a first authentication failed and a second authentication would be presented. Id. Further, relevant to the claimed invention, only an improper security level response (authentication) would increases the security protocol or be asked to engage in another security protocol (because a proper security level response would authenticate the user—not increase security).
Last, Hammad explains that “authentication of a transaction can be done separately from authorization/payment, in any environment (e.g., electronic commerce, mobile payments, person-to-person, etc.)” or “authentication may be integrated into the authorization flow, e.g., as illustrated in FIG. 11A.” Hammad, ¶ [0036]. Therefore, relevant to the claimed invention, the  unusual or suspicious transaction could describe improper authentication because authentication is “integrated into the authorization flow.”
With that as background, Hammad explains that “a failure of [a first] authentication may result not in a full denial of the transaction, but in an escalation of the challenge [second authentication] presented to the entity taking the action.” Hammad, ¶ [0036]. An “escalation of the challenge” is an “escalated security protocol.” Hammad, ¶ [0030]. Hammad further discloses “the GSS may detect an unusual and/or suspicious transaction” and use “the VerifyChat feature to communicate with the user, and verify the authenticity of the originator of the purchase transaction.” Hammad, ¶ [0128].
Would “a failure of [first] authentication” correspond to the “unusual and/or suspicious transaction” as cited in the Non-Final Office Action Hammad, ¶ [0128]?
 
Yes. Hammad explains that transaction risk is determined by a transaction risk score, which is determined by, in part, by “responses to secure authentication requests.” Hammad, ¶ [0031]. A proper response would authenticate the user and an improper response does not. An improper response would increases the transaction risk score in the same way as “an unusual and/or suspicious transaction” and necessitate a second authentication, as here, a video chat challenge. If it was known the first challenge was fraud, then there would be no need for a second authentication challenge. It is also notable that Applicant’s Specification does not recite claim term “improper” at all. Therefore, Examiner interprets “improper authentication input” as a “unusual and/or suspicious transaction” or “failure of a [first] authentication” because it produces the same function as describe in Applicant’s Specification, Spec. ¶ [0039] (cited supra) to deny the transaction, apply “an alternate [second] authentication mode,” or performs “other action” and the same functions recited by the claims, i.e., (1) “automatically informing the user of the improper authentication input”; and (2) “activating an additional security authentication mode requiring biometric input information.”
 Alternatively, Hammad, ¶ [0038], “If, however, there are security protocols [plural] that may mitigate the risk if successfully completed, then the GSS may request the entities involved in the transaction (e.g., user, user device, merchant, merchant device, issuer, acquirer, etc.) to provide security data, e.g., 224, 219. The entities may provide the requested security data, otherwise the GSS may deny the transaction request.” Not providing any requested security data could also be construed as receiving “improper” security protocol input under BRI. Security protocols are authentication input such as user PIN, user password, video challenge, etc. See at least Fig 8A and associated text ¶ [0048] (identifying example security protocols).
Applicant argues the prior art of record Tetali, does not disclose the amended limitation “applying an additional authentication request when the user is not verified."  Applicant’s Reply at *12–3. Further, Hammad does not cure this defect because Hammad does not disclose “an improper authentication input.” Id. at *13. Applicant’s argument is not persuasive.  Hammad discloses “an improper authentication input” as explained supra. Hammad, ¶ [0036]. Hammad further discloses that the limitation at issue. See at Hammad ¶ [0036], “a failure of [first] authentication may result not in a full denial of the transaction, but in an escalation of the challenge [additional authentication] presented to the entity taking the action.” Hammad, ¶ [0128] (video challenge) as further explained in the § 103 rejection below.
Applicant argues new Claims 21 and 22 are not disclosed by the prior art of record. Examiner respectfully disagrees. Hammad discloses a first authentication escalated to a second authentication described by Hammad as a video challenge. Hammad, ¶ [0128]. News Claims 21 and 22 which recite “wherein the verifying the user comprises applying a verification of the authentication" is also disclosed by Hammad, ¶ [0128], “a customer service representative, e.g., agent 2124, may manually determine the authenticity of the user using the video of the user. In some implementations, the GSS may utilize face, biometric and/or like recognition (e.g., using pattern classification techniques) to determine the identity of the user. … the user may not have initiated the transaction, e.g., the transaction is fraudulent. In such implementations, the user may cancel the challenge. The GSS may then cancel the transaction, and/or initiate fraud investigation procedures on behalf of the user.” “[A]pplying a verification of the authentication” is “manually determining the authenticity of the user using the video” is not fraudulent or “determining the identity of the user” is not fraudulent.

Claim Objections
Claim 1 is objected to because of the following informalities.  Appropriate correction is required.
Claim 1: It is believed that a “:” (colon) should be placed after the second “including” at the end of the “authentication rule selection engine” limitation. See Limitation C in the § 101 rejection below.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
 
Claims 1–20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., an abstract idea) without significantly more. 

Analysis
Step 1: Claims 1–20 are directed to a statutory category. Claims 1–10 recite  “a system” and are therefore, directed to the statutory category of “a machine.” Claims 11–20 recite  “a method” and are therefore, directed to the statutory category of “a process.” 
Representative Claim
Claim 1 is representative [“Rep. Claim 1”] and recites, in part, emphasis added by Examiner to identify limitations with normal font indicating the abstract idea exception, bold limitations indicating additional elements, and letters and underline for clarity in describing the limitations:
1. A system 

[A] for implementing a hierarchy of rule-based security authentication modes, the system comprising: 

[B] a memory component that stores one or more user authentication profiles; and

[C] an authentication rule selection engine including a computer processor, coupled to the memory component, the computer processor programmed to perform operations, including[:] 

[D] receiving from a user, via the computer processor, a selection of a plurality of authentication profiles, the authentication profiles including one or more security authentication modes based on one or more attributes for a potential user transaction request; 

[E] learning, via the computer processor, the user's habits and patterns; 

[F] providing, via the computer processor, feedback to the user including one or more suggestions to update the user selection of the plurality of authentication profiles based on the learned user’s spending habits and patterns; 

[G] receiving, via a transaction gateway, a transaction request associated with an instrument from a user at a transaction initiation system;

[H] determining, via the computer processor, a plurality of transaction attributes for the transaction request including a transaction location, a transaction recipient, a transaction type, a transaction amount, and a wifi network for the transaction request; 

[I] determining, via the computer processor, a security authorization mode for the transaction request based on the plurality of transaction attributes;

[J] executing, via the computer processor, an authentication rule for the transaction request; 

[K] transmitting, via a communication network, an authentication request via the security authorization mode based on the authentication rule;

[L] requiring an authorization input from the user responsive to the authentication request; 

[M] upon receiving a proper authentication input, verifying the user and proceeding with the transaction request; and

[N] upon receiving an improper authentication input: 

	[O] automatically informing the user of the improper authentication input via one or more modes of electronic communication;

	[P] activating an additional security authentication mode requiring biometric input information; and

	[Q] applying [transmitting] an additional authentication request when the user is not verified.

Claims are directed to an abstract idea exception.
Step 2A, Prong One: Rep. Claim 1 recites in “implementing a hierarchy of rule-based security authentication modes [for transaction requests],” in the preamble, Limitation A, which recites the abstract idea exception of certain methods of organizing human activity, such as mitigating risk or sales activities. MPEP § 2106.04(a)(2)(II). Limitations D–Q are the required steps to “implement[ ] a hierarchy of rule-based security authentication modes [for transaction requests]” and therefore, recites the same exception. Id. 
Alternatively, Limitations D–Q, also recite the abstract idea exception of mental processes. MPEP § 2106.04(a)(2)(III). These limitations, as drafted, recite a mental process that under the broadest reasonable interpretation, cover performance in the human mind or with pen and paper but for the recitation of the generic computer components indicated in bold. 
For example, but for the generic computer components claim language, the claim encompasses merchant’s setting store policy that transaction amounts over $10,000 and paid using cash, require the presentment of a driver’s license (DL), manager approval, and as required by IRS regulations, the completion of “Form 8300, Report of Cash Payments Over $10,000 Received in a Trade or Business.”1 In this example, “authentication profiles,” as claimed, could be users executing a transaction with cash over $10,000, with cash less than $10,000, with a credit card for any purchase amount, or with a debit card with any purchase amount. The “one or more attributes of a transaction request” are the transaction amount and currency type (cash, credit, or debit) and the “security authentication modes” are for purchasers to show a DL for cash purchases over $10,000 or not (Limitation D). The IRS who sets the $10,000 cash reporting limit or a merchant, could learn user’s buying habits and patterns and provide suggestions (lessons learned) and recommendations (or laws through the legislature) to merchant’s who have lots of purchases with cash greater  than $10,000. Merchants could likewise do the same. (Limitation E). Providing these recommendation could be an paper IRS Bulletin mailed to merchants or a company memo about user’s habits and patterns (Limitation F)2. When an cash transaction greater than $10,000 is made, the merchant determines transaction attributes (Limitations G & H) such that the purchase amount and current type, determines a security authorization mode for the user to show their DL (Limitation I), executing the DL request to the clerk (Limitation J), the clerk seeking manager approval of the transaction (Limitation K). The manager reviews the user’s DL, verifies the user, and proceeds with the transaction (Limitations L & M). If the user does not have their DL (Limitation N), the manager informs the user that a DL is required to complete the transaction per company policy (Limitation O). As a substitute, the user provides their military ID (not DL) (Limitations P & Q). The preceding explanation is merely exemplary. 
In further support that Limitations D–Q may be performed in the human mind or with pen and paper, the transaction request, transaction attributes, authentication profiles, security authentication modes, learning the user’s habits and patterns, and providing feedback to the user, for example, is under BRI, not limited by any particular data structure, may be formatted in any non-computer readable format, and may comprise any information sufficient to identify the relevant information, such as handwritten text. If a claim limitation under BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract idea exception. MPEP § 2106.04(a)(2)(III).
Step 2A, Prong Two: The claims do not contain additional elements that integrate the abstract idea exception into a practical application because the additional elements are mere instructions to apply the abstract idea exception. MPEP § 21-6.05(f). The additional elements are limited to the computer components and indicated in bold, supra. The additional elements are: an authentication rule selection engine including a computer processor, coupled to a memory component, a transaction gateway, a transaction initiation system, a communication network, a wifi network; and “electronic” characterization of a communication.
Regarding the an authentication rule selection engine comprising a computer processor, coupled to a memory component, a transaction gateway, a transaction initiation system, a wifi network, a communication network, and “electronic”  [collectively, “computer components”], Applicant’s Specification does not otherwise describe them or describes them using exemplary language as a generic server, generic user communication device, or part of a generic server or device. The transaction initiation system is interpreted as a POS device and the authentication rule selection engine, transaction gateway, and “electric” characterization of a communication is interpreted as a generic server or user device in view of Applicant’s Specification. Spec., ¶¶ [0026], [0042]. Thus, Examiner assumes Applicant intended merely generic computer and computer components. E.g., Spec. ¶ [0042] (generic server/user devices with generic processor and memory storing instructions); ¶ [0043]–[0048] (describing generic programmed processor, memory, authentication rules selection engine), ¶ [0041] (generic communication network), ¶ [0021] (generic wifi network). 
Limitation B describes the memory component storing data. Limitation C describes the authentication rule selection engine and computer processor, coupled to the memory component. Examiner interprets coupled as “transmitting and receiving data.” Limitation C further describes the computer processor being programmed, which is interpreted as storing software instructions. This takes generic hardware/software and describes the functions of receiving, storing, and transmitting data (instructions) between the processor and memory component, which merely invokes computers or other machinery in its ordinary capacity to receive, store, or transmit data. MPEP § 2106.05(f)(2). Limitations D–Q describe the “computer components,” performing the steps of the claimed invention, which represents the abstract idea itself. Performing the steps of the abstract idea itself simply adds a general purpose computer after the fact to an abstract idea exception, MPEP § 2106.05(f)(2), or generically recites an effect of the judicial exception. MPEP § 2106.05(f)(3). All other computer components function in the way they normally would. For example, the transaction gateway receives transaction requests, transaction requests are initiated (transmitted) from a transaction initiation system, and the communication network and wifi network transmits.
Alternatively, Limitations E & F recite the authentication rule selection engine comprising a computer processor and coupled to a memory component “learning … the user’s spending habits and patterns” (Limitation E) and “providing … feedback to the user, including one or more suggestions to update the user selection of the plurality of authentication profiles based on the learned user's spending habit and patterns” (Limitation F), which recite simple mental process. MPEP § 2106.04(a)(2)(III). These limitations, as drafted, recite a simple mental process that under the broadest reasonable interpretation, cover performance in the human mind or with pen and paper, but for the recitation of the generic computer components. For example, but for the generic computer components claim language, the claim encompasses a consultant speaking with a user about their spending habits and patterns, forming a simple mental judgment about them, and offering suggestions. In further support that Limitations E & F may be performed in the human mind or with pen and paper, the spending habit, patterns, suggestions, and leaning is under BRI, not limited by any particular data structure, may be formatted in any non-computer readable format, and may comprise any information sufficient to identify the relevant information, such as handwritten text and spoken conversation. If a claim limitation under BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract idea exception. MPEP § 2106.04(a)(2)(III). The inventive concept cannot be furnished by an abstract idea exception. MPEP § 2106.05 (citing and quoting RecogniCorp, LLC v. Nintendo Co., 855 F.3d 1322, 1327, 122 USPQ2d 1377 (Fed. Cir. 2017) ("Adding one abstract idea (math) to another abstract idea (encoding and decoding) does not render the claim non-abstract").
Applicant’s Specification discloses “An embodiment of the present invention may rely on artificial intelligence, machine learning and neural networks to analyze user spending habits and patterns and provide a self-learning feature” but no further explanation by Applicant’s Specification of how “artificial intelligence, machine learning and neural networks” are used to accomplish the “learning” is described, as explained in the enablement rejection under § 112(a) in the immediately prior Final Office Action. Spec., ¶ [0014]. However, arguendo, even if a computer were to perform the “learning” by “artificial intelligence, machine learning and neural networks,” and undue experimentation by a PHOSITA was not a concern, this high-level of claiming “learning” reads neatly on “use a computer.” MPEP § 2106.05(f).
Therefore, the additional elements are no more than mere instructions to apply the exception using generic computer components and not a practical application. MPEP § 2106.05(f). The additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on the abstract idea. Accordingly, Rep. Claim 1 is directed to an abstract idea. Rep. Claim 1 is not substantially different than Independent Claim 11 and includes all the limitations of Rep. Claim 1. Independent Claim 11 contains no additional limitations. Therefore, Independent Claim 11 is also directed to the same abstract idea.
Step 2B:  Rep. Claim 1 fails Step 2B because the additional elements are not integrated into a practical application. As discussed with respect to Step 2A, Prong Two, the additional elements in the claim amount to no more than mere instructions to apply the exception using a generic computer/computer components. The same analysis applies here in Step 2B. Mere instructions to apply an exception using a generic computer/computer components cannot provide an inventive concept. MPEP § 2106.05(f).
Claims do not apply the judicial exception in some other meaningful way; a practical application not found in ordered combination of elements.

The pending claims in their ordered combination of elements is not inventive. First, the claims are directed to an abstract idea. Second, each claim element represents a currently available generic computer technology, used in the way in which it is commonly used (individually generic). Last, Applicant’s Specification discloses that the ordered combination of elements is not inventive. Spec., ¶ [0033] (steps may be performed in any order); ¶ [0043]–[0048] (any combination of hardware/software).
	There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. Their collective functions merely provide conventional computer implementation of the abstract idea. Thus, Rep. Claim 1 does not provide an inventive concept. Rep. Claim 1 is not substantially different than Independent Claim 11 and includes all the limitations of Rep. Claim 1. Independent Claim 11 contains no additional limitations. Therefore, Independent Claim 11 also do not recite an inventive concept. 
Dependent Claims Not Significantly More
Dependent claims are dependent on Independent Claims and include all the limitations of the Independent Claims. Therefore, all dependent claims recite the same Abstract Idea. Dependent claims do not contain additional elements that integrate the abstract idea exception into a practical application or recite an inventive concept because the additional elements: (1) are mere instructions to apply the abstract idea exception; and/or (2) further limit the abstract idea exception of the Independent Claims.  The abstract idea cannot provide the inventive concept or practical application. MPEP § 2106.05(I). 
Dependent Claims 2–6, 8–10, 12–16, and 18–22 all recite “wherein” clauses or limitations that further limit the abstract idea of the Independent Claims and contain no additional elements not otherwise analyzed supra. The inventive concept cannot be furnished by an abstract idea exception. MPEP § 2106.05.
Conclusion
Claims 1–6, 8–16, and 18–22 are therefore drawn to ineligible subject matter as they are directed to an abstract idea without significantly more. The analysis above applies to all statutory categories of invention. As such, the presentment of Rep. Claim 1 otherwise styled as another statutory category is subject to the same analysis.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1–20 are rejected under 35 U.S.C. 103 as being unpatentable over Tetali et al. (U.S. Pat. Pub. No. 2018/0293579) [“Tetali”] in view of Arora et al. (U.S. Pat. Pub. No. 2019/0260742) [“Arora”] and further in view of Hammad et al. (U.S. Pat. Pub. No. 2013/0218765) [“Hammad”]

Regarding Claim 1, Tetali discloses
A system for implementing a hierarchy of rule-based security authentication modes, the system comprising: 
(See at least ¶ [0004], The method includes storing, at the authentication computing device, a plurality of user preferences associated with a user account. The user preferences are rule-based preferences that define steps to be taken for authenticating the user for accessing the user account.” The “security authentication modes” are hierarchical (graded or ranked) because the “user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above. ¶ [0017].)

a memory component [Fig. 2, element 212] that stores one or more user authentication profiles [preferences]; and an authentication rule selection engine [Fig. 2, element 212] including a computer processor [Fig. 2, element 216] , coupled to the memory component [Fig. 2, element 212], the computer processor programmed to perform operations, including[:] 
(See at least Fig. 2, “authentication computer device 212,” and associated text ¶ [0043], where the “authentication computer device 212 is configured to store a plurality of user preferences associated with a user account … [and] determine one or more authentication challenges based, at least in part, on the user preferences.” “[D]atabase server 216 is communicatively coupled to a database 220 that stores … user preferences, authentication challenges, issuer preferences, and merchant preferences.” ¶ [0045]. Preferences are authentication rules. As shown in Fig. 2, the database (memory) 220 and database server 215 are communicatively coupled to the authentication computer device 212. Fig. 4 and associated text ¶ [0053] discloses the components of the server computer 212 and 216, shown in Fig. 2. Fig. 5, step 505 (store plurality of user preferences). “The authentication signatures and account information are stored by the authentication computer device as user preferences in a customer profile.” ¶ [0017].)

receiving from a user, via the computer processor, a selection of a plurality of authentication profiles [customer profiles], the authentication profiles, including one or more security authentication modes [authentication challenge] based on one or more attributes for a potential user transaction request; 
(Examiner interprets authentication mode as “PIN, one-time password, biometric, fingerprint, voice recognition, etc.” Spec., ¶ [0013]. Examiner interprets “authentication profile” as the specific authorization mode that is applied based on transaction details. Spec., ¶ [0013] (“a user may apply a 4 digit PIN for local everyday transactions within a predetermined spend limit, e.g., $100.00,” which is an exemplary authentication profile containing the authentication mode of “a 4 digit PIN”). 
See at least ¶ [0047], “When a customer, such as cardholder 122 shown in FIG. 1, enrolls in the service, the customer provides [selects] one or more authentication signatures (e.g., a pin, password, pattern code, digital signature, and biometric signatures). … The authentication signatures and account information are stored by authentication computer device 212 in database 220 as user preferences in a customer profile. The user preferences are rule-based preferences that define steps to be taken for authenticating the user for accessing the user account. In the example embodiment, the customer may customize his or her profile. For example, the customer may specify a preferred type of authentication challenge. The user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above. The customer may also login to authentication computer device 212 using a client system 214 to update or change the user preferences.” See also, the “second example,” ¶ [0022], requiring “a fingerprint authentication challenge [mode] for payment transactions over a certain amount outside of her home town.”)

[…]

receiving, via a transaction gateway [interchange network 128], a transaction request associated with an instrument from the user at a transaction initiation system; 
(Examiner interests “instrument” as a transaction card and “transaction initiation system” as a POS device in view of Applicant’s Specification. Spec., Abstract. 
See at least ¶ [0048], where “authentication computer device 212 and client systems 214 may be utilized to process transaction data relating to purchases a cardholder 122 makes utilizing a transaction card processed by interchange network 128 and issued by the associated issuer 130.” “[C]lient systems 214 may include point-of-sale (POS) devices associated with merchant 124 and used for processing payment transactions. ¶ [0048]. Fig. 5, step 510 (receive authentication request).) 

determining, via the computer processor, a plurality of transaction attributes for the transaction request including a transaction location [geolocation of the POS device], a transaction recipient [merchant preferences], a transaction type, a transaction amount, and a wifi network for the transaction request [IP address]; 
(See at least ¶ [0018], “During a payment transaction with a merchant registered for the payment service, the merchant initiates the transaction through a point of sale (POS) device or a website ecommerce gateway that is in communication with the authentication computer device. The merchant provides a customer identifier (name, username, preliminary authentication, or another unique identifier) to the authentication computer device to enable the authentication computer device to identify the corresponding customer profile. The authentication computer device analyzes the initiated transaction
to determine a type of authentication challenge to present to the customer. More specifically, based on the customer's preferences, the merchant's preferences, a risk assessment performed by the authentication computer device, geo location of the POS device, IP address of the computer device accessing the website, preferences of the issuer bank, and/or other analytics, the authentication computer device selects a type of authentication challenge to present the customer.” “The user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above.” ¶ [0017].)

determining, via the computer processor, a security authorization mode for the transaction request based on the plurality of one or more transaction attributes; 
(See at least Fig. 5, step 515, “determine one or more authentication challenges based at least in part on user preferences.” “Authentication computer device 212 analyzes the user preferences and the authentication request to determine 515 whether or not an authentication challenge is warranted to respond to the authentication request.” ¶ [0062]. The authorization request contains transaction attributes. ¶ [0035]. “Authentication computer device 212 may base the determination 515 of the one or more authentication challenges on at least one of the geographic location of the payment transaction, the transaction type, transaction volume, and amount of the payment transaction. The user may also set preferences based on transaction type, where transactions for fuel and/or parking do not required further authentication challenges, or where other transaction types, such as food and jewelry, would.” ¶ [0062]. ¶ [0060] (payment transaction mode based on location).)

executing, via the computer processor, an authentication rule for the transaction request; transmitting, via a communication network [NFC], an authentication request via the security authorization mode based on the authentication rule; 
(See at least ¶ [0018], “The authentication challenge is presented to the customer via the POS device [executing]. Once the customer has responded, a challenge response is sent back to the authentication computer device.” “In a payment transaction example, a user preference may be that the user indicates that all charges under $10 do not require an authentication challenge.” ¶ [0060], ¶ [0059] (types of authentication rules). Fig. 5, step 520 (“Transmit the one or more authentication challenges to be presented to a user attempting to access the user account”) and associated text ¶ [0063], where “authentication computer device 212 transmits the one or more authentication challenges to client system 214, such as a mobile computer device, a point of sale device, and a user computer device, where client system 214 is configured to present the one or “more authentication challenges to the user.” :client system 214 is in communication with another computer device, such as through a Near Field Communication (NFC) connection.” ¶ [0063].)

requiring an authorization input from the user responsive to the authentication request; 
(See at least ¶ [0063], where “Client system 214 receives the response(s) from the user and transmits those responses to authentication computer device 212.”)


upon receiving a proper authentication input, verifying the user and proceeding with the transaction request; and 
(See at least Fig. 5, step 525, “determine whether to authenticate the user based on a response to the one or more authentication challenges”. ¶ [0063], [0038]) 

[…]

Tetali does not disclose but Arora discloses 
learning, via the computer processor, the user's habits and patterns; 
(See at least ¶ [0081], “The online learning component 124 can receive attributes corresponding to multiple users, user devices, and operating environments included in multiple entity ecosystems. In some examples, the entity ecosystems for each user can be connected to the online learning component 124 via a network. The authentication system 100 can employ the generic learner 116 to learn behaviors and patterns across a
broader user population from other user's exhibiting similar behaviors. In some embodiments, the authentication system 100 need not rely solely on behaviors of a particular user to improve that user's authentication experience. The authentication system 100 can also holistically analyze the behaviors of a broader user population to learn and improve the overall authentication experience over time. To do this, the authentication model implemented by the authentication system 100 can be trained on the user preferences of the entire user population, then fine-tuned after deployment based on user behavior (e.g., trained locally on the user device 104 periodically).” The user specific learner 122 can be used to learn user behavior and patterns based on feedback from user devices for authentication events recorded by the authentication system 100. In other words, user-specific learning can be tied specifically to a particular user's preferences for modifying the authentication rule set 112 to be applicable to that specific user. Certain users may exhibit peculiar behaviors in certain scenarios distinct from other similar users and overall user population.” ¶ [0083]. “the authentication model can be a neural network or can be implemented using neural networks, decision trees, classifiers, or any combination of these.” The behaviors and patterns related authenticating purchase (spending) transactions. ¶ [0031], [0032]. See also Hammad, Fig. 1B and associated text ¶ [0035]; Fig. 7 )

providing, via the computer processor, feedback to the user, including one or more suggestions to update the user selection of the plurality of authentication profiles based on the learned user's spending habit and patterns; 
(See at least ¶ [0083], “The user specific learner 122 can be used to learn user behavior and patterns based on feedback from user devices for authentication events recorded by the authentication system 100…. For example, if the authentication system 100 prompts a user for authentication using a fingerprint authenticator, but the user 106 overrides the prompt and prefers to use iris authentication instead, the authentication system 100 records this event and uses it as a learning event. Learning events can be used to fine tune the authentication model via the user specific learner 122 so that each authentication rule set 112 is specific to each user as deployed on each specific user's device.” “Authentication events” as disclosed by Arora, ¶ [0083], occur contemporaneously with and corresponds to payment (spending) transactions. Arora, ¶¶ [0030], [0031], [0092], [0093]. “As an example of a learning event resulting in rule modification via the user specific learner 122, take the previously discussed example where the authentication system 100 avoids authentication via iris or facial recognition when the user 106 is travelling at high speeds. The user 106 may often travel via tram, such that an accelerometer of the user device 104 determines that the user 106 is travelling at high speeds. The basic heuristically determined rule may request a form of authentication different from facial recognition because the authentication system 100 may assume that the user's travelling speed correlates to inability to successfully or sufficiently capture facial authentication (e.g., user is driving, travel is turbulent, etc.). Over time, the user 106 may continually be faced with requests for an authentication type other than iris or facial authentication while travelling via train at high speeds However, the user 106 may override the rule to provide facial authentication successfully while travelling at high speeds, contrary to the rule. In this example, as a result of the successful facial authentication at high travelling speed, the user specific learner 122 may modify, delete, or reprioritize the rule to accommodate the preferred behavior of the user 106.” (feedback)).
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention, to have combined learning the user's spending habits and patterns and providing feedback to the user comprising one of more suggestions to update the user selection of the plurality of authentication profiles as explained in Arora, to the known invention of Tetali, with the motivation to “enhance the security of electronic devices” by “[i]mprov[ing]  method[s] for authenticating [a] user” with “a dynamic learning system for intelligent authentication.” Arora, ¶¶ [0002], [0004].  See also example ¶ [0084] and reasoning for user specific learner 122 to may modify, delete, or reprioritize the rule to accommodate the preferred behavior of the user 106.)

Tetali does not disclose but Hammad discloses 

upon receiving an improper authentication input: 
(See at least ¶ [0036], “a failure of [first] authentication may result not in a full denial of the transaction, but in an escalation of the challenge [additional authentication] presented to the entity taking the action.” The “failure of a [first] authentication is receiving an improper authentication input. ¶ [0036]. Likewise, for the reasons explained in the Response to Argument section, supra, “an unusual and/or suspicious transaction” is an improper authentication input. ¶ [0128].)

automatically informing the user of the improper authentication input via one or more modes of electronic communication; activating an additional security authentication mode requiring biometric input information; and
(See at least ¶ [0036], “a failure of [first] authentication may result not in a full denial of the transaction, but in an escalation of the challenge [additional authentication] presented to the entity taking the action.” “[T]he GSS may detect an unusual and/or suspicious transaction [first improper authentication input]. The GSS may utilize the VerifyChat feature to communicate with the user, and verify the authenticity of the originator of the purchase transaction. In various implementations, the GSS may send electronic mail message, text (SMS) messages, Facebook® messages, Twitter™ tweets, text chat, voice chat, video chat (e.g., Apple Face Time), and/or the like to communicate with the user. For example, the GSS may initiate a video challenge for the user, e.g., 2121. For example, the user may need to present him/her-self via a video chat, e.g., 2122. In some implementations, a customer service representative, e.g., agent 2124, may manually determine the authenticity of the user using the video of the user. In some implementations, the GSS may utilize face, biometric and/or like recognition ( e.g., using pattern classification techniques) to determine the identity of the user.” ¶ [0128]; Fig. 8A (security protocol escalation levels).) The user is informed of the improper authentication by the video challenge. Alternatively, wallet activity is recorded and “the device may generate a wallet activity transmission notification, e.g., 405, for the user, and present the wallet activity transmission notification for the user via a display of the device, e.g., 406.” ¶ [0042]. Alternatively, “Initiating fraud investigation procedures on behalf of the user,” ¶ [0128], also reasonably suggests, teaches, or discloses to a PHOSITA “automatically informing the user of the improper authentication input.” The video challenge is an additional security authentication mode requiring biometric information.)

applying an additional authentication request [video challenge] when the user is not verified.  
(Examiner interprets “when the user is not verified” as recited by the claims as “upon receiving an improper verification request,”
See at least ¶ [0128], “For example, the user may need to present him/her-self via a video chat, e.g., 2122. In some implementations, a customer service representative, e.g., agent 2124, may manually determine the authenticity of the user using the video of the user. In some implementations, the GSS may utilize face, biometric and/or like recognition ( e.g., using pattern classification techniques) to determine the identity of the user.” ¶ [0036].
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention, to have combined notifying the user of the improper authentication input and activating and applying an additional security authentication mode, after receiving an improper authentication input, as explained in Hammad, to the known invention of Tetali, with the motivation to reduce fraud. Hammad, ¶¶ [0031], [0036], [0048].

Regarding Claim 2, Tetali, Arora, and Hammad disclose
The system of claim 1 and the transaction initiation system as explained above.
Tetali further discloses
wherein the transaction initiation system comprises an in-person transaction.  
(See at least ¶ [0018], “During a payment transaction with a merchant registered for the payment service, the merchant initiates the transaction through a point of sale (POS) device.”)

Regarding Claim 3, Tetali, Arora, and Hammad disclose
The system of claim 1 and the transaction initiation system as explained above.
Tetali further discloses
wherein the transaction initiation system comprises an online transaction.  
(See at least ¶ [0018], “During a payment transaction with a merchant registered for the payment service, the merchant initiates the transaction through … a website ecommerce gateway that is in communication with the authentication computer device.”)

Regarding Claim 4, Tetali, Arora, and Hammad disclose
The system of claim 1 and the authorization rule as explained above.
Tetali further discloses
wherein the authorization rule comprises location data and transaction amount data.  
(See at least ¶ [0047], where “The user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above.”)

Regarding Claim 5, Tetali, Arora, and Hammad disclose
The system of claim 1 and the authorization rule as explained above.
Tetali further discloses
wherein the authorization rule comprises external third-party data relating to at least one deceitful event.  
(See at least ¶ [0065] where authentication rules comprise “issuer preferences”, and ¶ [0066], where authorization rules comprise “requester (merchant) preferences” in addition to “user preferences.” The issuer and requester preferences are third party data relating to a fraud event. ¶¶ [0002], [0003] (Issuer and requester authentication rules are related to historical fraud events in an attempt to prevent fraud). Authentication challenges during protocol escalation may include calls to third-party identification services (e.g., Idology, Experian, Accurint, 192.com, Dunn & Brad street, etc.). ¶ [0036]; ¶ 0037] (“fraud data recording” of “historical user wallet activity”).

Regarding Claim 6, Tetali, Arora, and Hammad disclose
The system of claim 1 and the authorization request as explained above.
Tetali further discloses
wherein the authentication request comprises a biometric request
(See at least ¶ [0022], describing “a fingerprint authentication challenge for payment transactions over a certain amount outside of her home town.” ¶ [0059].)

Regarding Claim 8, Tetali, Arora, and Hammad disclose
The system of claim 1 and a plurality of authentication rules as explained above.
Tetali further discloses
wherein a plurality of authentication rules is associated with each user.
(See at least Abstract, describing “rule-based preferences that define steps to be taken for authenticating the user for accessing the user account.” ¶ [0065] where authentication rules comprise “issuer preferences”, and ¶ [0066], where authorization rules comprise “requester (merchant) preferences.” User preferences are associated with a single user. Alternatively, ¶¶ [0065], [0066] describe the interplay between issuer, requester, and user preferences for authentication, each rule set associated with a user.)


Regarding Claim 9, Tetali, Arora, and Hammad disclose
The system of claim 1 and the authentication mode as explained above.
Arora further discloses
wherein the security authentication mode is determined based at least in part on artificial intelligence.
(See at least ¶ [0029], where “the online learning component can implement artificial neural networks ( e.g., recurrent neural network)”
The resolution of the remaining Graham factual inquiries to support a conclusion of obviousness that a particular known technique was recognized as part of the ordinary skill in the pertinent art is substantively the same as that presented in Claim 1 supra, and is incorporated in its entirety herein, mutatis mutandis, to support the rejection of Claim 9.

Regarding Claim 10, Tetali, Arora, and Hammad disclose 
The system of claim 1 and the instrument as explained above.
Tetali further discloses
wherein the instrument comprises a card product. 
(See at least ¶ [0068] (payment cards).)

Regarding Claim 11, Tetali discloses
A method for implementing a hierarchy of rule-based security authentication modes, the method comprising 
See at least ¶ [0004], The method includes storing, at the authentication computing device, a plurality of user preferences associated with a user account. The user preferences are rule-based preferences that define steps to be taken for authenticating the user for accessing the user account.” The “security authentication modes” are hierarchical (graded or ranked) because the “user may also set the authentication challenge required based on the type of transaction, the location, the amount of the transaction, and/or any combination of the above. ¶ [0017].
The remaining limitations of Claim 11 are not substantively different than those presented in Claim 1 and are therefore, rejected, mutatis mutandis, based on Tetali, Arora, and Hammad for the same rationale presented in Claim 1 supra.

Regarding Claims 12, 13, 14, 15, 16, 18, 19, and 20, Tetali, Arora, and Hammad disclose
The method of claim 11 as explained above. 
The remaining limitations of Claims 12, 13, 14, 15, 16, 18, 19, and 20, are not substantively different than those presented in Claims 2, 3, 4, 5, 6, 8, 9, and 10, respectively, and are therefore, rejected, mutatis mutandis, based on Tetali, Arora, and Hammad for the same rationale presented in Claims 2, 3, 4, 5, 6, 8, 9, and 10, respectively, supra.

Regarding Claim 21, Tetali, Arora, and Hammad disclose 
The system of claim 1 and verifying the user as explained above.
Tetali further discloses
wherein the verifying the user comprises applying a verification of the authentication.
(See at least ¶ [0128], “a customer service representative, e.g., agent 2124, may manually determine the authenticity of the user using the video of the user. In some implementations, the GSS may utilize face, biometric and/or like recognition (e.g., using pattern classification techniques) to determine the identity of the user. … the user may not have initiated the transaction, e.g., the transaction is fraudulent. In such implementations, the user may cancel the challenge. The GSS may then cancel the transaction, and/or initiate fraud investigation procedures on behalf of the user.” “[A]pplying a verification of the authentication” is “manually determining the authenticity of the user using the video” is not fraudulent or “determining the identity of the user” is not fraudulent.)

Regarding Claim 22, Tetali, Arora, and Hammad disclose 
The method of claim 11 and verifying the user as explained above.
The remaining limitations of Claim 2 are not substantively different than those presented in Claim 21 and are therefore, rejected, mutatis mutandis, based on Tetali, Arora, and Hammad for the same rationale presented in Claim 21 supra.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES H MILLER whose telephone number is (469)295-9082. The examiner can normally be reached M-F 9:30 - 4:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bennett M Sigmond can be reached on (303) 297-4411. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JHM/

/SCOTT C ANDERSON/Primary Examiner, Art Unit 3694                                                                                                                                                                                                        


    
        
            
        
            
        
            
    

    
        1 https://www.irs.gov/pub/irs-pdf/f8300.pdf (Rev. 8-2014)
        2 Of relevant note, the user is not required to do anything with the provided feedback/suggestions. Thus, this limitation as drafted is merely displaying in some way to a user, the provided feedback/suggestions.