DETAILED ACTION
Claim Status
This Office Action is in response to claims filed on 06/29/2022.
Claims 1-2, 4-5 and 7-10 are pending and have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
With respect to rejection of claims under 35 U.S.C. 103, Applicant is of the opinion that the claims are patentable as neither Royyuru, Kaladgi, Collinge and Makhotin, alone or in combination, recite the distinguishing features described in the amended claims.  Further, Applicant provides an argument related to “reference authentication data” which is not part of the claim language making the argument unclear or if “authentication data” is the same as “reference authentication data.”
Examiner fully considers Applicant’s position, but respectfully disagree and consider the argument with regard to the combination of the prior arts used to rejection the prior claims as moot since the claim have been amended and the combination of prior arts used to reject the instant claims have changed.
However, Royyuru discloses the generation of a dynamic PAN cryptogram by applying an algorithm to at least a key such as the institution key card variant (IKCV), one or more factors from the payment device (e.g. unpredictable numbers, counters or time stamp) and real Primary Account Number (PAN) hence Royyuru discloses generating, by the user device, a cryptogram (dynamic PAN cryptogram) by applying a third algorithm to the key (IKCV), the intermediary vector (one or more factors from the payment device, (DTC)), and the data (PAN) relative to the given operation, function, action and/or process to be secured as cited.
On the other hand, Beltramino disclose downloading, by the user device, from a remote server and string in its memory, at least one predetermined initial vector (wallet single use keys (W_SUKs)) that is based on an application of a first algorithm to (a) reference user authentication data (mobile personal identification number (Mobile PIN)), and (b) a reference vector (wallet session keys (W_SKs)) that is not based on the reference user authentication data and that is valid for the given operation, function, action and/or process to be secured, said initial vector being thus valid for the given operation, function, action and/or process to be secured (Pars. 21-22); generating, by the user device, an intermediary vector by applying a second algorithm, being an inverse algorithm of the first algorithm, to the at least one predetermined initial vector downloaded from the remote server and valid for the given operation, function, action and/or process to be secured and the authentication data provided by the user (PIN) (Pars. 25-26) and a user authentication request (Par. 34).  Therefore, the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains as cited.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5 and 7-10 are rejected under 35 U.S.C. 103 as being unpatentable over Royyuru et al. (US 2012/0317035), Beltramino et al. (US 2017/0032370) in view of Collinge et al. (US 2015/0156176).
With respect to claims 1 and 8-10, Royyuru discloses a method, a device , a server and a system for authenticating a user for a given operation, function, action and/or process to be secured; using a user device having at least a processor, a memory and an associated man machine interface enabling the user to present user authentication data for capture or to enter user authentication data, said method, comprising: wherein the system comprises at least one device and at least one server, the device being connected to the server, wherein the device comprises a processor configured to (Figs. 1-3; Pars. 40-41):
a man-machine interface (MMI) configured to receive authentication data as provided by a user (Figs. 2-3; Pars. 42, 50);
storing, in the memory of a user device, a key (institution key card variant (IKCV)), and the at least one predetermined initial vector (unique card-level key) and valid for the operation, function, action and/or process to be secured (Fig. 3; Pars. 48)
wherein the processor, of the device, is configured to:
accessing, by the user device, from its memory, (i) the key, and (ii) at least one predetermined initial vector (Figs. 3-4, 7; Pars. 58);
receiving, by the user device, via the man machine interface associated with the user device, authentication data as provided by the user (Pars. 50, 58);
accessing, by the user device, (iii) data (PAN) relative to the given operation, function, action and/or process to be secured, and (iv) authentication data provided by the user (PIN) (Figs. 3-4; Par. 58);
generating, by the user device, a cryptogram (dynamic PAN cryptogram) by applying a third algorithm to the key (IKCV), the intermediary vector (one or more factors from the payment device, (DTC)), and the data (PAN) relative to the given operation, function, action and/or process to be secured (Figs. 3-6; Pars. 58, 62, 75);
transmitting, by the user device, to a server having computing resource, a user request accompanied with the generated cryptogram and the data relative to the given operation, function, action and/or process to be secured (Figs. 3-4; Pars. 68) 
wherein the server computer comprises: at least one processor: and a memory wherein the at least one processor is configured to:
receiving, from a user device, a request accompanied with the cryptogram and the data relative to the given operation, function, action and/or process to be secured (Figs. 3-4; Pars. 67-68);
accessing, from the memory, (i) a key (institution key), and (ii) at least one reference vector (unique card level keys) that is not based on the reference user authentication data and valid for the operation, function, action and/or process to be secured (Figs. 3-4; Pars. 59, 68).
Royyuru does not explicitly disclose downloading, by the user device, from a remote server and string in its memory, at least one predetermined initial vector that is based on an application of a first algorithm to (a) reference user authentication data and (b) a reference vector that is not based on the reference user authentication data and that is valid for the given operation, function, action and/or process to be secured, said initial vector being thus valid for the given operation, function, action and/or process to be secured; generating, by the user device, an intermediary vector by applying a second algorithm, being an inverse algorithm of the first algorithm, to the at least one predetermined initial vector downloaded from the remote server and valid for the given operation, function, action and/or process to be secured and the authentication data provided by the user and a user authentication request.  Beltramino disclose downloading, by the user device, from a remote server and string in its memory, at least one predetermined initial vector (wallet single use keys (W_SUKs)) that is based on an application of a first algorithm to (a) reference user authentication data (mobile personal identification number (Mobile PIN)), and (b) a reference vector (wallet session keys (W_SKs)) that is not based on the reference user authentication data and that is valid for the given operation, function, action and/or process to be secured, said initial vector being thus valid for the given operation, function, action and/or process to be secured (Pars. 21-22); generating, by the user device, an intermediary vector by applying a second algorithm, being an inverse algorithm of the first algorithm, to the at least one predetermined initial vector downloaded from the remote server and valid for the given operation, function, action and/or process to be secured and the authentication data provided by the user (PIN) (Pars. 25-26) and a user authentication request (Par. 34).  Therefore, the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to substitute the uploading of the unique card-level key into the user device and into a file on the payment processor platform, indexed by card number, that is used by application in the user device to generate a dynamic transaction cryptogram (DTC) based on the unique card-level key and a Personal Identification Number (PIN) provided by the consumer (Pars. 58, 71, (Table)) of Royyuru in view of Beltramino in order to use payment device/user specific information during generation of transaction cryptogam and to authenticate the device/consumer using the device based on the received cryptogam for a specific transaction (Royyuru, Pars. 59, 107-113) and to authenticate both user devices and their users during transaction session (Beltramino, Par. 32).  ("Express suggestion to substitute one equivalent technique for another need not be present to reader such substitution obvious"; In re Fout, 213 USPQ 532 (CCPA 1982), In re Siebentritt, 152 USPQ 618 (CCPA 1967); Ex Parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)).
Neither Royyuru nor Beltramino explicitly disclose generating, by the server, a reference cryptogram by applying the third algorithm to the key, the reference vector valid for the operation, function, action and/or process to be secured, and the data relative to the given operation, function, action and/or process to be secured; verifying, by the server computer, whether the reference cryptogram matches the received cryptogram; and in response to the reference cryptogram matching the received cryptogram authenticating, by the server computer, the user in response to verifying that (if) the reference cryptogram matches the received cryptogram.  Collinge disclose generating, by the server, a reference cryptogram (second application cryptogram) by applying the third algorithm to the key (session key), the reference vector valid for the operation, function, action and/or process to be secured (single use keys), and the data (payment profile (transaction account number)) relative to the given operation, function, action and/or process to be secured (Figs. 3, 5-7; Par. 88); verifying, by the server computer, whether the reference cryptogram matches the received cryptogram (Figs. 7; Par. 135); and in response to the reference cryptogram matching the received cryptogram authenticating, by the server computer, the user in response to verifying that (if) the reference cryptogram matches the received cryptogram (Pars. 41, 89).  Therefore, the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to substitute the generation of a card variant of an institution key with key generation data (IKCVGENDATA) that comprise a 16-digit string based on: Last four (receipt) digits of the PAN, Member number (two bytes), Device Sequence number (two bytes), Four digit expiration date (YYMM), Last four (receipt) digits of the PAN by the user device for a transaction cryptogam generation and authenticating of cryptograms generated by the user device at a payment system for each transaction (Figs. 4, 7; Pars. 68, 107-113) of Royyuru, Beltramino in view of Collinge in order to use payment device/user specific information during generation of transaction cryptogam and to authenticate the device/consumer using the device based on the received cryptogam for a specific transaction (Royyuru, Pars. 59, 68, 107-113) and to authenticate both user devices and their users during transaction session (Collinge, Par. 41).  ("Express suggestion to substitute one equivalent technique for another need not be present to reader such substitution obvious"; In re Fout, 213 USPQ 532 (CCPA 1982), In re Siebentritt, 152 USPQ 618 (CCPA 1967); Ex Parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)).
With respect to claim 2, Royyuru, Beltramino in view of Collinge of discloses all the limitations as described above.  Additionally, Royyuru discloses wherein,
the data includes payment transaction data (Abstract, Figs. 4-5; Pars. 58, 69),
the request is further accompanied with a request for authorizing a payment transaction, and data relating to a user account (Pars. 59-61), and
the server, or another server, further retrieves at least one identifier relating to a user account based upon the data relating to the user account (Pars. 58, 70).
Royyuru does not explicitly disclose user authentication request.  Beltramino disclose a user authentication request (Par. 34).  Therefore, the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to substitute transmitting of user payment information from the user device to payment processor system for authentication of user payment information before approval (Figs. 4-5; Par. 68) of Royyuru in view of Beltramino in order to use payment device/user specific information during generation of transaction cryptogam and to authenticate the device/consumer using the device based on the received cryptogam for a specific transaction (Royyuru, Pars. 59, 68) and to authenticate both user device and their user’s during authorization of a transaction session (Beltramino, Par. 34).  ("Express suggestion to substitute one equivalent technique for another need not be present to reader such substitution obvious"; In re Fout, 213 USPQ 532 (CCPA 1982), In re Siebentritt, 152 USPQ 618 (CCPA 1967); Ex Parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)).
With respect to claim 4, Royyuru, Beltramino in view of Collinge of discloses all the limitations as described above.  Additionally, Royyuru discloses wherein the user authentication data provided by the user includes at least one element of a group comprising:
a Personal Identity Number (Fig. 4; Pars. 58-59);
at least one biometric print;
user credentials;
a password;
a passcode.
With respect to claim 5, Royyuru, Beltramino in view of Collinge of discloses all the limitations as described above.  Additionally, Royyuru discloses wherein the at least one identifier relating to a user account and/or the data relating to the user account includes at least one element of a group comprising:
a Primary Account Number (Abstract, Figs. 4-5; Pars. 58, 69);
a Dynamic Primary Account Number (Abstract, Figs. 4-5; Pars. 35, 69);
a Primary Account Number alias;
a Primary Account Number alternate.
With respect to claim 7, Royyuru, Beltramino in view of Collinge of discloses all the limitations as described above.  Additionally, Royyuru discloses wherein the third algorithm includes at least one element of a group comprising: a Data Encryption Standard or DES type algorithm; a Triple DES type algorithm; a Message Authentication Code type algorithm; an algorithm using a symmetric key (Pars. 85, 98, 106).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
PGPub Gordon et al. (US 2016/0241402): Gordon discloses user device generating cryptogams based on user identification and verification to authenticating the user during transaction (Abstract, Figs. 2-5; Pars. 32, 55, 58-64, 78-95).
PGPub Makhotin et al. (US 2015/0088756): Makhotin disclose transmitting, by the user device to a server computer, a user authentication request (Fig. 6; Pars. 110, 116, 119, 161-162).
PGPub Kaladg et al. (US 2016/0275491): Kaladg disclose downloading, by a user device, from a remote server, at least one predetermined initial vector (secret key), initial vector downloaded from the remote server (Figs. 1, 2b; Pars. 41).

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WODAJO GETACHEW whose telephone number is (469)295-9069. The examiner can normally be reached M-F 8:00-6:00 CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John W Hayes can be reached on (571) 272-6708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/WODAJO GETACHEW/Examiner, Art Unit 3685                                                                                                                                                                                            
/Mohammad A. Nilforoush/Primary Examiner, Art Unit 3685