Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Claims 1-20 remain for examination.  Claim 1, 6, 8, 13, 15 have been amended. Applicant's arguments filed on 09/12/2022 have been fully considered but they are moot in view of the new ground(s) of rejection necessitated by the amendments. Accordingly, this action has been made final.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 2020/0112578 A1 (hereinafter “Gupta”), and further in view of U.S. PGPub. No. 2020/0204577 (hereinafter “Song”).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 8 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 2020/0112578 A1 (hereinafter “Gupta”), and further in view of U.S. PGPub. No. 2020/0204577 (hereinafter “Song”); in further view of Sim US 20180234464 A1.

Regarding claim 1/8/15:
Gupta discloses: 
(Claim 1): A system (Gupta: “[0010] … a system for detecting bots”)
(Claim 8): A method (Gupta: “[0008] … a method for detecting bots”)
(Claim 15): A non-transitory computer-readable storage medium storing a set of instructions that, when executed by one or more processors, causes the one or more computer processors to perform operations (Gupta: “[0009] … a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for detecting bots”) 
comprising:
one or more computer processors (Gupta: “[0010] … a processing circuitry”, “[0047] …general-purpose microprocessors”);
one or more computer memories (Gupta: “[0010] … a memory”);
a set of instructions incorporated into the one or more computer memories, the set of instructions configuring the one or more computer processors to perform operations (Gupta: “[0010] … memory contains instructions that, when executed by the processing circuitry”) comprising:
sending an authentication request to a bot prevention service (Gupta, “[0041]…sends a set of pre-configured list of parameters to the bot detection engine 102”), the authentication request including a device identification (Gupta, “[0043]… parameters with values describing the browser and device. Here, f1, f2 etc. denote special values assigned for empty or null values. Another set of parameter values are collected for mobile app profile. These include parameters such as device manufacturer name, OS version, processor details, kernel version, vendor ID, battery level etc.”);
receiving a human verification test from the bot prevention service (Gupta: “[0015] FIG. 4 illustrates a functional flow diagram of a process for training and prediction in a system for bot detection, according to an embodiment.”, “[0054]…Based on anomaly score generated by the trained model 426, actions like “showing Completely Automated Public Turing Test (CAPTCHA)” are taken on the suspicious visitors.”, it is implied from this paragraph that the CAPTCHA is generated by the Bot detection engine and forwarded to the client);
performing the human verification test (Gupta: “[0015] FIG. 4 illustrates a functional flow diagram of a process for training and prediction in a system for bot detection, according to an embodiment.”, “[0054]…Based on anomaly score generated by the trained model 426, actions like “showing Completely Automated Public Turing Test (CAPTCHA)” are taken on the suspicious visitors.”, it is implied from this paragraph that the CAPTCHA test is performed);
sending an answer associated with the test to the bot prevention service (Gupta: “[0015] FIG. 4 illustrates a functional flow diagram of a process for training and prediction in a system for bot detection, according to an embodiment.”, “[0054]… The scores are then forwarded to the score evaluator 428 which evaluates the score to find out if a visitor is a bot with a bad score or a human with a normal score.”, it is implied from this paragraph that the CAPTCHA is generated by the Bot detection engine and forwarded to the client);
receiving an authentication approval or a failure of the authentication approval from the bot prevention service (Gupta: “[0069] If it is determined that the client runs a bot, at S616, a mitigation action is initiated based on identification of the bot. The mitigation may include blocking the client from accessing the server, reporting the client's IP address, sending an alert, and so on”).

Gupta does not disclose the following limitation taught by Song:
the authentication request including a device identification, a secondary form of user authentication, and an IP address, the authentication request (Song discloses: “[0022] … authentication process, an account usually relies on some devices, network, and identity media, such as an international mobile equipment identity (IMEI), an international mobile subscriber identity (IMSI), an Internet Protocol (IP) address, a media access control (MAC) address, a mobile phone number, an email address, and an identity card number.”)
Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify the system of Gupta by adding additional authentication elements to the request such as a phone number and IP address as disclosed in Song and be motivated in doing so because these elements can further assist in authenticating a device to an authentication service. 
Furthermore, the combination of Gupta and Song does not explicitly excluding personally identifiable information associated with a user other than the device identification, the secondary form of the user authentication, and the IP address.
However, Sim discloses “excluding personally identifiable information associated with a user other than the device identification, the secondary form of the user authentication, and the IP address” (Sim Pa. [0037]) [Any type of information that may be used by resource providers to estimate risk in their own authentication procedures may be included, preferably excluding personally identifiable information. The shared information need not be information that was actually used by the authentication broker to authenticate the user that requested the token 110.]
Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify the system of Gupta and Song by adding additional authentication elements to the request such as personally identifiable information as disclosed in Sim and be motivated in doing so because these elements can further assist in authenticating a device to an authentication service. 
Regarding claim 3/10/17:
The combination Gupta, Song and Sim discloses: 
wherein the authentication request includes an anonymous identifier (Song discloses: “[0022] … authentication process, an account usually relies on some devices, network, and identity media, such as an international mobile equipment identity (IMEI), an international mobile subscriber identity (IMSI), an Internet Protocol (IP) address, a media access control (MAC) address, a mobile phone number, an email address, and an identity card number.”)

Regarding claim 5/12/19:
The combination Gupta, Song and Sim discloses: 
based on a receiving of the failure of the authentication approval, performing at least one of blocking the IP address permanently, blocking the IP address for a period of time, blocking the secondary form of user authentication, or performing a new human verification test (Gupta: “[0069] If it is determined that the client runs a bot, at S616, a mitigation action is initiated based on identification of the bot. The mitigation may include blocking the client from accessing the server, reporting the client's IP address, sending an alert, and so on”).

Regarding claim 6/13/20:
The combination Gupta, Song and Sim discloses: 
wherein the secondary form of user authentication includes one or more of: an email address and a phone number (Song discloses: “[0022] … authentication process, an account usually relies on some devices, network, and identity media, such as an international mobile equipment identity (IMEI), an international mobile subscriber identity (IMSI), an Internet Protocol (IP) address, a media access control (MAC) address, a mobile phone number, an email address, and an identity card number.”)

Regarding claim 7/14:
The combination Gupta, Song and Sim discloses: 
further comprising, based on a receiving of the authentication approval, providing access to data within an information retrieval service (Gupta: “[0065] … a client attempting to access a web property…”).

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta in view of Song as applied to claims 1, 8 and 15 above, and further in view of U.S. PGPub. No. 2013/0145441 A1 (hereinafter "Mujumdar").
Regarding claims 2/9/16:
The combination of Gupta, Son in view of Sim does not explicitly disclose the following limitation taught by Mujumdar:
wherein the human verification test includes using an image-based human verification test configured for a mobile device (Mujumdar, “[0022]… a view 100 of an image-identification CAPTCHA on a mobile device 103. The image-identification CAPTCHA may include a challenge question or command 104 that, in this example, instructs the user to select a particular image or type of image from a set of images. For example, challenge question or command 104 may instruct the user to identify all images containing a bag or to identify a subset of all images containing a bag.”).

Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify the system of Gupta, Song and Sim by using image based CAPTCHA systems as one of the CAPTCHA systems disclosed by Gupta and to also format it for a mobile phone. The motivation comes from the prior art itself, where Mujumdar in ¶5 discloses the motivation for using image-based CAPTCHAs as: “[0005]… type-in CAPTCHAs, are typically either too simple, allowing automated software applications to circumvent the CAPTCHA using character recognition techniques, or are too difficult to comprehend, creating a frustrating user experience.”
Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta in view of Song as applied to claims 1, 8 and 15 above, and further in view of U.S. Pat. No. 8,955,069 B1 (hereinafter "Dotan").

Regarding claims 4/11/18:
The combination of Gupta, Son  in view of Sim does not explicitly disclose the following limitation taught by Dotan:
wherein the authentication approval includes providing an access code that may be used to access one or more of the following: an application on the mobile device, a service over the network, data on the mobile device, and data over the network (Dotan, Col. 2:44-50: “A security application on the mobile device of the user receives a request to collect the biometric information and provides the biometric information for the biometric authentication. In addition, a given token code is generated and provided to the security application on the mobile device if the biometric authentication is successful. The user can then enter the given token code to access the protected resource.”).
Thus, one of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to modify the system of Gupta, Song and Sim by generating an access code following successful authentication that can be used to access a protected resource. The motivation is found in the prior art, Dotan itself, as it does: (Col. 2:26-28) “not require the token or token generating material to be stored on the mobile device of the user.”

Response to Arguments
Arguments
It is argued that: The Examiner cited to a combination of Gupta and Song as allegedly teaching or suggesting all of the elements of the pre-amended versions of each of claims 1, 8, and 15. However, Applicant submits that no combination of Gupta and Song teaches or suggests, at least, "[an] authentication request excluding personally identifiable information associated with a user other than the device identification, the secondary form of the user authentication, and the IP address," as recited in each of independent claims 1, 8, and 15, as amended. In fact, neither reference teaches or suggests removing any personally-identifiable information from an authentication request that is sent to a bot prevention service.
Examiner’s response. 
In response to applicant's argument Examiner respectfully submits that Sim US 20180234464 A1 has been introduced to address the newly added limitation and which discloses by Sim.  “excluding personally identifiable information associated with a user other than the device identification, the secondary form of the user authentication, and the IP address” (Sim Pa. [0037]) [Any type of information that may be used by resource providers to estimate risk in their own authentication procedures may be included, preferably excluding personally identifiable information. The shared information need not be information that was actually used by the authentication broker to authenticate the user that requested the token 110.]”
Therefore, the Applicant’s arguments are moot.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday -Thursday 7:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B. Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EVANS DESROSIERS/           Primary Examiner, Art Unit 2491