DETAILED ACTION
Acknowledgements
This Office Action is in reply to Applicant’s original application filed 29 January 2021.  
Claims 1–20 are currently pending and have been examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 U.S.C. § 101
35 U.S.C. § 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1–20 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to an abstract idea without significantly more.  
Step 1
Each of claims 1–20 falls within one of the four statutory categories. See MPEP § 2106.03. For example, and each of claims 1–7 falls within category of process; each of claims 8–14 falls within category of machine, i.e., a “concrete thing, consisting of parts, or of certain devices and combination of devices.” Digitech, 758 F.3d at 1348–49, 111 USPQ2d at 1719 (quoting Burr v. Duryee, 68 U.S. 531, 570, 17 L. Ed. 650, 657 (1863)); and each of claims 15–20 is directed to a “computer-readable medium” and therefore falls within category of manufacture.1
Step 2A – Prong 1
Exemplary claim 1 is directed to an abstract idea of managing authentication of a consumer or card holder. Under the broadest reasonable interpretation, the Examiner interprets “transmitting” as communicating. 
The abstract idea is set forth or described by the following italicized limitations: 
1. An enhanced 3D Secure user authentication process, comprising: 
transmitting, by a consumer device processor of a consumer device running a Web Authentication application programming interface (API), a request to a relying party device during a transaction requesting use of an enhanced 3D Secure authentication service; 
receiving, by the consumer device processor from the relying party device, a request to authenticate a consumer by using a specific customer verification method (CVM); 
prompting, by the consumer device processor running the Web Authentication API, the consumer to provide input in accordance with the CVM; 
receiving, by the consumer device processor from an authenticator of the consumer device, input data in accordance with the CVM; 
verifying, by the consumer device processor, the consumer based on the input data; 
generating, by the consumer device processor running the Web Authentication API, an authentication data package; and
transmitting, by the consumer device processor via the Web Authentication API to the relying party device, the authentication data package for processing and forwarding to a 3D Requestor environment.
The italicized limitations above represent certain methods of organizing human activity and/or a mental process (i.e., a process that can be performed mentally and/or with pen and paper). Therefore, the italicized limitations fall within the subject matter groupings of abstract ideas enumerated in Section I of the 2019 Revised Patent Subject Matter Eligibility Guidance.
For example, the limitation “transmitting … a request to a relying party … during a transaction requesting use of an enhanced … authentication service” is a commercial interaction and/or a sales activity. 
For example, the limitation “receiving, by the consumer … from the relying party …, a request to authenticate a consumer by using a specific customer verification method (CVM)” is managing relationships or interactions between people, a sales activity, and/or a commercial interaction. 
For example, the limitation “prompting … the consumer to provide input in accordance with the CVM” is managing relationships or interactions between people, a sales activity, and/or a commercial interaction. 
For example, the limitation “receiving … input data in accordance with the CVM” is a sales activity or commercial interaction.
For example, the limitation “verifying … the consumer based on the input data” is a fundamental economic practice, a sales activity, managing interactions between people, and/or a mental process.
For example, the limitation “generating, , an authentication data package” is a fundamental economic practice, a sales activity, and/or managing interactions between people.
For example, the limitation “transmitting … the authentication data package …” is a fundamental economic practice, a sales activity, and/or managing interactions between people.
Step 2A – Prong 2
Claim 1 does not include additional elements (when considered individually, as an ordered combination, and/or within the claim as a whole) that are sufficient to integrate the abstract idea into a practical application. The additional elements are represented by the following underlined limitations: 
1. An enhanced 3D Secure user authentication process, comprising: 
transmitting, by a consumer device processor of a consumer device running a Web Authentication application programming interface (API), a request to a relying party device during a transaction requesting use of an enhanced 3D Secure authentication service; 
receiving, by the consumer device processor from the relying party device, a request to authenticate a consumer by using a specific customer verification method (CVM); 
prompting, by the consumer device processor running the Web Authentication API, the consumer to provide input in accordance with the CVM; 
receiving, by the consumer device processor from an authenticator of the consumer device, input data in accordance with the CVM; 
verifying, by the consumer device processor, the consumer based on the input data; 
generating, by the consumer device processor running the Web Authentication API, an authentication data package; and
transmitting, by the consumer device processor via the Web Authentication API to the relying party device, the authentication data package for processing and forwarding to a 3D Requestor environment.
The first additional element is “3D Secure,” which is recited in at least the preamble. This element appears to be an adjective to the “user authentication process” and generally link the use of the abstract idea to a particular technological environment. Therefore, this element individually does not provide a practical application.
The second additional element is “by a consumer device processor of a consumer device running a Web Authentication application programming interface (API).” This element appears to limit the “transmitting …” to be performed, at least in-part, by use of a computer running software. This element amounts to mere instructions to implement the abstract idea on a computer and/or mere use of a generic computer component as a tool to perform the abstract idea. Therefore, this element individually does not provide a practical application. 
The third additional element is “device.” This element appears to limit the “relying party” to be performed, at least in-part, by use of a computer. This element amounts to mere use of a generic computer component as a tool to perform the abstract idea. Therefore, this element individually does not provide a practical application. 
The fourth additional element is “by the consumer device processor from the relying party device.” This element appears to limit the “receiving …” to be performed, at least in-part, through a network communication between two computers. This element amounts to mere instructions to implement the abstract idea on a computer and/or mere use of a generic computer component as a tool to perform the abstract idea. Therefore, this element individually does not provide a practical application. 
The fifth additional element is “by the consumer device processor running the Web Authentication API.” This element appears to limit the “prompting …” to be performed, at least in-part, by use of a computer equipped with software. This element amounts to mere instructions to implement the abstract idea on a computer and/or mere use of a generic computer component as a tool to perform the abstract idea. Therefore, this element individually does not provide a practical application. 
The sixth additional element is “by the consumer device processor from an authenticator of the consumer device.” This element appears to limit the “receiving …” to be performed by use of computer hardware and/or software. This element amounts to mere instructions to implement the abstract idea on a computer and/or mere use of a generic computer component as a tool to perform the abstract idea. Therefore, this element individually does not provide a practical application. 
The seventh additional element is “by the consumer device processor.” This element appears to limit the “verifying …” to be performed by a computer. This element amounts to mere instructions to implement the abstract idea on a computer and/or mere use of a generic computer component as a tool to perform the abstract idea. Therefore, this element individually does not provide a practical application. 
The eighth additional element is “by the consumer device processor running the Web Authentication API.” This element appears to limit the “generating …” to be performed, at least in-part, by use of a computer equipped with software. This element amounts to mere instructions to implement the abstract idea on a computer and/or mere use of a generic computer component as a tool to perform the abstract idea. Therefore, this element individually does not provide a practical application. 
The ninth additional element is “by the consumer device processor via the Web Authentication API to the relying party device.” This element appears to limit the “transmitting …” to be performed, at least in-part, through a network communication between two computers. This element amounts to mere instructions to implement the abstract idea on a computer and/or mere use of a generic computer component as a tool to perform the abstract idea. Therefore, this element individually does not provide a practical application. 
The tenth additional element is “for processing and forwarding to a 3D Requestor environment.” This element is an intended result and is therefore not given patentable weight. 
In view of the above, the ten “additional elements” individually do not provide a practical application of the abstract idea. Furthermore, the ten “additional elements” in combination amount to a plurality of devices each with software, where such computers and software amount to mere instructions to implement the abstract idea on a computer(s) and/or mere use of a generic computer component(s) as a tool to perform the abstract idea. Therefore, these elements in combination do not provide a practical application. The combination of additional elements does no more than generally link the use of the abstract idea to a particular technological environment, i.e., an environment of computer hardware/software in communication with one another (a network of computing devices), and for this additional reason, the combination of additional elements does not provide a practical application of the abstract idea.
Step 2B
Claim 1 does not include additional elements, when considered individually and as an ordered combination, that are sufficient to amount to significantly more than the abstract idea. The reasons for reaching this conclusion are substantially the same as the reasons given above in § Step 2A – Prong 2. For brevity only, those reasons are not repeated in this section.
Dependent Claims 1–7
Dependent claims 1–7 fail to cure this deficiency of independent claim 1 (set forth above) and are rejected accordingly. Particularly, claims 1–7 recite limitations that represent (in addition to the limitations already noted above) either the abstract idea or an additional element that is merely extra-solution activity, mere use of instructions and/or generic computer component(s) as a tool to implement the abstract idea, and/or merely limits the abstract idea to a particular technological environment. For example, claim 6 recites “downloading … the [software],” which is merely pre-solution activity, that is not done in an unconventional way. In fact, the Examiner takes Official Notice that downloading software is old and well-known in this art. Furthermore, “downloading … [software]” can be viewed as generally linking the idea to a particular technological environment, e.g., at least in part to providing software to implement the abstract idea. Other limitations of claim 6, e.g., generating keys, are directed to a mathematical concept.
Claims 8–20
Claims 8–20 contain language similar to claims 1–7 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 8–20 are also rejected under 35 U.S.C. § 101.  
Claim Rejections - 35 U.S.C. § 103
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1–3, 5, 8–10, 12, 15–18, and 20 are rejected under 35 U.S.C. § 103 as being unpatentable over Kamal et al. (US 2017/0061441 A1) (“Kamal”), in view of Mehta et al. (US 2017/0357957 A1) (“Mehta”).
As per claim 1, Kamal discloses an enhanced 3D Secure user authentication process, comprising: 

receiving, by the consumer device processor from the relying party device, a request to authenticate a consumer by using a specific customer verification method (CVM) ([0040]); 
prompting, by the consumer device processor running the Web Authentication API, the consumer to provide input in accordance with the CVM ([0041]); 
receiving, by the consumer device processor from an authenticator of the consumer device, input data in accordance with the CVM ([0042]); 
verifying, by the consumer device processor, the consumer based on the input data ([0042]); 
generating, by the consumer device processor running the Web Authentication API, an authentication data package ([0042]); and 
transmitting, by the consumer device processor via the Web Authentication API to the relying party device, the authentication data package for processing and forwarding to a 3D Requestor environment ([0042]).
Kamal does not expressly disclose transmitting, by a consumer device processor of a consumer device running a Web Authentication application programming interface (API), a request to a relying party device during a transaction requesting use of an enhanced 3D Secure authentication service.
Mehta teaches transmitting, by a consumer device processor of a consumer device, a request to a relying party device during a transaction requesting use of an enhanced 3D Secure authentication service ([0071]).
Therefore, it would have been obvious to a person having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify process of Kamal to include the request of Mehta in order to effect authentication desired by the user. 
As per claim 2, Kamal/Mehta teach the method of claim 1, wherein generating the authentication data package comprises assembling, by the consumer device processor, credential information data (Kamal, [0042], e.g., “signature” suggests assembly of key information, i.e., a credential) and assertion data (Kamal, [0042], e.g., “result of the authentication process”).
As per claim 3, Kamal/Mehta teach the method of claim 2, further comprising, prior to transmitting the authentication data package to the relying party device, signing, by the consumer device processor, the authentication data package (Kamal, [0042]). 
As per claim 5, Kamal/Mehta teach the method of claim 1, further comprising, prior to transmitting the request to a relying party device requesting use of an enhanced 3D Secure authentication service, registering, by the consumer of the consumer mobile device, to participate in an enhanced 3D Secure service (Kamal, [0030]).
Claims 8–10, 12, 15–18, and 20 contain language similar to claims 1–3 and 5 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 8–10, 12, 15–18, and 20 are also rejected under 35 U.S.C. § 103 as unpatentable over the cited references.
Claims 4 and 11 are rejected under 35 U.S.C. § 103 as being unpatentable over Kamal and Mehta, in view of Yossi et al. (GB 2511813 A) (“Yossi”).
As per claim 4, Kamal/Mehta teach the method of claim 3, further comprising: receiving, by the relying party device, the signed authentication package (Kamal, [0042]), but does not expressly teach transmitting, by the relying party device running a relying party Web client to a 3D Server computer of a Requestor environment, the singed authentication package, wherein the signed authentication package is stored for use in future consumer transactions.
Yossi teaches transmitting, by a relying party device, a singed authentication package, wherein the signed authentication package is stored for use in future consumer transactions (page 43, lines 22–29).
Therefore, it would have been obvious to a person having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify process of Kamal to include the transmission/storage of the authentication package for future use to protect against replay attacks. 
Claim 11 contains language similar to claim 4 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claim 11 is also rejected under 35 U.S.C. § 103 as unpatentable over the cited references.
Allowable Subject Matter
Claims 6–7, 13–14, and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB C. COPPOLA whose telephone number is (571)270-3922. The examiner can normally be reached Monday-Friday 8:00-6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571) 272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JACOB C. COPPOLA/Primary Examiner, Art Unit 3685                                                                                                                                                                                                        


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Applicant’s specification defines “computer-readable medium” as “any non-transitory storage medium that participates in providing data (for example, computer executable instructions or processor executable instructions) that may be read by a computer, a processor, a mobile device processor or controller, or a like device” (page 5, lines 12–15).