Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 13-15, 17, 23, 26, and 29 have been amended. Claims 13-32 have been examined.

Response to Arguments
2.	Applicant’s arguments with respect to claims 13 and 23 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Objections
3.	Claim 23 is objected to because of the following informalities:
In lines 2 and 4 of claim 23 there are two separate instances of “a first entity”.
Appropriate correction is required.

4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

5.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.


Claim Rejections - 35 USC § 103
6.	Claims 13, 15-18, 21, 23, 25, 27 and 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over Sprague et al. (U.S. Patent Application Publication 2015/0089568; hereafter “Sprague”), and further in view of Arnald et al. (U.S. Patent Application Publication 2014/0324654; hereafter “Arnald”) and further in view of Sharma et al. (U.S. Patent Application Publication 2013/0087620; hereafter “Sharma”), and further in view of Kayyidavazhiyil et al. (U.S. Patent 9,805,182; hereafter “Kayyidavazhiyil”).
	For claim 13, Sprague teaches a method for authorizing access by a user to a digital asset of a first entity (note paragraph [0078], third party service providers 192), comprising:
	storing a unique, unchanging hardware identifier indicative of a mobile device of the user in a database of a second entity (note paragraphs [0114]-[0115] and [0119], MAC address of user mobile device is stored by identity server 190) that is independent from the first entity and the mobile device (note paragraph [0079] and Fig. 1D, identity server 190 is independent of relying party third party service provider 192 and user mobile device 150);
	the first entity thereafter prompting the user (note paragraph [0081], step 186, third party service provider 192 may prompt user to provide additional context information for a higher trust score) to read the authentication key of the authentication tag applied to the physical object with the mobile device to generate scanned key data (note paragraphs [0094] and [0103], additional trust score context verification tests include scanning and decoding a QR code); and
	determining if the scanned key data read by the mobile device matches [the key data stored in the database of the second entity], and allowing access by the user to the digital asset only if the scanned key data read by the mobile device matches [the key data stored in the database of the second entity] (note paragraph [0082], [0103] and [0128], a device ID and context verification factor, e.g. QR code scan, are aggregated into a trust score which if it is high enough, will allow access to the third party service provider digital asset).

	Sprague differs from the claimed invention in that they fail to teach:
	storing key data from an authentication key of an authentication tag in the database of the second entity, the authentication key uniquely identifying the user;
	applying the authentication tag to a physical and authorizing only the mobile device having the unique, unchanging hardware identifier to read the authentication key of the authentication tag

	Arnald teaches:
	storing key data from an authentication key of an authentication tag in the database of the second entity (note paragraphs [0025]-[0026], service provider stores file which includes identification cardholder data ID), the authentication key uniquely identifying the user (note paragraph [0015], data is unique for identifying cardholder);
	applying the authentication tag to a physical (note paragraph [0028], barcode comprising identification cardholder ID is applied to banking card) and authorizing only the mobile device having the unique, unchanging hardware identifier to read the authentication key of the authentication tag (note paragraphs [0029] and [0033], scanned identification cardholder data ID and device ID are compared with stored data as part of user authentication)

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the user device ID and scanning a barcode for device authentication of Sprague and the storing barcode identification information and device ID for authentication of Arnald. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of a authentication a user making a request for a website that requires the user device ID and scanning a QR code (Sprague) where the ID information stored in the barcode and the user device ID are stored by the provider for use in the authentication request (Arnald).


	The combination of Sprague and Arnald differs from the claimed invention in that they fail to teach:
	the authentication key including a first dataset comprised of a random distribution of three-dimensional elements and a second dataset comprised of machine-readable data elements

	Sharma teaches:
	storing key data from an authentication key of an authentication tag in the database of the second entity (note paragraph [0029], pattern signature is stored in database), the authentication key (note paragraphs [0030]-[0031], authentication of object) including a first dataset comprised of a random distribution of three-dimensional elements (note paragraph [0029], step 100 random distribution of three-dimensional elements on label) and a second dataset comprised of machine-readable data elements (note paragraph [0029], step 106, two-dimensional symbol encoded with address)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine combination of Sprague and Arnald and the label with two datasets of Sharma. It would have been obvious because a simple substitution of one known element (label with random 3D elements and 2D address code of Sharma) for another (card with barcode of the combination of Sprague and Arnald) would yield the predictable results of a card with a barcode used for user login (the combination of Sprague and Arnald) that has a label containing random 3D elements and a 2D code used as address (Sharma) where the user scans the label and sends the scan with their device ID for authentication.


	The combination of Sprague, Arnald and Sharma differs from the claimed invention in that they fail to teach:
	reading a session identification code provided by the first entity using the mobile device in response to the user requesting access to the digital asset

	Kayyidavazhiyil teaches:
	reading a session identification code provided by the first entity using the mobile device (note column 6, lines 25-33, user scans pattern and extracts session identifier) in response to the user requesting access to the digital asset (note column 6, lines 8-18, server returns bar code encoded with session identifier), the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data (note column 6, lines 25-39, user to prompted to generate authentication key);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald and Sharma and the authentication session identifier of Kayyidavazhiyil to form a system that generates a session identification code (Kayyidavazhiyil) which prompts the user to create an authentication key message generated by scanning a membership card (Sprague and Arnald). One of ordinary skill would have been motivated to combine Sprague, Arnald, Sharma and Kayyidavazhiyil because it would allow the server to avoid confusing one authentication session with another and prevent a fraudster from gaining access to the protected resource by trying to time an access attempt with the access attempt of a legitimate user (note column 7, lines 10-20 of Kayyidavazhiyil).


	For claim 23, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil teaches a system for authorizing access by a user to a digital asset of a first entity (note paragraph [0078] of Sprague, third party service providers 192), the user retaining a mobile device with a unique, unchanging hardware identifier (note paragraphs [0114]-[0115] and [0119] of Sprague, MAC address of user mobile device), comprising:
	a first entity possessing the digital asset (note paragraph [0078] of Sprague, third party service providers 192);
	a second entity independent from the first entity and the mobile device (note paragraph [0079] and Fig. 1D of Sprague, identity server 190 is independent of relying party third party service provider 192 and user mobile device 150) that stores both the unique, unchanging hardware identifier of the mobile device (note paragraphs [0114]-[0115] and [0119] of Sprague, MAC address of user mobile device is stored by identity server 190) and the key data from an authentication key of an authentication tag in a database (note paragraphs [0025]-[0026] of Arnald, service provider stores file which includes identification cardholder data ID and mobile device ID), the authentication key including a first dataset comprised of a random distribution of three-dimensional elements (note paragraph [0029] of Sharma, step 100 random distribution of three-dimensional elements on label) and a second dataset comprised of machine-readable data elements (note paragraph [0029] of Sharma, step 106, two-dimensional symbol encoded with address), the authentication key uniquely identifying the user (note paragraph [0015] of Arnald, data is unique for identifying cardholder);
	a physical object having the authentication tag with the authentication key (note paragraph [0028] of Arnald, barcode comprising identification cardholder ID is applied to banking card), the authentication key capable of only being read by the mobile device having the unique, unchanging hardware identifier (note paragraphs [0029] and [0033] of Arnald, scanned identification cardholder data ID and device ID are compared with stored data as part of user authentication); and
	a computing device independent from the mobile device (note column 5, lines 48-50 of Kayyidavazhiyil, client device; paragraph [0080] and Fig. 1D of Sprague, additional user context), a display of the computing device displaying a session identification code provided by the first entity in response to the user requesting access to the digital asset through the computing device (note column 6, lines 8-18 of Kayyidavazhiyil, server returns bar code encoded with session identifier), the first entity prompting the user to read the authentication key with the mobile device to generate scanned key data (note paragraph [0081] of Sprague, step 186, third party service provider 192 may prompt user to provide additional context information for a higher trust score) upon the mobile device reading the session identification code displayed on the display (note column 6, lines 25-39 of Kayyidavazhiyil, user to prompted to generate authentication key), the first entity allowing access by the user to the digital asset only if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note paragraph [0082], [0103] and [0128] of Sprague, a device ID and context verification factor, e.g. QR code scan, are aggregated into a trust score which if it is high enough, will allow access to the third party service provider digital asset).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the user device ID and scanning a barcode for device authentication of Sprague and the storing barcode identification information and device ID for authentication of Arnald. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of a authentication a user making a request for a website that requires the user device ID and scanning a QR code (Sprague) where the ID information stored in the barcode and the user device ID are stored by the provider for use in the authentication request (Arnald).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine combination of Sprague and Arnald and the label with two datasets of Sharma. It would have been obvious because a simple substitution of one known element (label with random 3D elements and 2D address code of Sharma) for another (card with barcode of the combination of Sprague and Arnald) would yield the predictable results of a card with a barcode used for user login (the combination of Sprague and Arnald) that has a label containing random 3D elements and a 2D code used as address (Sharma) where the user scans the label and sends the scan with their device ID for authentication.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald and Sharma and the authentication session identifier of Kayyidavazhiyil to form a system that generates a session identification code (Kayyidavazhiyil) which prompts the user to create an authentication key message generated by scanning a membership card (Sprague and Arnald). One of ordinary skill would have been motivated to combine Sprague, Arnald, Sharma and Kayyidavazhiyil because it would allow the server to avoid confusing one authentication session with another and prevent a fraudster from gaining access to the protected resource by trying to time an access attempt with the access attempt of a legitimate user (note column 7, lines 10-20 of Kayyidavazhiyil).

	
	For claims 15 and 25, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil teaches claims 13 and 23, wherein the reading the authentication key of the authentication tag applied to the physical object is performed by configuring the mobile device as a portable, handheld, image capture device (note paragraphs [0098] and [0103] of Sprague, camera on device; paragraph [0025] of Sharma, portable image capture device), and by aiming the image capture device at the authentication tag to capture return light from the three-dimensional elements (note paragraph [0042] of Sharma, capture return light from 3D elements).

	For claim 16, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil teaches claim 13, further comprising: registering a name of the user with the first entity when the scanned key data matches the key data stored in the database (note paragraph [0137] of Sprague, third party service provider saves device ID with user account when trust score is met).

	For claims 17 and 29, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil teaches claims 13 and 23, wherein the mobile device is authorized to read the authentication key of the authentication tag by comparing a device identifier of the mobile device with the unique device identifier stored in the database upon the mobile device reading the session identification code (note paragraphs [0020] and [0029] of Sharma, authentication pattern is stored in a remote database where second dataset serves as an address identifier).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine combination of Sprague and Arnald and the label with two datasets of Sharma. It would have been obvious because a simple substitution of one known element (label with random 3D elements and 2D address code of Sharma) for another (card with barcode of the combination of Sprague and Arnald) would yield the predictable results of a card with a barcode used for user login (the combination of Sprague and Arnald) that has a label containing random 3D elements and a 2D code used as address (Sharma) where the user scans the label and sends the scan with their device ID for authentication.


	For claims 18 and 30, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil teaches claims 13 and 23, wherein the machine-readable data elements of the second dataset are encoded in at least one Radio Frequency Identification (RFID) chip (note paragraph [0024] of Sharma, RFID tag).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine combination of Sprague and Arnald and the label with two datasets of Sharma. It would have been obvious because a simple substitution of one known element (label with random 3D elements and 2D address code of Sharma) for another (card with barcode of the combination of Sprague and Arnald) would yield the predictable results of a card with a barcode used for user login (the combination of Sprague and Arnald) that has an RFID label containing random 3D elements and a 2D code used as address (Sharma) where the user scans the label and sends the scan with their device ID for authentication.


	For claims 21 and 27, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil teaches claims 13 and 23, wherein the session identification code includes a plurality of session parameters that are captured by the mobile device in response to an access request (note column 6, lines 8-18 of Kayyidavazhiyil, server returns bar code encoded with user identifier, session identifier and other data).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald and Sharma and the authentication session identifier of Kayyidavazhiyil to form a system that generates a session identification code (Kayyidavazhiyil) which prompts the user to create an authentication key message generated by scanning a membership card (Sprague and Arnald). One of ordinary skill would have been motivated to combine Sprague, Arnald, Sharma and Kayyidavazhiyil because it would allow the server to avoid confusing one authentication session with another and prevent a fraudster from gaining access to the protected resource by trying to time an access attempt with the access attempt of a legitimate user (note column 7, lines 10-20 of Kayyidavazhiyil).


7.	Claims 14 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil as applied to claims 13 and 23 above, and further in view of Cha et al. (U.S. Patent Application Publication 2013/0174241; hereafter “Cha”).
	For claims 14 and 24, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil teaches claims 13 and 23, further comprising: providing, from the user, a user name to the first entity prior to the first entity providing the session identification code to the user (note column 5, line 65 through column 6, line 2 of Kayyidavazhiyil, user provides user identifier to the server).

	The combination of Sprague, Arnald, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	providing, from the user, a user name and password to the first entity.

	Cha teaches:
	providing, from the user, a user name and password to the first entity (note paragraph [0048], user provides user credentials including user identifier and password).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil and the receiving user credentials including user identifier and password before redirection to another server of Cha. It would have been obvious because combining prior art elements (user provides identifier to receive session identification of Kayyidavazhiyil; user provides user identifier and password before redirection and a session of Cha) according to known methods would yield the predictable results of a card with a barcode used for authentication (combination of Sprague and Arnald) where the user provides user credentials to the asset server to receive a session identifier (Kayyidavazhiyil) where the user credentials include both a user identifier and password (Cha).



8.	Claims 19 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil as applied to claims 13 and 23 above, and further in view of Nolan (U.S. Patent 10,026,078).
	For claim 19, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	further comprising: displaying a plurality of icons indicative of at least one of a card, a service, an asset on the mobile device, and activating a selected icon when the scanned key data matches the key data stored in the database of the second entity.

	Nolan teaches:
	further comprising: displaying a plurality of icons indicative of at least one of a card, a service, an asset on the mobile device, and activating a selected icon when the scanned key data matches the key data stored in the database of the second entity (note column 4, lines 36-44, selection buttons for different accounts after user authentication).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil and the account icons of Nolan. It would have been obvious because a simple substitution of one known element (allowing authorized user to access icons for different accounts of Nolan) for another (allowing authorized user to online service of Sprague) would yield the predictable results of allowing authorized users to access to their private data.


	For claim 26, the combination of Sprague, Arnald, Sharma, Kayyidavazhiyil and Nolan teaches claim 23, wherein the physical object comprises a storage medium  that stores the authentication key (note column 3, lines 44-56 of Nolan, user card has memory that stores user data) that can only being accessed by the mobile device having the unique device identifier (note column 4, lines 26-29 and column 14, lines 49-55 of Nolan, card functions only work when user’s mobile device, i.e. unique device identifier, is in proximity).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil and user card with storage for private user data of Nolan. It would have been obvious because combining prior art elements (user authentication using card encoded with key of Sprague, Arnald, Sharma and Kayyidavazhiyil; user data stored in a memory of a card of Nolan) according to known methods would yield the predictable results of a card with an authentication key used for authentication (Sprague, Arnald, Sharma and Kayyidavazhiyil) where the key is retrieved from card memory when the user mobile device is in proximity (Nolan).



9.	Claims 20 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil as applied to claims 13 and 23 above, and further in view of Tuukkanen (U.S. Patent Application Publication 2016/0286396).
	For claims 20 and 31, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	further comprising: storing a second unique device identifier indicative of a second mobile device of a second user in the database and determining if the scanned key data read by both the mobile device and the second mobile device matches the key data stored in the database of the second entity; and allowing the user to access the digital asset only if the scanned key data read by both the mobile device and the second mobile device matches the key data stored in the database of the second entity.

	Tuukkanen teaches:
	further comprising: storing a second unique device identifier indicative of a second mobile device of a second user in the database (note paragraphs [0031]-[0032], at least two user devices are required for a security operation) and determining if the scanned key data read by both the mobile device and the second mobile device matches the key data stored in the database of the second entity (note paragraphs [0034], [0041], [0043] and [0050], at least two devices provide security information); and allowing the user to access the digital asset only if the scanned key data read by both the mobile device and the second mobile device matches the key data stored in the database of the second entity (note paragraphs [0034], [0041], [0043] and [0050], authentication is granted when at least two devices provide security information).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil and the additional device providing authentication information of Tuukkanen. It would have been obvious because combining prior art elements (authentication using barcode and device ID of the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil) and authentication requiring at least two devices of Tuukkanen) according to known methods would yield the predictable results of requiring two user devices (Tuukkanen) to scan the authentication key and provide the code and their device ID for authentication (the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil).


10.	Claims 22 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil as applied to claims 21 and 27 above, and further in view of Arceo (U.S. Patent Application Publication 2012/0330769).
	For claims 22 and 28, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	wherein at least one of the plurality of session parameters comprises geolocation coordinates of the mobile device.

	Arceo teaches:
	wherein at least one of the plurality of session parameters comprises geolocation coordinates of the mobile device (note paragraphs [0251]-[0259] and [0268]-[0272], transaction identifier is only valid in certain location and during certain times).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil and transaction identifier (i.e. session code) with time and geographic expirations of Arceo. One of ordinary skill would have been motivated to combine Sprague, Arnald, Sharma, Kayyidavazhiyil and Arceo because having expirations for the session codes would reduce fraud/theft (note paragraph [0251] of Arceo).


11.	Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil as applied to claim 23 above, and further in view of Wu et al. (U.S. Patent Application Publication 2004/0035925; hereafter “Wu”).
	For claim 32, the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil differs from the claimed invention in that they fail to teach:
	wherein additional key data from an additional authentication key of the authentication tag that uniquely identifies the physical object is stored in the database, the first entity allowing access by the user to the digital asset only if scanned additional key data read by the mobile device matches the additional key data stored in the database.

	Wu teaches:
	wherein additional key data from an additional authentication key of the authentication tag that uniquely identifies the physical object (note paragraphs [0022] and [0024], multiple barcodes are used) is stored in the database (note paragraph [0011], data is stored in log file and image file), the first entity allowing access by the user to the digital asset only if scanned additional key data read by the mobile device matches the additional key data stored in the database (note Fig. 6 and paragraph [0028], barcodes are scanned and validated).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil and the multiple barcodes of Wu. It would have been obvious because combining prior art elements (authentication using barcode and device ID of the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil and scanning multiple codes of Wu) according to known methods would yield the predictable results of requiring multiple codes to be scanned (Wu) to provide multiple codes and their device IDs for authentication (the combination of Sprague, Arnald, Sharma and Kayyidavazhiyil).


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

12.	Claims 13-32 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-10 of U.S. Patent No. 10,192,084 in view of Sprague, Arnald, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu. 
	For claim 13, 10,192,084 teaches a method for authorizing access by a user to a digital asset of a first entity, comprising:
	storing key data from an authentication key of an authentication tag in the database of the second entity (note claim 1, “storing key data…”), the authentication key including a first dataset comprised of a random distribution of three-dimensional elements and a second dataset comprised of machine-readable data elements, the authentication key uniquely identifying the user (note claim 1, “configuring each tag…”);
	applying the authentication tag to a physical object (note claim 8, “affixing…”) and authorizing only the mobile device having the unique device identifier to read the authentication key of the authentication tag (note claim 4, “…which of the mobile devices is authorized to read…”);
	reading a session identification code provided by the first entity using the mobile device in response to the user requesting access to the digital asset, the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data (note claim 1, “reading the datasets…”); and
	determining if the scanned key data read by the mobile device matches the key data stored in the database of the second entity, and allowing access by the user to the digital asset only if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note claim 1, “determining…”).

10,192,084 differs from the claimed invention in that they fail to teach: 
	storing a unique, unchanging hardware identifier indicative of a mobile device of the user in a database of a second entity that is independent from the first entity and the mobile device;

	Sprague teaches:
	storing a unique, unchanging hardware identifier indicative of a mobile device of the user (note paragraphs [0114]-[0115] and [0119], MAC address of user mobile device is stored by identity server 190) in a database of a second entity that is independent from the first entity and the mobile device (note paragraph [0079] and Fig. 1D, identity server 190 is independent of relying party third party service provider 192 and user mobile device 150)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication method of 10,192,084 and the stored device IDs of Sprague. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of identifying authorized devices for reading authentication keys.

	The combination of 10,192,084 and Sprague differs from the claimed invention in that they fail to teach:
	reading a session identification code provided by the first entity using the mobile device in response to the user requesting access to the digital asset , the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data;

	Kayyidavazhiyil teaches:
	reading a session identification code provided by the first entity using the mobile device (note column 6, lines 25-33, user scans pattern and extracts session identifier) in response to the user requesting access to the digital asset (note column 6, lines 8-18, server returns bar code encoded with session identifier), the first entity thereafter prompting the user to read the authentication key with the mobile device to generate scanned key data (note column 6, lines 25-39, user to prompted to generate authentication key);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of 10,192,084 and Sprague and the authentication session identifier of Kayyidavazhiyil to form a system that generates a session identification code (Kayyidavazhiyil) which prompts the user to create an authentication key message generated by scanning a QR code (Sprague). One of ordinary skill would have been motivated to combine 10,192,084, Sprague and Kayyidavazhiyil because it would allow the server to avoid confusing one authentication session with another and prevent a fraudster from gaining access to the protected resource by trying to time an access attempt with the access attempt of a legitimate user (note column 7, lines 10-20 of Kayyidavazhiyil).

For claims 14-32, 10,192,084 similarly teaches authentication tags and where 10,192,084 fails to disclose the details, Sprague, Arnald, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu teach the claims as shown above.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication method of 10,192,084 and the stored device IDs of Sprague, Arnald, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of identifying authorized devices for reading authentication keys.


13.	Claims 13-32 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-10 of U.S. Patent No. 10,885,220 in view of Sprague, Arnald, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu. 
	For claim 13, 10,885,220 teaches a method for authorizing access by a user to a digital asset of a first entity, comprising:
	storing a unique, unchanging hardware identifier indicative of a mobile device of the user in a database of a second entity that is independent from the first entity and the mobile device (note claim 1, “…wherein the hardware identifier indicative of the mobile device is previously stored in the database of the authentication server…”;
	storing key data from an authentication key of an authentication tag in the database of the second entity (note claim 1, “…wherein the key data indicative of the authentication tag and the user is previously stored in a database of an authentication server…”, the authentication key including a first dataset comprised of a random distribution of three-dimensional elements and a second dataset comprised of machine-readable data elements, the authentication key uniquely identifying the user (note claim 1, “…the authentication tag being configured with a first dataset comprised of a random distribution of three-dimensional elements and with a second dataset comprised of machine-readable data elements, the first and second datasets together comprising an authentication key…”;
	applying the authentication tag to a physical object (note claim 1, “…an authentication tag associated with the user and applied to a physical object accessible to the user…”) and authorizing only the mobile device having the unique, unchanging hardware identifier to read the authentication key of the authentication tag (note claim 1, “…the authorized mobile device to read the authentication key with the reading device in response to a prompt; communicating, by the app, the read authentication key, the read session ID, and the hardware identifier to the authentication server…”);
	reading a session identification code provided by the first entity using the mobile device in response to the user requesting access to the digital asset (note claim 1, “…the webpage displaying a machine-readable code corresponding to a unique session ID…”, the first entity thereafter prompting the user to read the authentication key of the authentication tag applied to the physical object with the mobile device to generate scanned key data (note claim 1, “…accessing a reading device of the mobile device associated with the user…”; and
	determining if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note claim 1, “…based on the authentication server determining that the read authentication key matches the stored key data and that the sent hardware identifier matches the stored hardware identifier…”), and allowing access by the user to the digital asset only if the scanned key data read by the mobile device matches the key data stored in the database of the second entity (note claim 1, “…accessing the website, in the browser, as a logged-in user based on browser redirection by the webpage with a token corresponding to the information selected by the user…”).

For claims 14-32, 10,885,220 similarly teaches authentication tags and where 10,885,220 fails to disclose the details, Sprague, Arnald, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu teach the claims as shown above.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication method of 10,885,220 and the stored device IDs of Sprague, Arnald, Sharma, Kayyidavazhiyil, Cha, Nolan, Tuukkanen, Arceo, Wu. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of identifying authorized devices for reading authentication keys.

Conclusion
14.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
	Bettenburg et al. ((U.S. Patent Application Publication 2018/0183778) teaches authentication to a third party by scanning a QR code a device with a unique identifier (note paragraphs [0082] and [0410]).

15.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

16.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711. The examiner can normally be reached 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/David J Pearson/Primary Examiner, Art Unit 2438