Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
The instant application having Application No. 17/168,276 is presented for examination by the examiner.

 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim 5 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. 

As per claim 5, the removing step is unclear because the primary multi-factor authentication mechanism was disclosed as being part of the chain of trust.  Claim 1 recites that the sponsor is registered in the chain of trust associated with the user account.  Claim 1 is silent in establishing the relationship of the primary multi-factor authentication mechanism to the chain of trust.  Therefore, it is unclear what constitutes removal of the chain when no connection is disclosed.  For purposes of examination, the limitation is interpreted such that the primary way of authenticating by the user is removed after onboarding a new multi-factor authentication mechanism.  In other words, after the sponsor device authenticates the first user the first user can then replace the old password with the new password to re-enable normal access to his/her account.   Appropriate correction is required.



Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.




Claims 1-6, 8, 10-15, and 17-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by USP Application Publication 2020/0128013 to Mossoba et al., hereinafter Mossoba.
As per claims 1, 12, and 17, Mossoba teaches a method for using a sponsor [Authorization providing computing device 109-n | second party] as a proxy for multi-factor authentication of a first user account for a first user when a primary multi-factor authentication mechanism is unavailable to the first user account [the user has lost his/her device and cannot access the account in the normal way; 0005], the method comprising: 
registering the sponsor in a multi-factor authentication chain of trust associated with the first user account (0028, 0029, and 0031); 
requesting verification of an identity of the first user from the sponsor (0035, step 205]; 
receiving, from the sponsor, a verification of the identity of the first user [second party provides server with the authenticating information; 0024]; and 
granting access to a service to the first user account (0033-0035).

As per claims 2, 13, and 18, Mossoba teaches registering the sponsor in the multi-factor authentication chain of trust includes associating the sponsor with a sponsor policy that defines when use of the sponsor is permitted (0022 and 0027).
As per claims 3, 14, and 19, Mossoba teaches the granted access is limited by an access policy [authentication preferences are stored; 0031] that defines limited access when access is granted based on the verification of the sponsor [interpreted as the user first resets the password after accessing account as a result of a successful verification of the sponsor; 0024 and 0034].
As per claims 4, 15, and 20, Mossoba teaches the request for verification of the identity from the sponsor includes a declaration that the primary multi-factor authentication mechanism must be replaced [server requests second party provide, to the server, its own credentials first then grants access to first user.  This process replaces the primary way the first user signs into his/her account; 0024].
As per claim 5, Mossoba teaches granting access to the service includes: sending a link [email can be pushed to second user; 0025] to onboard a new multi-factor authentication mechanism [second party authenticates itself by providing credentials to the server; 0024]; and 
removing the primary multi-factor authentication mechanism from the multi-factor authentication chain of trust [as interpreted above, the lost password is removed and replaced by first user after being able to sign back in; 0034].
As per claim 6, Mossoba teaches requesting verification of the identity of the first user from the sponsor comprises: initiating a communication between the first user account and the sponsor (0023).
As per claim 8, Mossoba teaches receiving a request to access a service accompanied by log-in credentials for the first user account (0032).
As per claim 10, Mossoba teaches determining that a trust score associated with the primary multi-factor authentication mechanism is too low to perform the multi-factor authentication [trust score is interpreted as a pass/fail decision which is instituted by the server when it is detected that the first user 107 and second party 109 as using the same physical device resulting no authentication; 0024].
As per claim 11, Mossoba teaches receiving a request to have the sponsor satisfy the multi-factor authentication for the user account [request for security authentication received by server (0035) and authentication information provided by the authorization providing device; 0033].

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 7, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Mossoba in view of USP Application Publication 2015/0046990 to Oberheide et al., hereinafter Oberheide.

As per claim 7, Mossoba is silent in explicitly teaching the primary multi-factor authentication mechanism is responsible for generating keys derived from biometric data, and wherein the primary multi- factor authentication mechanism must be replaced comprising: instructing a replacement primary multi-factor authentication mechanism to generate a new biometrically derived key; receiving the new biometrically derived key; storing the new biometrically derived key in association with the service to be used in future authentications.  
Oberheide teaches: 
the primary multi-factor authentication mechanism is responsible for generating keys derived from biometric data [biometric features are encoded into a signature that when combined define the biometric profile for the user; these encoded biometric signatures are what unlocks the authentication process; 0026 and 0053], 
and wherein the primary multi-factor authentication mechanism must be replaced [new device leads to re-enrollment which updates old biometric profile] comprising: 
instructing a replacement primary multi-factor authentication mechanism to generate a new biometrically derived key [re-enroll new biometric profile; 0060 and 0061]; 
receiving the new biometrically derived key [new encoded signature profile sent to server; 0060, step S136]; 
storing the new biometrically derived key in association with the service to be used in future authentications [reference biometric profiles are stored in 130; see also 0043].  It was known before the effective filing date to use biometrically derived keys as a factor in multi-factor authentication.  Mossoba already teaches multi-factor authentication wherein the second party actually performs biometric authentication.  Thus the system of Mossoba is compatible with biometric authentication.  Oberheide teaches how biometric profiles are updated when the user receives a new device with new Auth app (0061).  Mossoba teaches resetting the credentials such as the password after being locked out of the account.  If biometric authentication were initially used by the first user of Mossoba, her biometric authentication can be replaced as taught by Oberheide.  Mossoba teaches multi-factor authentication using biometrics (0003) and seeks to improve the process using other trusted devices.  If the first user’s credentials are tied to the device, which paragraph 0024 teaches they should be, and a new device is obtained, the biometric credentials can be reset as taught by Oberheide with predictable results.  The claim is obvious because one of ordinary skill in the art can substitute methods known before the effective filing date which do not produce unpredictable results.   Substituting a biometric factor for another factor is predictable.  The re-enrollment process taught by Oberheide can be substituted for the resetting of a password.  

As per claim 9, Mossoba teaches determining that a multi-factor authentication request failed (0027).  Mossoba does not explicitly teach notifying the first user account that the multi-factor authentication request failed.  On the other hand, Oberheide teaches notifying the first user account that the multi-factor authentication request failed [last step of Figure 11].  The user knowing the results of the authentication request is important.  Mossoba only explicitly describes what the user does when authentication succeeds.  Oberheide teaches sending both possible results to the user which improves the user’s experience because she is informed what happened either way.  The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which do not produce unpredictable results.  


As per claim 16, Mossoba teaches:
	receiving a request to access a service accompanied by log-in credentials for the first user account (0032);
determining that a multi-factor authentication request failed (0027);
determining that a trust score associated with the primary multi-factor authentication mechanism is too low to perform the multi-factor authentication [trust score is interpreted as a pass/fail decision which is instituted by the server when it is detected that the first user 107 and second party 109 as using the same physical device resulting no authentication; 0024];
receiving a request to have the sponsor satisfy the multi-factor authentication for the user account [request for security authentication received by server (0035) and authentication information provided by the authorization providing device; 0033].
Mossoba does not explicitly teach notifying the first user account that the multi-factor authentication request failed.  On the other hand, Oberheide teaches notifying the first user account that the multi-factor authentication request failed [last step of Figure 11].  The user knowing the results of the authentication request is important.  Mossoba only explicitly describes what the user does when authentication succeeds.  Oberheide teaches sending both possible results to the user which improves the user’s experience because she is informed what happened either way.  The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which do not produce unpredictable results.  

Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431