DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11 November 2022 has been entered.
 Response to Amendment
Applicant’s amendment filed 23 September 2022 amends claims 1, 10, and 17. Claims 21-23 have been cancelled. Applicant’s amendment has been fully considered and entered.
Response to Arguments
Applicant argues on page 10 of the response, “The references do not disclose or suggest updating a risk score criteria to change a threshold risk score to identify low risk and high risk authentications in response to changes in information comprising previous registration attempts.” This argument has been fully considered and is persuasive. Therefore, the rejection has been withdrawn.  However, upon further consideration, a new grounds of rejection is made in view of Zhao, CN 106982193.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, U.S. Publication No 20130086657, in view of Kim, U.S. Publication No. 20110307381, Trelin, U.S. Publication No. 20190266314, in view of Gharabegian, U.S. Publication No. 20180268056, and further in view of Zhao, CN 106982193.
As per claim 1, Srinivasan discloses: a computer implemented method for proving identity when registering for a service provided by an entity, comprising: 
presenting, by the entity, a user with options for registering for the service (Srinivasan, Fig. 7), wherein the options comprise a first option of validating a user identity through a trusted partner and a second option of validating the user identity through receipt of personal identifying information (Srinivasan, [0024], [0066], and Fig. 7, an application/NPR (i.e., entity) displays options to a user to validate their identity for registration, wherein the options include radio buttons that allow a user to validate via a particular identity provider (i.e., trusted partner), or an option to input personal identifying information (PII), e.g., name and email address information (see [0059])); 
responsive to selection of the first option:
receiving, by the entity, user data from the trusted partner responsive to the user logging into a page on the trusted partner (Srinivasan, [0028]-[0029], identity data (e.g., user's name, address, date of birth, relationship information, social graph data) is retrieved from an identity provider, such as Facebook, in response to successful logging into Facebook); and
populating entity user data for the service according to the user data received from the trusted partner [responsive to successfully validation of the identity of the user] (Srinivasan, [0028]-[0029], responsive to successful user login to the application using login credentials for the user’s Facebook identity, identity information/data gathered can be used to automatically fill out (i.e., populate) a portion of a form for the application);
responsive to selection of the second option:
receiving, by the entity, personally identifying information data from the user, and populating entity user data for the service according to user data received from the user [responsive to successful authentication of the user identity]. (Srinivasan, [0059] & [0070] and Fig. 7, user chooses to register for a local NPR (see Fig. 7) which would require the user to create an account by inputting email and password information. Responsive to account creation, the user’s information such as email (i.e., personally identifying information data) is received and stored by the account).
Srinivasan does not disclose, however, Kim teaches or suggests: validating the user identity for the service responsive to a determination that a user identifier from the trusted partner matches a user identifier on record with the entity (Kim, [0095] and [0097], a universally unique identifier (UUID) is received from the trusted third party after successful authentication with the trusted third party, such that the user identity can be validated responsive to a determination that the UUID from the trusted third party matches a previously stored UUID).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Srinivasan to include validating the user identity using a user identifier from the trusted partner matching a user identifier on record as taught by Kim for the benefit of validating a user based on a non-sensitive user identifier that is trusted, as opposed to exposing private information (e.g., credit card) which prevents malicious actors from obtaining user sensitive personal identifying information in the validation process (Kim, [0005]).
While the modified Srinivasan teaches selection of the second option (Srinivasan, Fig. 7), the modified Srinivasan does not disclose, however, Trelin teaches or suggests: applying an artificial intelligence (Al) risk analysis evaluation to the personally identifying information data received to generate a risk score (Trelin, [0066], artificial intelligence is used to determine a risk score that represents the risk from the respective information that the person is who he or she asserts to be; risk score part of an identity score, [0035], wherein the information includes biographic information, e.g., email address (i.e. personally identifying information data), among other information); 
authenticating the user if the risk score, when compared to a risk score criteria, indicates a low risk that a person attempting to register is not the user (Trelin, [0094], score (i.e., risk score) is determined after identity check, wherein the risk/identity score is compared to a confidence threshold (i.e., risk score criteria), wherein a high risk score indicates that the person is who he or she asserts to be in order to approve the person for enrolment); and 
populating entity user data for the service according to the user data received from the user responsive to successful authentication of the user identity (Trelin, [0055]-[0056], biographic data is evaluated to determine if the digital representation of the biometric data (e.g., digital picture of user (see [0035])) is genuine. If the digital representation of the biometric data is genuine (i.e., successful authentication), enrollment is processed, [0057], user fills out form specifying name, address, and email to be populated for the user’s /enrollment account), 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include applying artificial intelligence to the user’s personally identifying information for authenticating the user’s identity as taught by Trelin in order to provide and accurate and flexible means of proving that the requesting user is who they claim to be as suggested by Trelin ([0053] & [0066] & [0077]).
While the modified Srinivasan teaches an artificial intelligence risk analysis evaluation to determine the risk of authenticating a user from their PII (Trelin, [0066]), the modified Srinivasan does not disclose it being of a third party. However, Gharabegian teaches or suggests: a third party artificial intelligence software hosted on remote servers to be utilized to perform processing or actions (Gharabegian, [0063], “artificial intelligence and/or machine learning software may not need to be stored on an intelligent shading system 300 and/or third party artificial intelligence and/or machine learning software hosted on remote servers may be utilized to perform this processing or these actions”). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include using a third party artificial intelligence software hosted on remote servers as taught by Gharabegian for benefit of offloading processing power (Gharabegian, [0063]).
Srinivasan, as modified by Trelin, does not specify adjusting the threshold value based upon previous registration attempts. Zhao discloses adjusting a threshold value utilized to determine whether a current registration attempt should be permitted or refused such that the threshold adjustment is performed based upon altering comparison criteria to include comparison of password portions included in previous registration attempts over a period of time (Page 8, last two full paragraphs & Page 7: Comparison would look for similar password seeds such as “abcdef” in registration attempts the include “abcdef001” and “abcdef002”), which meets the limitation of updating a risk score criteria to change a threshold risk score to identify low risk and high risk authentication in response to changes in information comprising previous registration attempts. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the threshold utilized in the modified Srinivasan to have been adjustable based on previous registration information in order to provide threat detection with improved reliability as suggested by Zhao (Page 8, last full paragraph – Page 9, first full paragraph).
As per claim 2, Srinivasan discloses receiving user identification data from the identity provider ([0028]-[0029]). Srinivasan does not specify that the user identification data is encrypted. Kim discloses the encryption of user data for all communications ([0075]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the user identification data communication from the identity provider in Srinivasan to have been encrypted in order to shield the user identification data from being accessed as suggested by Kim ([0075]).
As per claim 3, claim 2 is incorporated and the modified Srinivasan does not disclose, however, Kim teaches or suggests: decrypting the user data received from the trusted partner (Kim, [0075], all important data is encrypted and decrypted).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention for the user identification data communication from the identity provider in Srinivasan to have been encrypted in order to shield the user identification data from being accessed as suggested by Kim ([0075]).
As per claim 4, claim 2 is incorporated and the modified Srinivasan discloses: wherein the user data comprises a first name, a last name, and a data of birth of the user (Srinivasan, [0028], identity data, e.g., user's name, address, date of birth, relationship information, social graph data, etc.).
As per claim 5, claim 2 is incorporated and the modified Srinivasan discloses: wherein the user data comprises a user identifier (Srinivasan, [0028], user’s name).
Claims 6, 8, 9 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, U.S. Publication No 20130086657, in view of Kim, U.S. Publication No. 20110307381, Trelin, U.S. Publication No. 20190266314, in view of Gharabegian, U.S. Publication No. 20180268056, in view of Zhao, CN 106982193, and further in view of Fox, U.S. Publication No. 2018/0013565.
As per claim 6, Srinivasan, as modified in view of Kim, does not specify that the user identification data is encrypted using a salt value. Fox discloses adding a salt value to sensitive information prior to performing a cryptographic operation on the sensitive information ([0065]), which meets the limitation of wherein the encrypted value of the user identifier received from the trusted partner comprises a salt value of the user identifier. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include salting and hashing the user identifier to be used for validating by the trusted partner as taught by Fox for the benefit of improving remote identity verification by protecting user sensitive information from malicious third parties (Fox, [0003]).
As per claim 8, claim 1 is incorporated and the modified Srinivasan does not disclose, however, Fox teaches or suggests: receiving an access token from the trusted partner, the access token allowing the entity to retrieve the user data from the trusted partner (Fox, [0063] and [0067], authentication server generates and provides an access token to client server for obtaining categories of information to retrieve).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include a token for retrieving user data from the trusted partner as taught by Fox for the benefit of improving remote identity verification by protecting user sensitive information from malicious third parties (Fox, [0003]).
As per claim 9, claim 1 is incorporated and the modified Srinivasan does not disclose, however, Fox teaches or suggests: wherein the user identifier comprises a social security number (Fox, [0065] and [0055], sensitive information includes a social security number).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include the user identifier to be a social security number because Fox discloses that social security numbers are one of a finite number possible forms of user information that could be utilized by one of ordinary skill with a reasonable expectation of success (Fox: [0055] & [0065]).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, U.S. Publication No 20130086657, in view of Kim, U.S. Publication No. 20110307381, Trelin, U.S. Publication No. 20190266314, in view of Gharabegian, U.S. Publication No. 20180268056, in view of Zhao, CN 106982193, in view of Fox, U.S. Publication No. 2018/0013565, and further in view of Itzhaki, U.S. Publication No. 2020/0244640. 
As per claim 7, claim 6 is incorporated and the modified Srinivasan does not disclose, however, Fox teaches or suggests: 
receiving the salt value [and a hash function] from the trusted partner (Fox, [0064], salt is provided to the client server from the authentication server); 
salting and hashing the user identifier on record with the entity to produce an entity salted and hashed user identifier (Fox, [0065], salt is combined with the sensitive information before applying the hash function); 
sending the entity salted and hashed user identifier to the trusted partner (Fox, [0066], client server submits the hash information to the authentication server); and 
receiving an indication from the trusted partner that the entity salted and hashed user identifier matches a trusted salted and hashed user identifier (Fox, [0070]-[0071], authentication server transmits a result of the match to client server).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include salting and hashing the user identifier to be used for validating by the trusted partner as taught by Fox for the benefit of improving remote identity verification by protecting user sensitive information from malicious third parties (Fox, [0003]).
The modified Srinivasan does not disclose, however, Itzhaki teaches or suggests: sending a hash function (Itzhaki, [0013]). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include the trusted partner sending a hash function to the entity as taught or suggested by Itzhaki in order to ensure that both parties are utilizes the same hash function as suggested by Itzhaki ([0013]).
Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Trelin, U.S. Publication No. 20190266314, in view of Hart, U.S. Publication No. 20210056562, in view of Gharabegian, U.S. Publication No. 20180268056, and further in view of in view of Zhao, CN 106982193.
As per claim 10, Trelin discloses: a computer implemented method for authenticating a user identity for a user, the method comprising: 
receiving, by a registration entity, user non-sensitive personally identifying information (Trelin, [0083]-[0084], user enters email address (i.e., non-sensitive PII)); 
determining a risk score for the user non-sensitive personally identifying information according to a risk evaluation analysis, wherein the risk score is determined according to an artificial intelligence-based risk analyzer (Trelin, [0086] and [0095], a score is determined based on the email verification by the identification processing 631, [0066], wherein artificial intelligence is used to determine the risk score that represents the risk from the respective information that the person is who he or she asserts to be and 
authenticating the user if the risk score, when compared to a risk score criteria, indicates a low risk that a person attempting to register is not the user (Trelin, [0086] and [0095], user is authenticated if the score indicates sufficient confidence that the person is who he/she is, [0094], wherein the risk score is compared to a confidence threshold (i.e., risk score criteria)).
Trelin does not disclose, however, Hart teaches or suggests: wherein only non-sensitive personally identifying information is exchanged between the entity and the third-party risk analyzer (Hart, [0048], PII is exchanged between ID verification engine 230 and electronic verification system 235 to verify user’s identity, [0046], wherein the PII includes non-sensitive PII such as user’s email address, password, phone number, date of birth, and address).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Trelin to include only exchanging non-sensitive PII as taught by Hart for the benefit of not exposing the user’s sensitive PII which would be more detrimental to the user if obtained by malicious actors.
While the modified Trelin teaches an artificial intelligence-based risk analyzer to determine the risk of authenticating a user from their PII (Trelin, [0066]), the modified Trelin does not disclose it being of a third party. However, Gharabegian teaches or suggests: a third party artificial intelligence software hosted on remote servers to be utilized to perform processing or actions (Gharabegian, [0063], “artificial intelligence and/or machine learning software may not need to be stored on an intelligent shading system 300 and/or third party artificial intelligence and/or machine learning software hosted on remote servers may be utilized to perform this processing or these actions”). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include using a third party artificial intelligence software hosted on remote servers as taught by Gharabegian for benefit of offloading processing power (Gharabegian, [0063]).
Trelin does not specify adjusting the threshold value based upon previous registration attempts. Zhao discloses adjusting a threshold value utilized to determine whether a current registration attempt should be permitted or refused such that the threshold adjustment is performed based upon altering comparison criteria to include comparison of password portions included in previous registration attempts over a period of time (Page 8, last two full paragraphs & Page 7: Comparison would look for similar password seeds such as “abcdef” in registration attempts the include “abcdef001” and “abcdef002”), which meets the limitation of updating a risk score criteria to change a threshold risk score to identify low risk and high risk authentication in response to changes in information comprising previous registration attempts. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the threshold utilized in the modified Trelin to have been adjustable based on previous registration information in order to provide threat detection with improved reliability as suggested by Zhao (Page 8, last full paragraph – Page 9, first full paragraph).
As per claim 11, claim 10 is incorporated and the modified Trelin discloses: requesting additional information from the user if the risk score indicates a high risk that the person attempting to register is not the user (Trelin, [0087], “approve/deny rules 632 may tell identification processing 631 whether to perform another identity check. When the approve/deny rules 632 determine that a critical point is reached (the point when the identity of the person can be authenticated), the approve/deny rules 632 may communicate with the client 630 (1) pass, (2) fail, or (3) more information needed in order to authenticate the identity of the person”).
Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Trelin, U.S. Publication No. 20190266314, in view of Hart, U.S. Publication No. 20210056562, in view of Gharabegian, U.S. Publication No. 20180268056, in view of in view of Zhao, CN 106982193, and further in view of Benayed, U.S. Publication No. 2018/0343246.
As per claim 12, claim 11 is incorporated and the modified Trelin does not disclose, however, Benayed teaches or suggests: generating a personal registration code (Benayed, [0029], registration code is generated by authentication server); and 
sending the personal registration code to the user through a secondary channel (Benayed, [0029], registration code is sent through secure email address).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include generating a registration code, sending the registration code to the user via email, and authenticating the user using the registration code as taught by Benayed for the benefit of enhancing secure authentication of the user by requiring the user to be in possession of the unique registration code in addition to the password/biometric when authenticating (Benayed, [0029]).
As per claim 13, claim 12 is incorporated and the modified Trelin does not disclose, however, Benayed teaches or suggests: wherein the secondary channel comprises one of an e-mail and a phone number (Benayed, [0029], registration code is sent through secure email address).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include generating a registration code, sending the registration code to the user via email, and authenticating the user using the registration code as taught by Benayed for the benefit of enhancing secure authentication of the user by requiring the user to be in possession of the unique registration code in addition to the password/biometric when authenticating (Benayed, [0029]).
As per claim 14, claim 12 is incorporated and the modified Trelin does not disclose, however, Benayed teaches or suggests: authenticating the user upon successful use of the personal registration code (Benayed, [0029], user is authenticated after successful use of registration code and user-created password or biometrics).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include generating a registration code, sending the registration code to the user via email, and authenticating the user using the registration code as taught by Benayed for the benefit of enhancing secure authentication of the user by requiring the user to be in possession of the unique registration code in addition to the password/biometric when authenticating (Benayed, [0029]).
Claims 15, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Trelin, U.S. Publication No. 20190266314, in view of Hart, U.S. Publication No. 20210056562, in view of Gharabegian, U.S. Publication No. 20180268056, in view of in view of Zhao, CN 106982193, and further in view of Livesay, U.S. Publication No. 2016/0269379. 
As per claim 15, claim 11 is incorporated and the modified Trelin does not disclose, however, Livesay teaches or suggests: presenting the user with a query of at least one knowledge based authentication (KBA) question (Livesay, [0167], presenting user with three KBA questions and authenticating the user based on the correct answers to the three KBA questions); and 
authenticating the user when the user successfully answers the at least one KBA question (Livesay, [0167], presenting user with three KBA questions and authenticating the user based on the correct answers to the three KBA questions).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include authenticating the user using three KBA questions as taught by Livesay for the benefit of enhancing secure authentication of the user by requiring the user to know more information before being authenticated (Livesay: [0167]).
As per claim 16, claim 15 is incorporated and the modified Trelin does not disclose, however, Livesay teaches or suggests: wherein the at least one KBA question comprises at least three KBA questions and the authenticating is performed only if the user successfully answers the at least three KBA questions (Livesay, [0167], presenting user with three KBA questions and authenticating the user based on the correct answers to the three KBA questions).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Trelin to include authenticating the user using three KBA questions as taught by Livesay for the benefit of enhancing secure authentication of the user by requiring the user to know more information before being authenticated (Livesay: [0167]).
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, U.S. Publication No 20130086657, in view of Trelin, U.S. Publication No. 20190266314, in view of Gharabegian, U.S. Publication No. 20180268056, and further in view of Zhao, CN 106982193.
As per claim 17, Srinivasan discloses: a computer implemented method for proving identity when registering for a service provided by an entity, comprising: 
presenting, by the entity, options for registering for the service to a user (Srinivasan, Fig. 7), wherein the options comprise a first option of validating a user identity through a trusted partner and a second option of validating the user identity through receipt of personal identifying information from the user (Srinivasan, [0024], [0066], and Fig. 7, an application/NPR (i.e., entity) displays options to a user to validate their identity for registration, wherein the options include radio buttons that allow a user to validate via a particular identity provider (i.e., trusted partner), or an option to input PII, e.g., name and email address information (see [0059])); and 
validating the user identity for the service responsive to successful completion of the first option or the second option (Srinivasan, [0066], user is validated through successfully authenticating via a particular identity provider).
Srinivasan does not explicitly disclose, however, Trelin teaches or suggests: applying an artificial intelligence-based risk analysis evaluation to the personal identifying information to generate a risk score and validating the user if the risk score, when compared to a risk score criteria, indicates a low risk that a person attempting to register is not the user (Trelin, [0083]-[0084], user enters email address and other personal identification information during enrollment/registration, [0066], artificial intelligence is used to determine a risk score that represents the risk from the respective information that the person is who he or she asserts to be, [0094], score (i.e., risk score) is determined after identity check, wherein the risk score is compared to a confidence threshold (i.e., risk score criteria), wherein a high risk score indicates that the person is who he or she asserts to be in order to approve the person for enrolment). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include applying artificial intelligence to the user’s personally identifying information for authenticating the user’s identity as taught by Trelin in order to provide and accurate and flexible means of proving that the requesting user is who they claim to be as suggested by Trelin ([0053] & [0066] & [0077]).
While the modified Srinivasan teaches an artificial intelligence-based risk analysis evaluation to determine the risk of authenticating a user from their PII (Trelin, [0066]), the modified Srinivasan does not disclose it being of a third party. However, Gharabegian teaches or suggests: a third party artificial intelligence software hosted on remote servers to be utilized to perform processing or actions (Gharabegian, [0063], “artificial intelligence and/or machine learning software may not need to be stored on an intelligent shading system 300 and/or third party artificial intelligence and/or machine learning software hosted on remote servers may be utilized to perform this processing or these actions”). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include using a third party artificial intelligence software hosted on remote servers as taught by Gharabegian for benefit of offload processing power (Gharabegian, [0063]).
Srinivasan, as modified by Trelin, does not specify adjusting the threshold value based upon previous registration attempts. Zhao discloses adjusting a threshold value utilized to determine whether a current registration attempt should be permitted or refused such that the threshold adjustment is performed based upon altering comparison criteria to include comparison of password portions included in previous registration attempts over a period of time (Page 8, last two full paragraphs & Page 7: Comparison would look for similar password seeds such as “abcdef” in registration attempts the include “abcdef001” and “abcdef002”), which meets the limitation of updating a risk score criteria to change a threshold risk score to identify low risk and high risk authentication in response to changes in information comprising previous registration attempts. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the threshold utilized in the modified Srinivasan to have been adjustable based on previous registration information in order to provide threat detection with improved reliability as suggested by Zhao (Page 8, last full paragraph – Page 9, first full paragraph).
Claims 18, 19, are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, U.S. Publication No 20130086657, in view of Trelin, U.S. Publication No. 20190266314, in view of Gharabegian, U.S. Publication No. 20180268056, in view of Zhao, CN 106982193, and further in view of Kim, U.S. Publication No. 20110307381.
As per claim 18, claim 17 is incorporated and the modified Srinivasan discloses: 
receiving, by the entity, user data from the trusted partner responsive to the user logging into a page on the trusted partner (Srinivasan, [0028]-[0029], identity data is retrieved from an identity provider in response to successful logging into the identity provider); and 
validating the user identity for the service (Srinivasan, [0028], “the user may log in to an application using login credentials for the user's Facebook identity”).
The modified Srinivasan does not disclose, however, Kim teaches or suggests: 
validating the user identity responsive to a determination that a user identifier from the trusted partner matches a user identifier on record with the entity (Kim, [0095] and [0097], a universally unique identifier (UUID) is received from the trusted third party after successful authentication with the trusted third party, [0097], user identity is validated responsive to a determination that the UUID from the trusted third party matches a previously stored UUID).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include validating the user identity using a user identifier from the trusted partner matching a user identifier on record as taught by Kim for the benefit of validating a user based on a non-sensitive user identifier that is trusted, as opposed to exposing private information (e.g., credit card) which prevents malicious actors from obtaining user sensitive personal identifying information in the validation process (Kim, [0005]).
As per claim 19, claim 18 is incorporated and the modified Srinivasan discloses: populating entity user data for the service according to the user data received from the trusted partner responsive to successfully validation of the user identity (Srinivasan, [0028]-[0029], responsive to successful user log in to the application using login credentials for the user’s Facebook identity, identity information gathered can be used to automatically fill out (i.e., populate) a portion of a form).
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan, U.S. Publication No 20130086657, in view of Trelin, U.S. Publication No. 20190266314, in view of Gharabegian, U.S. Publication No. 20180268056, in view of Zhao, CN 106982193, and further in view of Hart, U.S. Publication No. 20210056562.
As per claim 20, claim 17 is incorporated and the modified Srinivasan does not disclose, however, Trelin teaches or suggests: receiving user non-sensitive personally identifying information (Trelin, [0083]-[0084], user enters email address (i.e., non-sensitive PII)); 
determining an additional risk score for the user non-sensitive personally identifying information according to the risk evaluation analysis, wherein the risk score is determined according to a third-party risk analyzer (Trelin, [0086] and [0095], a score is determined based on the email verification by the identification processing 631, [0116], identification processing 631 is implemented as a separate computing device (i.e., third-party risk analyzer)); and 
authenticating the user if a combined risk score indicates a low risk that a person attempting to register is not the user (Trelin, [0086] and [0095], user is authenticated if the score indicates sufficient confidence that the person is who he/she is).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include receiving non-sensitive PII from the user and authenticating the user based on a score for the received non-sensitive PII as taught by Trelin because validating the non-sensitive PII makes sure that the obtained user information is sufficient to positively identify that the person is who the person claims to be (Trelin, [0005]).
The modified Srinivasan does not disclose, however, Hart teaches or suggests: wherein only non-sensitive personally identifying information is exchanged between the entity and the third-party risk analyzer (Hart, [0048], PII is exchanged between ID verification engine 230 and electronic verification system 235 to verify user’s identity, [0046], wherein the PII includes non-sensitive PII such as user’s email address, password, phone number, date of birth, and address).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Srinivasan to include only exchanging non-sensitive PII as taught by Hart for the benefit of not exposing the user’s sensitive PII which would be more detrimental to the user if obtained by malicious actors.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 5712724063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BENJAMIN E LANIER/          Primary Examiner, Art Unit 2437