Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	This action is in response to the claims filed 2/02/2021.  Claims 1-4 and 6-20 are pending.  Claims 1 (a non-transitory CRM), 11 (a method), and 17 (a machine) are independent.  Claims 1, 3, 4, 7-9, 11, 14-17 are amended.

Response to Arguments
Applicant's arguments filed 9/26/2022 have been fully considered but they are not persuasive. 
On page 9 of the remarks Applicant states: “the cited references fail to teach or suggest ‘perform a first validation action by authenticating a username and password of the user to gain access to an application on the computing device.’”
Applicant acknowledges that Shah discloses username/password authentication and, therefore, Applicant appears to argue the latter part of the limitation: “to gain access to an application on the computing device.”
This argument is not persuasive as the claimed “access” is not defined. 

Geupel discloses an initial authentication (biometric) of a user upon which further actions are conditioned, see Geupel ¶ 44.  Separately, Shah discloses a username/password authentication performed on a device, see Shah ¶¶ 227 and 88. Thus, the combination of Geupel in view of Shah reasonably discloses a client side username/password authentication on which further actions are conditioned, i.e. “the result of the smartphone's internal fingerprint comparison…. The online banking server 10 checks the user authentication data and, given a positive result, encrypts the transaction file with a symmetrical key, which is also stored on card 9, or signs the transaction file with a private key, the corresponding public key to which is stored on card 9 (step SC). The online banking server 10 sends the encrypted or signed transaction file to the mobile app 7 (step SD′). The mobile app 7 packs the transaction file into an APDU command” See Geupel ¶ 44.  
Since the further acts of the application of Geupel require an authentication of the user in ¶ 44, said authentication gains the user access to the further steps provided by the application.  Such as packing the transaction file into an APDU command.
The claims as presented describe an authentication system that solely performs authentication.  In such a system it is reasonable to interpret the “access” to be the further required authentications of the claims.
Thus, the combination of Geupel in view of Shah reasonably renders obvious the combination of features presented in the amendment filed 9/26/2022.

Examiner notes that Applicant’s disclosure outlines a particular use case in which a user must authenticate to an application in order to view a notification.  The exemplary embodiment being that of Applicant’s figure 2A where a card provider application issues a notification of potentially fraudulent activity.  The user is then able to authenticate/validate the potentially fraudulent purchase by connecting the payment card to the terminal over a short range wireless connection to allow authentication/validation of the purchase to the card provider.
The cited combination of Geupel in view of Shah does not disclose requiring authentication to view a notification.  Nor does the combination describe validating a purchase transaction.  However, the combination of Geupel in view of Shah does disclose a plurality of authentications where further acts are conditioned on passing the initial authentication. 


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 11-16 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 	
Claim 11 requires: 
“and executing the application in response to validating the username and the password”
	The conditional execution of “the application” does not appear to be disclosed in Applicant’s specification.  Also, if the application is executed in response to an authentication, then the application did not perform the authentication.  Applicant’s specification appears to solely disclose the application, or a component of the application, performing the authentication:
Applicant’s ¶ 19: “The card owner is asked to sign into an application executing on their mobile device, and to scan a physical token associated with their card (e.g., a contactless chip capable of wireless communication with the mobile device, such as NFC”
Applicant’s ¶ 69: “the user may log into the client application using any suitable means (e.g., a username/password combination, biometric authentication, etc.).”
	See also ¶¶ 81, 47.

	In summary, Applicant’s specification appears to disclose “the application” performing the username/password validation.  Applicant’s specification does not appear to disclose “the application” is executed in response to said validation.
	Note that claim 17 states “continue to execute the first application” which is analogous to the requirement of claim 1 “gain access to an application”.  Each of which requires authentication to perform some other act with the application and not to launch the application.

	Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 6-8, 11, 13-15, and 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Geupel, US 2018/0276647 (filed 2017-03), in view of Shah et al., US 2016/0087957 (filed 2014-04). 
As to claims 1, Geupel discloses a CRM comprising:
(as to the hardware of claims 11 and 17: “A suitable smartphone therein assumes the function of a debit/credit card point-of-sale terminal capable of wireless short-range data transmission (NFC).” Geupel ¶ 7)
(“transmitting initial transaction data from a web server to a display unit connected to the data network via said data network, and a01) local visual and/or acoustic displaying of the initial transaction data thereon, particularly visually displaying as bar code or QR code on a provider website” Geupel ¶ 29)
Receive, by a computing device, a request from a validation server; (“a01) local visual and/or acoustic displaying of the initial transaction data thereon, particularly visually displaying as bar code or QR code on a provider website, or a02) forwarding the initial transaction data via Google or Apple Push Notification service to the user terminal,” Geupel ¶ 29)
perform a first validation action by authenticating (“The mobile app 7 establishes a mutually authenticated encrypted TLS communication channel with the online banking server 10 and sends the user authentication data over same to the online banking server 10; i.e. the result of the smartphone's internal fingerprint comparison or PIN.” Geupel ¶ 44) … of the user to gain access to an application on the computing device, on a computing device, an identity of the user; (“The mobile app 7 displays the transaction data to the user, requesting the user to confirm the transaction within the framework of a fingerprint or PIN input” Geupel ¶ 44)
perform, by the application on the computing device, a second validation action, wherein the second validation action comprises receiving, via a short-range communication protocol, a code from a contactless card;  (“The online banking server 10 checks the user authentication data and, given a positive result… The online banking server 10 sends the encrypted or signed transaction file to the mobile app 7 (step SD′).
The mobile app 7 packs the transaction file into an APDU command without decrypting or processing it and forwards it to the card 9 via NFC (step SE′).
The card 9 receives the APDU command and decrypts the transaction file if the online banking server 10 uses symmetrical keys or respectively checks the transaction file signature if the online banking server 10 uses asymmetrical keys (step SP).
The card 9 generates a digital signature or cryptogram respectively, e.g. Message Authentication Code (MAC), for the transaction file pursuant to the common standards and transmits same in APDU format to the mobile app 7 (step SG′). Lastly, a final transaction file, which includes the transaction signature, is generated in the mobile app 7 and transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44.  See also Geupel ¶ 26)
Generate, by the application on the computing device, a validation response package … and the code retrieved from the physical token; and (“a final transaction file, which includes the transaction signature, is generated in the mobile app 7 and transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44.  Recall that the “transaction file” is generated based on checking the user’s fingerprint and on the data received over NFC in ¶ 44)
Communicate, by the application on the computing device, the response package to the validation server. (“transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44)


	Geupel does not explicitly disclose:
the request associated with a user account associated with a user
a username and password
	Identifying the user
	
	Shah discloses a multi-factor authentication system that may be used for online banking (Shah ¶ 54).  Shah discloses:
the request associated with a user account associated with a user (“The browser may communicate with the SP 104, and the communication may include a user ID that is associated with the user 107.” Shah ¶ 153. “the MFAS 106 determines the types and strengths of the authentication factors that can be performed to achieve the required assurance level. The MFAS 106 may further identify authentication agents that can perform the required authentications.” Shah ¶ 154. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58. See Figures 7A-C for an example of multi factor authentication flow.)
a username (“the user enters the OpenID URL/username. … The OpenID servlet 2002 accesses the user DB JSON file 2006 to check for the existence of the user identifier. The Multi Factor Orchestration (MFO) 1706 fetches the required user info from the JSON file 2006, including the auth factors for the user,” Shah ¶ 227. Authentication begins with entry of username for lookup of required authentication factors. See also ¶ 65) and password (“The last example listed above is a different scheme in which a password is locally requested from the user 107. A local authentication agent may authenticate the user 107 in this case, for example, by hashing the password provided by the user 107” Shah ¶ 88.)
	Identifying the user (“At 744 a, the MFAP 110 consolidates the first, second, and third authentication assertions to create a consolidated assertion for multiple authentication factors. The MFAP 110 signs the consolidated assertion. The MFAP 110 may further compute an aggregate achieved assurance level and freshness level.” Shah ¶ 159. “an assertion also contain various data representing information elements that may represent, for example: specific details of the executed multi-factor authentication, the user identity that has been authenticated, or other contextual information.” Shah ¶ 126).

	A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Geupel with Shah by associating the authentication with a user account and including data that indicates a user account in the multi factor authentication of Geupel.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to associate the authentication and associated data with a user account/identifier in order for the authentication server to know which user and user account was being authenticated. 

	As to claim 11, Geupel discloses a method comprising:
processing, by a computing device, a request from a validation server, (“a01) local visual and/or acoustic displaying of the initial transaction data thereon, particularly visually displaying as bar code or QR code on a provider website, or a02) forwarding the initial transaction data via Google or Apple Push Notification service to the user terminal,” Geupel ¶ 29)…; 
performing, by the computing device, a first validation action on the computing device, the first validation action comprising validating (“The mobile app 7 establishes a mutually authenticated encrypted TLS communication channel with the online banking server 10 and sends the user authentication data over same to the online banking server 10; i.e. the result of the smartphone's internal fingerprint comparison or PIN.” Geupel ¶ 44) … associated with the user to access an application, (“The mobile app 7 displays the transaction data to the user, requesting the user to confirm the transaction within the framework of a fingerprint or PIN input” Geupel ¶ 44) …; 
performing, by the application on the computing device, a second validation action, the second validation action comprising … to provide a physical token within a short-range communication range of the computing device, and receiving a code from the physical token based on a short-range communication protocol; (“The online banking server 10 checks the user authentication data and, given a positive result… The online banking server 10 sends the encrypted or signed transaction file to the mobile app 7 (step SD′).
The mobile app 7 packs the transaction file into an APDU command without decrypting or processing it and forwards it to the card 9 via NFC (step SE′).
The card 9 receives the APDU command and decrypts the transaction file if the online banking server 10 uses symmetrical keys or respectively checks the transaction file signature if the online banking server 10 uses asymmetrical keys (step SP).
The card 9 generates a digital signature or cryptogram respectively, e.g. Message Authentication Code (MAC), for the transaction file pursuant to the common standards and transmits same in APDU format to the mobile app 7 (step SG′). Lastly, a final transaction file, which includes the transaction signature, is generated in the mobile app 7 and transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44.  See also Geupel ¶ 26)
generating, by the application on by the computing device, a validation response package … and the code receiving from the physical token; and (“a final transaction file, which includes the transaction signature, is generated in the mobile app 7 and transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44.  Recall that the “transaction file” is generated based on checking the user’s fingerprint and on the data received over NFC in ¶ 44)
sending, by the application on by the computing device, the response package to the validation server. (“transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44)

Geupel does not disclose:
the request associated with a user account associated with a user 
a username and a password
and executing the application in response to validating the username and the password
presenting a prompt
identifying the user

Shah discloses:
the request associated with a user account associated with a user (“The browser may communicate with the SP 104, and the communication may include a user ID that is associated with the user 107.” Shah ¶ 153. “the MFAS 106 determines the types and strengths of the authentication factors that can be performed to achieve the required assurance level. The MFAS 106 may further identify authentication agents that can perform the required authentications.” Shah ¶ 154. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58. See Figures 7A-C for an example of multi factor authentication flow.)
a username (“the user enters the OpenID URL/username. … The OpenID servlet 2002 accesses the user DB JSON file 2006 to check for the existence of the user identifier. The Multi Factor Orchestration (MFO) 1706 fetches the required user info from the JSON file 2006, including the auth factors for the user,” Shah ¶ 227. Authentication begins with entry of username for lookup of required authentication factors. See also ¶ 65) and password (“The last example listed above is a different scheme in which a password is locally requested from the user 107. A local authentication agent may authenticate the user 107 in this case, for example, by hashing the password provided by the user 107” Shah ¶ 88.)
and executing the application in response to validating the username and the password (“The application 2500 includes one or more activities that can be launched as authentication factors by a main activity 2502. The one or more activities include a Sim Auth activity 2504, a Smart OpenID activity 2506, and a Biokey activity 2508. Each of the activities 2504, 2506, and 2508 can also be referred to as authentication factor activities.” Shah ¶ 232. Launching an authentication factor component in response to completion of the previous factor as in Shah figures 26)
presenting a prompt (“prompts the user” Shah ¶¶ 243 and 245)
identifying the user (“At 744 a, the MFAP 110 consolidates the first, second, and third authentication assertions to create a consolidated assertion for multiple authentication factors. The MFAP 110 signs the consolidated assertion. The MFAP 110 may further compute an aggregate achieved assurance level and freshness level.” Shah ¶ 159. “an assertion also contain various data representing information elements that may represent, for example: specific details of the executed multi-factor authentication, the user identity that has been authenticated, or other contextual information.” Shah ¶ 126).

	A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Geupel with Shah by associating the authentication with a user account and including data that indicates a user account in the multi factor authentication of Geupel for determination of a local password authentication.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to associate the authentication and associated data with a user account/identifier in order for the authentication server to know which user and user account was being authenticated and whether to require local password authentication. 

	As to claim 17, Geupel discloses a machine comprising:
a memory storing instructions for one or more applications; and a hardware processor circuit configured to execute the instructions to: (as to the hardware of claims 11 and 17: “A suitable smartphone therein assumes the function of a debit/credit card point-of-sale terminal capable of wireless short-range data transmission (NFC).” Geupel ¶ 7)
receive, by a first application of the one or more applications, a request from a validation server,…; (“a01) local visual and/or acoustic displaying of the initial transaction data thereon, particularly visually displaying as bar code or QR code on a provider website, or a02) forwarding the initial transaction data via Google or Apple Push Notification service to the user terminal,” Geupel ¶ 29)
perform, by the first application of the one or more applications a first validation action on a computing device based on an identity of the user, the first validation action comprising the processor to validate (“The mobile app 7 establishes a mutually authenticated encrypted TLS communication channel with the online banking server 10 and sends the user authentication data over same to the online banking server 10; i.e. the result of the smartphone's internal fingerprint comparison or PIN.” Geupel ¶ 44)    … of the user …; (“The mobile app 7 displays the transaction data to the user, requesting the user to confirm the transaction within the framework of a fingerprint or PIN input” Geupel ¶ 44)
perform, by the first application, a second validation action by … to provide a physical token within a short-range communication range of the computing device, and scanning a code from the physical token based on a short-range communication protocol; ;  (“The online banking server 10 checks the user authentication data and, given a positive result… The online banking server 10 sends the encrypted or signed transaction file to the mobile app 7 (step SD′).
The mobile app 7 packs the transaction file into an APDU command without decrypting or processing it and forwards it to the card 9 via NFC (step SE′).
The card 9 receives the APDU command and decrypts the transaction file if the online banking server 10 uses symmetrical keys or respectively checks the transaction file signature if the online banking server 10 uses asymmetrical keys (step SP).
The card 9 generates a digital signature or cryptogram respectively, e.g. Message Authentication Code (MAC), for the transaction file pursuant to the common standards and transmits same in APDU format to the mobile app 7 (step SG′). Lastly, a final transaction file, which includes the transaction signature, is generated in the mobile app 7 and transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44.  See also Geupel ¶ 26)
generate, by the first application, a validation response package … and the code retrieved from the physical token; (“a final transaction file, which includes the transaction signature, is generated in the mobile app 7 and transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44.  Recall that the “transaction file” is generated based on checking the user’s fingerprint and on the data received over NFC in ¶ 44)
and send, by the first application, the response package to the validation server. (“transmitted to the online banking server 10 (step SH′).” Geupel ¶ 44)

	Geupel does not disclose:
the request associated with a user account associated with a user 
a username and a password
to continue to execute the first application
presenting a prompt
identifying the user

	Shah disclose:
the request associated with a user account associated with a user (“The browser may communicate with the SP 104, and the communication may include a user ID that is associated with the user 107.” Shah ¶ 153. “the MFAS 106 determines the types and strengths of the authentication factors that can be performed to achieve the required assurance level. The MFAS 106 may further identify authentication agents that can perform the required authentications.” Shah ¶ 154. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58. See Figures 7A-C for an example of multi factor authentication flow.)
a username (“the user enters the OpenID URL/username. … The OpenID servlet 2002 accesses the user DB JSON file 2006 to check for the existence of the user identifier. The Multi Factor Orchestration (MFO) 1706 fetches the required user info from the JSON file 2006, including the auth factors for the user,” Shah ¶ 227. Authentication begins with entry of username for lookup of required authentication factors. See also ¶ 65) and password (“The last example listed above is a different scheme in which a password is locally requested from the user 107. A local authentication agent may authenticate the user 107 in this case, for example, by hashing the password provided by the user 107” Shah ¶ 88.)
to continue to execute the first application (“The application 2500 includes one or more activities that can be launched as authentication factors by a main activity 2502. The one or more activities include a Sim Auth activity 2504, a Smart OpenID activity 2506, and a Biokey activity 2508. Each of the activities 2504, 2506, and 2508 can also be referred to as authentication factor activities.” Shah ¶ 232. Continuing to execute the various authentication factor components in response to completion of the previous factor as in Shah figures 26)
presenting a prompt (“prompts the user” Shah ¶¶ 243 and 245)
identifying the user (“At 744 a, the MFAP 110 consolidates the first, second, and third authentication assertions to create a consolidated assertion for multiple authentication factors. The MFAP 110 signs the consolidated assertion. The MFAP 110 may further compute an aggregate achieved assurance level and freshness level.” Shah ¶ 159. “an assertion also contain various data representing information elements that may represent, for example: specific details of the executed multi-factor authentication, the user identity that has been authenticated, or other contextual information.” Shah ¶ 126).

	A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Geupel with Shah by associating the authentication with a user account and including data that indicates a user account in the multi factor authentication of Geupel for determination of a local password authentication.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to associate the authentication and associated data with a user account/identifier in order for the authentication server to know which user and user account was being authenticated and whether to require local password authentication. 



	As to claim 2, Geupel in view of Shah discloses the CRM of claim 1 and further discloses:
wherein the short-range communication protocol is a near field communication (NFC) protocol. (“The mobile app 7 packs the transaction file into an APDU command without decrypting or processing it and forwards it to the card 9 via NFC (step SE′).
…
The card 9 generates a digital signature or cryptogram respectively, e.g. Message Authentication Code (MAC), for the transaction file pursuant to the common standards and transmits same in APDU format to the mobile app 7 (step SG′).” Geupel ¶ 44.  See also Geupel ¶ 26)

As to claim 4 Geupel in view of Shah discloses the CRM of claim 1 and further discloses:
wherein the contactless card comprising, a debit card, a rewards card, or a credit card. (“By linking NFC-enabled debit and credit cards to a customer's NFC-enabled terminal (smartphone) … It realizes a simple method for activating a signature function on bank cards for authorizing money transfers.” Geupel ¶ 17)

As to claims 6 and 13 Geupel in view of Shah discloses the CRM/method of claims 1 and 11 and further discloses:
further storing instructions to cause the processor to receive and process an escalated validation request, the escalated validation request comprising a requested validation action. (Escalation being the performance of a plurality of authentications – multi-factor authentication: “the MFAS 106 determines the types and strengths of the authentication factors that can be performed to achieve the required assurance level. The MFAS 106 may further identify authentication agents that can perform the required authentications.” Shah ¶ 154. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58. See Figures 7A-C for an example of multi factor authentication flow.)

As to claims 7, 14, and 18 Geupel in view of Shah discloses the CRM/method/machine of claims 6, 13, and 17 but does not disclose:
wherein the requested validation action comprises a request to provide a security question, and the medium further storing instructions to cause the processor to: present, vai the application and on a display of the computing device, the security question; receive, by the application, a response to the security question; and communicate, by the application, the response to the validation server.

Shah further discloses:
wherein the requested validation action comprises a request to provide a security question, and the medium further storing instructions to cause the processor to: present, via the application and on a display of the computing device, the security question; 
 (“a banking application may request a high assurance level…. the IdP may perform a challenge-response protocol to increase the assurance level to the desired level, at the cost of inconvenience to the user. It is inconvenient to the user because the user may have to answer security questions so that the user is further verified (e.g., What is your mother's maiden name? What is the name of your first pet? Where were you born? etc.).” Shah ¶ 123) receive, by the application, a response to the security question; and communicate, by the application, the response to the validation server. (“The authentication carried out at 728 may involve a number of round-trip messaging, which may also include Challenge-Response messages, for example. An assertion, such as a first assertion for example, may be generated by the first authentication server 706 a upon a successful authentication.” Shah ¶ 155.  Authenticating a client via question based challenge response at a server.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Geupel in view of Shah with Shah by determining and performing sufficient authentications to achieve a desired assurance level.  A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Geupel in view of Shah with Shah in order to provide for increased security for sensitive operations, Shah ¶ 123, by obtaining a required assurance level, Shah ¶ 154.


As to claims 8, 15, and 19 Geupel in view of Shah discloses the CRM/method/machine of claims 6, 14, and 17 and further discloses:
wherein the requested validation action (“the MFAS 106 determines the types and strengths of the authentication factors that can be performed to achieve the required assurance level. The MFAS 106 may further identify authentication agents that can perform the required authentications.” Shah ¶ 154.) comprises a request to provide a biometric input, and the medium further storing instructions to cause the processor to: receive, by the application and via a biometric device of the computing device, the biometric input; (“The mobile app 7 displays the transaction data to the user, requesting the user to confirm the transaction within the framework of a fingerprint or PIN input” Geupel ¶ 44)

Geupel in view of Shah does not disclose:
and communicate, by the application, the biometric input to the validation server.

Shah further discloses:
and transmit the biometric input to the validation server. (“the first authentication server 706 a may carry out an authentication. The authentication may also require input from the user 107. For example, the authentication may comprise an authentication of the user of the browser 704 (e.g., a biometric of the user)” Shah ¶ 155. “the authentication factors can be performed locally or they can be split such that some factors are performed locally on the UE 102 and others are performed on the IdP 106.” Shah ¶ 58. See Figures 7A-C for an example of multi factor authentication flow.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Geupel in view of Shah with Shah by performing a biometric authentication at an authentication server, i.e. the biometric authentication of Geupel or an additional biometric.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Geupel in view of Shah with Shah in order to provide for increased security for sensitive operations, Shah ¶ 123, by obtaining a required assurance level, Shah ¶ 154.

Claims 3 and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Geupel, US 2018/0276647 (filed 2017-03), in view of Shah et al., US 2016/0087957 (filed 2014-04), and Hammad et al., US 2012/0018506 (filed 2011-05). 
As to claims 3, 12 Geupel in view of Shah discloses the CRM/method of claim 1 and 11 but does not disclose:
wherein the code is a counter stored on the physical token that is incremented each time the code is read from the contactless card.

Hammad discloses: 
wherein the code is a counter stored on the contactless card (“Portable consumer devices encompass credit cards, charge cards, debit cards, bank cards” Hammad ¶ 33) that is incremented each time the code is read from the physical token. (“The variable datum may comprise, or may be accompanied by, a counter value that indicates the number of times the portable consumer device has generated the variable datum; the counter value may assist the authorization entity in retrieving the variable datum from the entity's computer-readable medium, or in generating the variable datum from the algorithm.” Hammad ¶ 34. “The counter reduces the chances of a fraudster guessing the cryptogram value.” Hammad ¶ 61. See also Hammad ¶ 112)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Geupel in view of Shah with Hammad by providing a counter value in the transaction file and transaction signature of Geupel.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Geupel in view of Shah with Hammad in order to use an incremented counter value to reduce the change of a fraudster guessing the value of the signature of Geupel, Hammad ¶ 61. 

Claims 9, 10, 16, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Geupel, US 2018/0276647 (filed 2017-03), in view of Shah et al., US 2016/0087957 (filed 2014-04), and Drolshagen et al., US 2017/0019400 (filed 2015-06). 
As to claims 9, 16, and 20 Geupel in view of Shah discloses the CRM/method/machine of claims 6, 14, and 17 but does not disclose:
wherein the requested validation action comprises a request to provide a photograph, and the medium further storing instructions to cause the processor to: receive, by the application, the photograph from a camera of the computing device; generate a response to the escalated validation request, the response including the photograph; and communicate, by the application the response to the validation server.

Drolshagen discloses:
wherein the requested validation action comprises a request to provide a photograph, and the medium further storing instructions to cause the processor to: (“First, the User is instructed to take a picture or a short video of him/her with their mobile device (“User photo”). The User can be allowed to repeat this process until the User is satisfied with the image. The User is then given a limited number of minutes to take a photograph of their government identification card” Drolshagen ¶ 21) 
receive the photograph from a camera of the computing device; (“The User is then given a limited number of minutes to take a photograph of their government identification card (“ID Card photo”), such as, for example, a driver's license, a state ID card, a passport, a school ID, or any such identification device, which has a photograph of the User.” Drolshagen ¶ 21)
generate a response to the escalated validation request, the response including the photograph; and (“A verification engine on the server 105 isolates the User's image from the ID (“ID photo”) and isolates personal data from the text and/or bar code on the ID.” Drolshagen ¶ 64)
transmit the response to the validation server. (see Drolshagen Fig. 2, transmitting the picture to the server for validation: “A verification engine on the server 105 isolates the User's image from the ID (“ID photo”) and isolates personal data from the text and/or bar code on the ID.” Drolshagen ¶ 64. See Drolshagen Fig. 7 showing images being sent to server.).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Geupel in view of Shah with Drolshagen by performing an authentication using a drivers license and facial image of the user.  It would have been obvious to a person of ordinary skill in the art to combine Geupel in view of Shah with Drolshagen in order to confirm the liveliness of the user, i.e. not a spoofed biometric, Drolshagen ¶ 65. 

As to claim 10 Geupel in view of Shah and Drolshagen discloses the CRM of claim 9 and further discloses:
wherein the photograph is a picture of an identification associated with the user. (“The User is then given a limited number of minutes to take a photograph of their government identification card (“ID Card photo”), such as, for example, a driver's license, a state ID card, a passport, a school ID, or any such identification device, which has a photograph of the User.” Drolshagen ¶ 21)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Matthews et al., US 11,410,160 disclosing authenticating an online transaction using a separate device.
Grigg et al., US 2015/0227724, discloses varying levels of authentication based on which banking function is attempted.
		

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/Examiner, Art Unit 2492