DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to application filed 03/04/2022. Claims 1 – 24 are pending for consideration.

Priority
	This application is a continuation of allowed application 16/025851 filed on 07/02/2018, now patent US 11271930.

Drawings
	The drawings were received on 03/04/2022. These drawings are accepted.

Information Disclosure Statement
The information disclosure statement (IDS) dated 03/09/2022 has been received and considered.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1 – 24 are rejected on the ground of nonstatutory double patenting as being unpatentable over independent claims 1-8 of U.S. Patent No. 11271930 (Reference Patent). Although the claims at issue are not identical, they are not patentably distinct from each other because independent claims of the Reference Application anticipate the instant independent claim 1 and claims 2 – 8 dependent on claim 1, as shown below for the first claim set.

Instant Application, claims 1-8:

1. An authentication correlation (AC) computing device comprising at least one processor and a memory, the AC computing device configured to: receive a first authentication request from a requesting computer device including an account identifier, a first timestamp, and at least one authentication factor; determine a first security level of the first authentication request based upon the at least one authentication factor; store the first security level and the first timestamp in a database as authentication data; receive a second authentication request including the account identifier and a second timestamp; determine the second authentication satisfies an authentication rule based on the account identifier, the second timestamp, and the stored authentication data, wherein the rule defines a timeframe and an authentication threshold; and generate an authentication response based on the determination and the authentication rule, wherein the authentication response includes an approval indicator.

2. The AC computing device of Claim 1, wherein the AC computing device is further configured to transmit the authentication response to a payment network associated with the account identifier.

3. The AC computing device of Claim 1, wherein the first authentication request includes an indicator representing that biometric authentication was performed on the requesting user device.

4. The AC computing device of Claim 1, wherein the authentication request includes a digital signature generated by the requesting computer device.

5. The AC computing device of Claim 1, wherein the authentication response further includes a request for additional authentication factors and a URI for a second authentication system.

6. The AC computing device of Claim 1, wherein the first security level and the first timestamp are stored in a location associated with the account identifier within the memory.

7. The AC computing device of Claim 1, wherein the AC computing device is further configured to: determine the authentication rule that applies to the second authentication request based at least in part on the account identifier.

8. The AC computing device of Claim 7, wherein the AC computing device is further configured to: retrieve authentication factor data from the memory based on the timeframe, the second timestamp, and the account identifier, wherein the authentication factor data includes any number of stored security levels; and compare the stored security levels to the authentication threshold.

Reference Patent (11271930), claims 1-8:

1. An authentication correlation (AC) computing device in communication with a payment network, the AC computing device comprising at least one processor and a memory, the AC computing device configured to: store one or more authentication rules of an issuer of payment accounts, wherein the one or more authentication rules define a timeframe and an authentication level threshold for approval of subsequent authentication requests after a first authentication request, and wherein the issuer is included in the payment network; in response to a user initiating a first payment transaction over the payment network, receive a first authentication request for the first payment transaction, the first authentication request including a first account identifier, a first timestamp, and a first authentication factor, the first authentication factor representing a type of authentication performed in authenticating the user as part of the first payment transaction; determine a first security level of the type of authentication performed in authenticating the user based upon the first authentication factor; store the first security level and the first timestamp in a database as authentication data; in response to the user initiating a second payment transaction over the payment network, receive a second authentication request, the second authentication request including a second account identifier, a second timestamp, and a second authentication factor, wherein the first and second account identifiers are associated with the same payment account; determine a second security level associated with the second authentication factor; determine that the second security level is less secure than the first security level; apply the one or more authentication rules of the issuer to the second authentication request including determining (i) that the second authentication request was received within the timeframe based on a comparison of the first and second timestamps, and (ii) that the first security level satisfies the authentication level threshold; and authenticate the user for the second payment transaction without requiring additional authentication input from the user.

2. The AC computing device of Claim 1, wherein the AC computing device is further configured to transmit, in response to the user being authenticated, an authentication response to the payment network associated with at least one of the first and second account identifiers.

3. The AC computing device of Claim 1, wherein the first authentication request includes an indicator that biometric authentication was performed on the requesting user device.

4. The AC computing device of Claim 1, wherein the first and second authentication requests include a digital signature generated by a requesting computer device.

5. The AC computing device of Claim 1, wherein first and second authentication responses further include a request for additional authentication factors and a URI of a second authentication system.

6. The AC computing device of Claim 1, wherein the first security level and the first timestamp are stored in a location associated with the first account identifier within the database.

7. The AC computing device of Claim 1, wherein the AC computing device is further configured to: determine an authentication rule applies to the second authentication request based at least in part on authentication rules associated with the second account identifier.

8. The AC computing device of Claim 7, wherein the AC computing device is further configured to: retrieve authentication factor


Independent claims 9 and 17 disclose a method and a medium, respectively, which are substantially equivalent to the device of claim 1. Dependent claims are rejected because of their dependency on respective base claims. Accordingly, claims 1 – 24 are rejected on the ground of nonstatutory double patenting as being unpatentable over cited claims of U.S. Patent No. 11271930 (Reference Patent).

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 7, 15, and 23 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Regarding claims 7, 15, and 23, the statement ‘the authentication rule …based at least in part on the account identifier’ is indefinite since it does not specify how the authentication rule relates to the account identifier, or to which specific part of it.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 – 24 are rejected under 35 U.S.C. 103 as being unpatentable over Mathew et al. (US 2018/0288063) (hereafter Mathew) and in view of Beigi (US 2015/0347734) (hereafter Beigi).

Regarding claim 1 Mathew teaches: An authentication correlation (AC) computing device comprising at least one processor and a memory, the AC computing device (Mathew in col.5, ll. 53-58 discloses “A computer system may include one or more processors and one or more memory accessible to the one or more processors and storing one or more instructions which, upon execution by the one or more processors, causes the one or more processors to implement methods and/or operations disclosed herein”)
configured to: receive a first authentication request from a requesting computer device (Mathew in col.6, ll. 1-3 discloses “In response to receiving a request to access the resource from a computing device by a user, determining, authentication of a user at the first authentication level.”)
[including an account identifier, a first timestamp,] 
and at least one authentication factor; determine a first security level of the first authentication request based upon the at least one authentication factor (Examiner note: authentication factor is met by the interactive element that determined the authentication level) (Mathew in col.5, ll. 21-23 discloses “The resource may provide an interactive element to request the current authentication level to be reduced.” Mathew in col.5, ll. 62-64 discloses “a method includes identifying a first authentication level at which access to a resource is permitted.”)
store the first security level and the first timestamp in a database as authentication data (Mathew in col.5, ll. 1-3 discloses “The access management system may store data with session information for a session.”);
receive a second authentication request including the account identifier and a second timestamp (Mathew in col.6, ll. 24-29 discloses “The method may include, after the session is established at the first authentication level, receiving, from the computing device, a second request to prevent the access to the resource at the first authentication level. Receiving the second request may be detected as the event.”)
determine the second authentication satisfies an authentication rule (Mathew in col.6, ll. 39-42 discloses “where the one or more resources are accessible by the computing device at the second authentication level, and where the request to access the one or more resources is detected as the event”)
[based on the account identifier, the second timestamp,] 
and the stored authentication data, wherein the rule defines a timeframe (Mathew in col.4, ll. 66-67 discloses “The conditions may be specific based on a variety of criteria, including a type of resource, the user accessing a resource, time, or other events in an enterprise system.”)
[and an authentication threshold;] 
and generate an authentication response based on the determination and the authentication rule, wherein the authentication response includes an approval indicator.
(Examiner note: authentication response is met by completion process 222, i.e. granting an access after the second level authentication) (Mathew in col.18, ll. 32-41 discloses “access management system 140 may perform a process 222 ("Step-up") to adjust (e.g., "step-up") the authentication level of a session such that additional authentication is performed before access is permitted to one or more resources. For example, at step 230, user 102 may operate device 104 to request access to a resource that is accessible based on authentication at an authentication level that higher, or elevated compared to the authentication level at which user 102 authenticated in the previous steps.”).
Mathew fails to explicitly teach: 
including an account identifier, a first timestamp
based on the account identifier, the second timestamp
and an authentication threshold;
Beigi from the analogous technical field teaches: including an account identifier, a first timestamp; 
based on the account identifier, the second timestamp
(Examiner note: account information comprises account ID) (Beigi, in Para. [0195] discloses “receive and store an account identifier, ACCTA, which will be used by the TA in the future to retrieve information related to this registration.” Beigi, in Para. [0078] discloses “This database also includes other information such as several timestamps depicting the last attempt and last successful attempt, number of failures in a row, etc.”),
and an authentication threshold (Beigi, in Para. [0157] discloses “A predefined threshold is used for making a hard binary decision of whether to authenticate user or not, based on where the score lies with respect to this threshold.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Mathew, in view of the teaching of Beigi which discloses security levels and timestamps related information together with account identifier stored in a database in order to improve data management in the system (Beigi, [0078, 0157, 0195]).

Regarding claim 2 Mathew fails to explicitly teach: The AC computing device of Claim 1, wherein the AC computing device is further configured to transmit the authentication response to a payment network associated with the account identifier.
Beigi from the analogous technical field teaches: The AC computing device of Claim 1, wherein the AC computing device is further configured to transmit the authentication response to a payment network associated with the account identifier
(Examiner note: the ACCTA is an account identifier of Beigi) (Beigi, in Para. [0169] discloses “The payment method triggers a combination of challenges based on requirements which have been set in the set up stage by the PDA owner and the authorizing entity” Beigi, in Para. [0207] discloses “Send Signed Transaction along with the ACCTA which was stored at the registration stage to the POS”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Mathew, in view of the teaching of Beigi which discloses processing payment using account identifier in order to improve data management in the system (Beigi, [0169, 0207]).

Regarding claim 3 Mathew as modified by Beigi teaches: The AC computing device of Claim 1, wherein the first authentication request includes an indicator representing that biometric authentication was performed on the requesting user device (Mathew in col.15, ll. 35-39 discloses “Examples of credential types may include a Smartcard/Proximity card, a token, a public key infrastructure (PKI), a Windows Logon, a lightweight directory access protocol (LDAP) logon, a biometric input, or the like.”).

Regarding claim 4 Mathew fails to explicitly teach:  The AC computing device of Claim 1, wherein the authentication request includes a digital signature generated by the requesting computer device.
Beigi from the analogous technical field teaches: The AC computing device of Claim 1, wherein the authentication request includes a digital signature generated by the requesting computer device (Beigi, in Para. [0176] discloses “The following definitions are used to describe the digital signature of the information which is stored on the device to ensure the authenticity of the authentication references.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Mathew, in view of the teaching of Beigi which discloses digital signature processing in order to improve the authentication in the system (Beigi, [0176]).

Regarding claim 5 Mathew as modified by Beigi teaches: The AC computing device of Claim 1, wherein the authentication response further includes a request for additional authentication factors and a URI for a second authentication system (Mathew in col.20, ll. 66-67 discloses “A resource can be data (e.g., a URL or a URI) accessed through an application.” Mathew in col.6, ll. 39-42 discloses “where the one or more resources are accessible by the computing device at the second authentication level, and where the request to access the one or more resources is detected as the event”).

Regarding claim 6 Mathew fails to explicitly teach: The AC computing device of Claim 1, wherein the first security level and the first timestamp are stored in a location associated with the account identifier within the memory.
Beigi from the analogous technical field teaches: The AC computing device of Claim 1, wherein the first security level and the first timestamp are stored in a location associated with the account identifier within the memory (Beigi, in Para. [0157] discloses “Each security level may have a special digital certificate associated with it and at the time of usage, the transaction authority may request different levels of security (different credentials).” Beigi, in Para. [0195] discloses “receive and store an account identifier, ACCTA, which will be used by the TA in the future to retrieve information related to this registration.” Beigi, in Para. [0183] discloses “the original reference data is retrieved by the authentication application from the persistent memory” Beigi, in Para. [0078] discloses “This database also includes other information such as several timestamps depicting the last attempt and last successful attempt, number of failures in a row, etc.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Mathew, in view of the teaching of Beigi which discloses security levels and timestamps related information together with account identifier stored in a database in order to improve data management in the system (Beigi, [0078, 0157, 0183, 0195]).

Regarding claim 7 Mathew fails to explicitly teach: The AC computing device of Claim 1, wherein the AC computing device is further configured to: determine the authentication rule that applies to the second authentication request based at least in part on the account identifier.
Beigi from the analogous technical field teaches:  The AC computing device of Claim 1, wherein the AC computing device is further configured to: determine the authentication rule that applies to the second authentication request based at least in part on the account identifier (Examiner note: as noted above the authentication rules are met by the authentication criteria; account information comprises account ID) (Beigi, in Para. [0068] discloses “Section 1. 87 shows the number of people who have already matched the multifactor authentication criteria and 88 shows the number of total matches requested by the system” Beigi, in Para. [0157] discloses “account information may be linked to the device/user through registration with a transaction authority”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Mathew, in view of the teaching of Beigi which discloses authentication criteria (rules) that include access to the account ID in order to improve security of the system (Beigi, [0068, 0157]).

Regarding claim 8 Mathew fails to explicitly teach: The AC computing device of Claim 7, wherein the AC computing device is further configured to: retrieve authentication factor data from the memory based on the timeframe, the second timestamp, and the account identifier, wherein the authentication factor data includes any number of stored security levels; and compare the stored security levels to the authentication threshold.
Beigi from the analogous technical field teaches: The AC computing device of Claim 7, wherein the AC computing device is further configured to: retrieve authentication factor data from the memory based on the timeframe, the second timestamp, and the account identifier, wherein the authentication factor data includes any number of stored security levels; and compare the stored security levels to the authentication threshold (Beigi, in Para. [0091] discloses “a complete multifactor authentication is proposed which contains few modes from each of four different types of authentication factor” Beigi, in Para. [0078] discloses “This database also includes other information such as several timestamps depicting the last attempt and last successful attempt, number of failures in a row, etc.” Beigi, in Para. [0157] discloses “account information may be linked to the device/user through registration with a transaction authority” Beigi, in Para. [0157] discloses “Each security level may have a special digital certificate associated with it and at the time of usage, the transaction authority may request different levels of security (different credentials).” Beigi, in Para. [0092] discloses “A virtual location may be a bank account, a merchant account, an account with a seller or a facilitator of a sale between buyers and sellers, personal data stored on a storage device such as passwords and classified information on a hard drive or other storage media.” Beigi, in Para. [0157] discloses “A predefined threshold is used for making a hard binary decision of whether to authenticate user or not, based on where the score lies with respect to this threshold.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Mathew, in view of the teaching of Beigi which discloses authentication factors including timestamps and account ID stored in the database in order to improve data management for higher security (Beigi, [0078, 0091, 0092, 0157]).

Regarding claim 9, claim 9 discloses a method that is substantially equivalent to the device of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 9 and rejected for the same reasons.

Regarding claim 10, claim 10 dependent on claim 9 discloses a method that is substantially equivalent to the device of claim 2 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 2 are equally applicable to claim 10 and rejected for the same reasons.

Regarding claim 11, claim 11 dependent on claim 9 discloses a method that is substantially equivalent to the device of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 11 and rejected for the same reasons.

Regarding claim 12, claim 12 dependent on claim 9 discloses a method that is substantially equivalent to the device of claim 4 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 12 and rejected for the same reasons.

Regarding claim 13, claim 13 dependent on claim 9 discloses a method that is substantially equivalent to the device of claim 5 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 5 are equally applicable to claim 13 and rejected for the same reasons.

Regarding claim 14, claim 14 dependent on claim 9 discloses a method that is substantially equivalent to the device of claim 6 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 6 are equally applicable to claim 14 and rejected for the same reasons.

Regarding claim 15, claim 15 dependent on claim 9 discloses a method that is substantially equivalent to the device of claim 7 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 7 are equally applicable to claim 15 and rejected for the same reasons.

Regarding claim 16, claim 16 dependent on claim 15 discloses a method that is substantially equivalent to the device of claim 8 dependent on claim 7. Therefore, the arguments set forth above with respect to claim 8 are equally applicable to claim 16 and rejected for the same reasons.

Regarding claim 17, claim 17 discloses a medium that is substantially equivalent to the device of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 17 and rejected for the same reasons.

Regarding claim 18, claim 18 dependent on claim 17 discloses a medium that is substantially equivalent to the device of claim 2 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 2 are equally applicable to claim 18 and rejected for the same reasons.

Regarding claim 19, claim 19 dependent on claim 17 discloses a medium that is substantially equivalent to the device of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 19 and rejected for the same reasons.

Regarding claim 20, claim 20 dependent on claim 17 discloses a medium that is substantially equivalent to the device of claim 4 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 20 and rejected for the same reasons.

Regarding claim 21, claim 21 dependent on claim 17 discloses a medium that is substantially equivalent to the device of claim 5 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 5 are equally applicable to claim 21 and rejected for the same reasons.

Regarding claim 22, claim 22 dependent on claim 17 discloses a medium that is substantially equivalent to the device of claim 6 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 6 are equally applicable to claim 22 and rejected for the same reasons.

Regarding claim 23, claim 23 dependent on claim 17 discloses a medium that is substantially equivalent to the device of claim 7 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 7 are equally applicable to claim 23 and rejected for the same reasons.

Regarding claim 24, claim 24 dependent on claim 23 discloses a medium that is substantially equivalent to the device of claim 8 dependent on claim 7. Therefore, the arguments set forth above with respect to claim 8 are equally applicable to claim 24 and rejected for the same reasons.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VLADIMIR IVANOVICH GAVRILENKO whose telephone number is (313)446-6530.  The examiner can normally be reached on Monday-Friday 7:30-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/VLADIMIR I GAVRILENKO/Examiner, Art Unit 2431    

/TRANG T DOAN/Primary Examiner, Art Unit 2431