DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 11/02/2021.
In the instant Amendment: Claims 1 and 11 have been amended and Claims 1 and 11 are independent claims. Claims 1-20 have been examined and are pending. This Action is made FINAL.          
Response to Arguments
Applicants' arguments in the instant Amendment, filed on 11/02/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant Argues: Bradley and Edwardsson do not disclose “calculating, by the verifying node, at least a heuristic of trust of the user device by determining a degree of obscurity of the user device” and “transferring, from the user device to the at least one recipient, an asset as a function of the transfer authorization token” of amended claim 1. See Remarks at 6. 
Regarding the concept of “heuristic of trust,” the Specification explains that such “a heuristic of trust may include one or more processes for determining a degree to which user device 108 may be treated as trustworthy [and] may be calculated or computed with regard to [ ] geographic location, device fingerprint information, and/or [ ] as a function of the most recent time of past interaction.” See Specification ¶¶ [0094], [0095] (emphasis added). In other words, the nature and frequency of prior, known interaction or behavioral profile of the user device is a factor for calculating a “heuristic of trust” associated with a degree of obscurity of the user device. 
Similarly, Bradley teaches calculating the risk profile parameter (i.e., an indication of trustworthiness) of a user device based on “one or more probability and / or statistical methods to determine a risk assessment value, a risk score or authentication strength associated with the authentication data received in the authentication response 307. Some of the factors that can be analyzed by the identity risk assessment module 113 can include , for example , a user ' s usage profile , the client compute device running the client SaaS application 145 , the geographic location of the client compute device running the client SaaS application 145 , the resources and / or services the user is trying to access , the time of day a user typically request access to one or more SP servers, IP addresses of the client compute device attempting to established a session , session history between a client compute device and an SP server…” See Bradley ¶ [0081] (emphasis added). In other words, the system may determine that a device from an unknown, unexpected location, IP address, or lacking prior session history (i.e., obscure) or exhibiting abnormal behavior as higher risk and therefore lower trust. Accordingly, Bradley discloses “calculating, by the verifying node, at least a heuristic of trust of the user device by determining a degree of obscurity of the user device” of claim 1. 
Regarding “transferring, from the user device to the at least one recipient, an asset as a function of the transfer authorization token,” Bradley discloses providing a service, access or even financial services in response to receiving an authentication token. See Bradley FIG. 6, ¶ ¶ [0048], [0104] (“ In some instances , the identity token can be sent and stored at the client compute device 139 such that the client compute device 139 can use the identity token to access the SP server 115 and / or the SP server 127 . In some instances , the SP server 115 can provide , for example , SaaS application services , social network ser vices , electronic publication services.”) (emphasis added). Thus, Bradley teaches granting user access to a service and/or assets in response to an authentication token. 
Furthermore, Edwardsson teaches upon a successful authentication, a blockchain transaction protocol can “records a transfer of digital electronic value tokens from Token Sender 391 to Token Recipient 392.” See Edwardsson ¶ [0031]. Therefore, the combination of Bradley in view of Edwardsson teaches “transferring, from the user device to the at least one recipient, an asset as a function of the transfer authorization token,” with Edwardsson providing the insight of enabling a block-chain based asset transfer among authenticated participants. 
In conclusion, applicant’s argument are unpersuasive and the rejection of claim 1 is maintained. Similarly, rejection of independent claims 10 and 17, which recite similar matter to claim 1, is also maintained.  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-6, 11, 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Bradley et al. (“Bradley,” US 20170289134, published Oct. 5, 2017) in view of Edwardsson (“Edwardsson,” US 20190370504, filed May 30, 2018). 
Regarding claim 1, Bradley discloses a method of cryptographic authorization of wireless communications (Bradley [0028], [0037], [0096], [0122]. In some embodiments , the client compute device 139 [ ] a mobile device ( for example , tablet , laptop and cellular phone ) and other similar compute device.  Each [user profile] attribute can also, for example , be encrypted with the public key associated with an individual or group of individuals that have the right to read the attribute. [F]or example, authentication processes ; client server sessions ; server to server sessions ; user related information or attributes , including user credentials and user metrics. Based on the shared risk assessment information , the second SP server can decide whether to continue with the transaction based on the risk assessment information.), the method comprising: 
receiving, at a verifying node, a transfer request from a user device (Bradley FIGs 1B, 3, [0059], [0078], [0115]. For example , the client compute device 139 can provide a login request including credentials to the IdP 101 , at 170 . The IdP 101 can then authenticate the user and / or the client compute device 139 based on the credentials , at 172 . As shown in FIG . 3 , a user operating a client compute device ( e . g . , client compute device 139 in FIG . 1A ) running the client SaaS application 145 can request access , at 301 , to a protected SP resource or service hosted by a SP server ( e . g . , SP server 115 in FIG . 1A ) . For example , a threshold for a social media based SP server can have lower threshold than a financial transaction based SP server.); 
authenticating, by the verifying node, the transfer request as a function of a biometric authentication (Bradley [0045]. Identity provider server 101 can be a compute device capable of authenticating an identity of a user or a compute device ( e.g., client compute device 139 ). In some embodiments, the authentication and / or identity assertion module 111 can receive authentication data from an SP server 115 or 127 and / or a client compute device 139. For example, the authentication and / or identity assertion module 111 can use biometrics derived from recorded user finger prints and user voice patterns to measure and / or analyze unique physical or behavioral characteristics of a user.); 
calculating, by the verifying node, at least a heuristic of trust of the user device by determining a degree of obscurity of the user device (Bradley [0081]. Accordingly , the identity risk assessment module 113 can execute one or more probability and / or statistical methods to determine a risk assessment value, a risk score or authentication strength associated with the authentication data received in the authentication response 307. Some of the factors that can be analyzed by the identity risk assessment module 113 can include , for example , a user ' s usage profile , the client compute device running the client SaaS application 145 , the geographic location of the client compute device running the client SaaS application 145 , the resources and / or services the user is trying to access , the time of day a user typically request access to one or more SP servers, IP addresses of the client compute device attempting to established a session , session history between a client compute device and an SP server. ); 
assigning, by the verifying node, a confidence level to the user device as a function of the biometric authentication and the degree of obscurity of the user device (Bradley [0045], [0052], [0081]. In some embodiments, the authentication and / or identity assertion module 111 can receive authentication data from an SP server 115 or 127 and / or a client compute device 139. For example, the authentication and / or identity assertion module 111 can use biometrics derived from recorded user finger prints and user voice patterns to measure and / or analyze unique physical or behavioral characteristics of a user. The risk assessment module 113 can execute one or more prob ability and / or statistical methods to determine a risk assessment value associated with a client compute device ( e . g . , client compute device 139 ) . Accordingly , the identity risk assessment module 113 can execute one or more probability and / or statistical methods to determine a risk assessment value , a risk score or authentication strength associated with the authentication data received in the authentication response 307. Some of the factors that can be analyzed by the identity risk assessment module 113 can include , for example , a user ' s usage profile , the client compute device running the client SaaS application 145 , the geographic location of the client compute device running the client SaaS application 145 , the resources and / or services the user is trying to access , the time of day a user typically request access to one or more SP servers, IP addresses of the client compute device attempting to established a session , session history between a client compute device and an SP server. [Note that Specification [0009] explains that “confidence level” can refer to probabilistic score/index “expressing a degree to which the safety, security or authenticity of a process, device, or datum may be relied upon.”]); 
generating, by the verifying node, a transfer authorization token (Bradley [0048]. [T]he IdP server 101 can generate an identity token including a user ID or personal identity number ( PIN ) , user security / access level identifier , an indication of the specific features and resources or services provided by the application that have been approved for the user , an address of the associated application module , and / or other information that can be used by other devices within a federation ( e . g . , SP servers 115 and 127 ) . In some instances , the identity token can be sent and stored at the client compute device 139 such that the client compute device 139 can use the identity token to access the SP server 115 and / or the SP server 127 [for financial service].); and 
providing, by the verifying node, the transfer authorization token to at least one recipient device (Bradley [0048], [0051].  [T]he IdP server 101 can generate an identity token including a user ID or personal identity number ( PIN ) , user security / access level identifier , an indication of the specific features and resources or services provided by the application that have been approved for the user.  In some instances , the identity token can be sent and stored at the client compute device 139 such that the client compute device 139 can use the identity token to access the SP server 115 and / or the SP server 127. In some instances, the IdP server 101 can send an encrypted or empty identity token to the client compute device 139, a server, or another compute device. ); and
transferring, [from the user device to the at least one recipient], an asset as a function of the transfer authorization token (Bradley FIG. 6, [0048], [0104]. In some instances , the identity token can be sent and stored at the client compute device 139 such that the client compute device 139 can use the identity token to access the SP server 115 and / or the SP server 127 . In some instances , the SP server 115 can provide , for example , SaaS application services , social network ser vices , electronic publication services.). 
Bradley does not explicitly disclose: wherein the transfer authorization token comprises a physically unclonable function; transferring, from the user device to the at least one recipient, an asset. 
However, in an analogous art, Edwardsson discloses a method comprising the step of: 
wherein the transfer authorization token comprises a physically unclonable function (Edwardsson [0007], [0027]. Specifically, the specialized embedded computing devices of this invention include Physical Unclonable Function ( henceforth abbreviated PUF ) hardware. Specialized PUF embedded computing device 200 also creates a new proof signature, which includes a time stamp, then adds said proof signature, said new token creation claim transaction records, and other supported transactions from a pool of pending transactions to a new data block [of a blockchain]. [Specification at par. [0070] explains that “PUF 120 used as trusted hardware [ ] may employ cryptographic measures including generation of public and / or private keys” used for generating cryptocurrency tokens.] ); 
transferring, from the user device to the at least one recipient, an asset (Edwardsson [0031]. Transaction dy2s0cct records a transfer of digital electronic value tokens from Token Sender 391 to Token Recipient 392.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Makay with the teachings of Edwardsson to include the steps of: wherein the transfer authorization token comprises a physically unclonable function; providing, by the verifying node, the transfer authorization token to at least one recipient device, transferring, from the user device to the at least one recipient, an asset. One would have been motivated to provide users with a means for conducting a secure and token based blockchain cryptocurrency transactions among authenticated participants.  (See Edwardsson [0031].)
Regarding claim 5, Bradley and Edwardsson disclose the method of claim 1. Bradley further discloses wherein authenticating further comprises determining a location of the user device (Bradley [0081], [0115]. Some of the factors that can be analyzed by the identity risk assessment module 113 can include , for example , a user ' s usage profile , the client compute device running the client SaaS application 145 , the geographic location of the client compute device running the client SaaS application 145. For example , a threshold for a social media based SP server can have lower threshold than a financial trans action based SP server . Similarly stated , the financial trans action based SP server can have less tolerance of risk than the social media based SP server .). 
Regarding claim 6, Bradley and Edwardsson disclose the method of claim 1. Bradley further discloses wherein authenticating further comprises determining, by the verifying node, at least a heuristic of trust as a function of the at least a transfer request from the user device (Bradley [0045], [0052], [0081]. In some embodiments, the authentication and / or identity assertion module 111 can receive authentication data from an SP server 115 or 127 and / or a client compute device 139. For example, the authentication and / or identity assertion module 111 can use biometrics derived from recorded user finger prints and user voice patterns to measure and / or analyze unique physical or behavioral characteristics of a user. The risk assessment module 113 can execute one or more prob ability and / or statistical methods to determine a risk assessment value associated with a client compute device ( e . g . , client compute device 139 ) . Accordingly , the identity risk assessment module 113 can execute one or more probability and / or statistical methods to determine a risk assessment value , a risk score or authentication strength associated with the authentication data received in the authentication response 307. [Note that Specification [0009] explains that “confidence level” can refer to probabilistic score/index “expressing a degree to which the safety, security or authenticity of a process, device, or datum may be relied upon.”]). 
Regarding claim 11, claim 11 corresponds to system corresponding to the method of claim 1. Claim 11 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding claim 15, claim 15 corresponds to system corresponding to the method of claim 5. Claim 15 is similar in scope to claim 5 and is therefore rejected under similar rationale. 
Regarding claim 16, claim 16 corresponds to system corresponding to the method of claim 6. Claim 16 is similar in scope to claim 6 and is therefore rejected under similar rationale. 
Claims 4, 10, 14, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bradley et al. (“Bradley,” US 20170289134, published Oct. 5, 2017) in view of Edwardsson (“Edwardsson,” US 20190370504, filed May 30, 2018) and Havilio (“Havilio,” US 20170178124, published Jun. 22, 2017). 
Regarding claim 4, Bradley and Edwardsson disclose the method of claim 1. Bradley and Edwardsson do not explicitly disclose: wherein authenticating further comprises comparing the transfer request from the user device to an authentication listing. 
However, in an analogous art, Havilio discloses wherein authenticating further comprises comparing the transfer request from the user device to an authentication listing (Havilio [0102], [0114]. Specifically, the token manager 246 can manage tokenized credentials for users who have previously engaged in payment transactions [e.g., token managers has a list of users who have been authenticated for prior transactions] with one or more other users via the social networking system. The financial system can authenticate 316 the user for the payment account based on the login information.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Havilio with Bradley and Edwardsson to include the steps of: wherein authenticating further comprises comparing the transfer request from the user device to an authentication listing. One would have been motivated to provide users with a means for expediently servicing previously authenticated users.  (See Havilio [0102].) 
Regarding claim 10, Bradley and Edwardsson disclose the method of claim 1. Havilio further discloses wherein providing the transfer authorization token further comprises incorporating the transfer authorization token in an instance of an authentication listing (Havilio [0102], [0121], [0123]. Specifically, the token manager 246 can manage tokenized credentials for users who have previously engaged in payment transactions [e.g., token managers has a list of users who have been authenticated for prior transactions] with one or more other users via the social networking system. The payment network 115 may generate the token and send the token with the successful payment response or at any time after authenticating the sender. As mentioned, the payment network 115 can generate a token for use in connection with additional payment transactions after a first payment transaction.)
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Havilio with Bradley and Edwardsson to include the steps of: wherein authenticating further comprises comparing the transfer request from the user device to an authentication listing. One would have been motivated to provide users with a means for expediently servicing previously authenticated users.  (See Havilio [0102].) 
Regarding claim 14, claim 14 corresponds to system corresponding to the method of claim 4. Claim 14 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Regarding claim 20, claim 20 corresponds to system corresponding to the method of claim 10. Claim 20 is similar in scope to claim 10 and is therefore rejected under similar rationale.



Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Bradley et al. (“Bradley,” US 20170289134, published Oct. 5, 2017) in view of Edwardsson (“Edwardsson,” US 20190370504, filed May 30, 2018) and Hammond,II et al. (“Hammond, II,” US 20040123156, published Jun 24, 2005). 
Regarding claim 2, Bradley and Edwardsson disclose the method of claim 1. Bradley and Edwardsson do not explicitly disclose: wherein receiving the transfer request further comprises: receiving a cryptographic proof from the user device; and cryptographically verifying the cryptographic proof. 
However, in an analogous art, Hammond, II discloses a method comprising the step of wherein receiving the transfer request further comprises: receiving a cryptographic proof from the user device; and cryptographically verifying the cryptographic proof (Hammond II [0029]. Before mobile computer 514 connects to LAN 504, it is first authenticated using Zero-knowledge identification protocol 46 as shown in FIG. 3. Mobile computer 514 includes a prover agent 522 that interacts with authentication agent 520 to perform Zero-knowledge identification protocol 46. [Note the Speciation at par. [0038] explains that cryptographic proofs can be zero-knowledge proofs]). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Hammond II with the teachings of Bradley and Edwardsson to include the step of: receiving a cryptographic proof from the user device; and cryptographically verifying the cryptographic proof. One would have been motivated to provide users with a means for using zero-knowledge proofs for authentication. (See Hammond II [0029].) 
Regarding claim 12, claim 12 corresponds to system corresponding to the method of claim 2. Claim 12 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Bradley et al. (“Bradley,” US 20170289134, published Oct. 5, 2017) in view of Edwardsson (“Edwardsson,” US 20190370504, filed May 30, 2018) and Blankenbeckler et al. (“Blankenbeckler,” US 20040123156, published Jun 24, 2005). 
Regarding claim 3, Bradley and Edwardsson disclose the method of claim 1. Bradley and Edwardsson do not explicitly disclose: wherein authenticating further comprises comparing the transfer request from the user device to a revocation listing. 
However, in an analogous art, Blankenbeckler teaches a method comprising the step of wherein authenticating further comprises comparing the transfer request from the user device to a revocation listing (Blankenbeckler [0039], [0150].  A user of client system 106 may then remotely access the content and play it on a mobile device, such as an iPad, iPod, iPhone, a portable video game console, such as PlayStation(R) portable or a Nintendo DS, etc. Kiosk 106 then responds by sending a host session ID and its certificate, which includes its public key, to storage device 112. The storage device 112 verifies the host certificate and checks the signature. The storage device 112 may also check its revocation list to make sure the kiosk 106 is not revoked.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Blankenbeckler with the teachings of Bradley and Edwardsson to include the step of: wherein authenticating further comprises comparing the transfer request from the user device to a revocation listing. One would have been motivated to provide users with a means for comparing client identification information against a revocation list prior to granting access to services. (See Blankenbeckler [0150]). 
Regarding claim 13, claim 13 corresponds to system corresponding to the method of claim 3. Claim 13 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Claims 7-9, 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bradley et al. (“Bradley,” US 20170289134, published Oct. 5, 2017) in view of Edwardsson (“Edwardsson,” US 20190370504, filed May 30, 2018) and Lindemann (“Lindemann,” US 20170048218, published Feb. 16, 2017). 
Regarding claim 7, Bradley and Edwardsson disclose the method of claim 1. Bradley and Edwardsson do not explicitly disclose: wherein generating the transfer authorization token further comprises: associating, the transfer request from the user with at least an authorization datum; digitally signing the authorization datum; and generating the transfer authorization token containing the digitally authorization datum.
However, in an analogous art, Lindemann discloses a method comprising the steps of wherein generating the transfer authorization token further comprises: 
associating, the transfer request from the user with at least an authorization datum; digitally signing the authorization datum; and generating the transfer authorization token containing the digitally authorization datum (Lindemann [0044]. After the user provides valid verification data [ ], the authentication device verifies the user and generates a crypto graphic signature (sometimes referred to as a “token') with the transaction details and the random challenge (i.e., the signature is calculated over the transaction details and the nonce). This allows the secure transaction server 132-133 to ensure that the transaction details have not been modified between the server and the client. The secure transaction server 132-133 identifies the user with the user name and verifies the signature. If verification succeeds, a confirmation message is sent to the client and the transaction is processed.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Lindemann with the teachings of Bradley and Edwardsson to include the step of: associating, the transfer request from the user with at least an authorization datum; digitally signing the authorization datum; and generating the transfer authorization token containing the digitally authorization datum. One would have been motivated to provide users with a means for using a digital signature to verify the authenticity of transaction data. (See Lindemann [0044]). 
Regarding claim 8, Bradley, Edwardsson and Lindemann disclose the method of claim 7.  Bradley, Edwardsson and Lindemann do not explicitly disclose: wherein the transfer authorization token includes recipient device information. 
Edwardsson further discloses wherein the transfer authorization token includes recipient device information (Edwardsson [0031]. In one embodiment, Token Sender 391 may use a software program running on a smartphone to send value tokens to Recipient 392's PoEPG blockchain network address. Other embodiments, including but not limited to embodiments wherein the sender and recipient use mobile phone text messaging.). 
    The motivation is the same as that of claim 7 above. 
Regarding claim 9, Havilio, Edwardsson and Lindemann disclose the method of claim 7. Edwardsson further discloses wherein generating the authorization token includes associating a temporal attribute with the transfer authorization token (Edwardsson [0026]- [0027]. [Specialized PUF embedded in computing device] calculates the number of new digital value tokens it is entitled to create [ ] and generates transaction records for the e PoEPG blockchain to create and claim said value tokens. Specialized PUF embedded computing device 200 also creates a new proof signature, which includes a time stamp, then adds said proof signature, said new token creation claim transaction records, and other supported transactions from a pool of pending transactions to a new data block , then broadcasts the new block [to be added to the block-chain].). 
The motivation is the same as that of claim 7 above. 
Regarding claim 17, claim 17 corresponds to system corresponding to the method of claim 7. Claim 17 is similar in scope to claim 7 and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 corresponds to system corresponding to the method of claim 8. Claim 18 is similar in scope to claim 8 and is therefore rejected under similar rationale.
Regarding claim 19, claim 19 corresponds to system corresponding to the method of claim 9. Claim 19 is similar in scope to claim 9 and is therefore rejected under similar rationale.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961.  The examiner can normally be reached on Monday to Friday, 9 AM - 6  PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  


Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/EDWARD LONG/
Examiner, Art Unit 2439



/LUU T PHAM/               Supervisory Patent Examiner, Art Unit 2439