Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
	112(b) rejections of claims 7-8 are overcome by amendment.

Response to Arguments 
Applicant’s arguments, see pg. 9-12, filed 9/8/2022, with respect to the rejection(s) of claim(s) 1, 9, and 17 under U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Be’ery et al. (US 2022/0303122), Blinn (US 9,871,791 B2), Hayton (US 9,628,448 B2), and Gibbs et al. (US 6,085,321 A).

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 17-18 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Be’ery et al. (US 2022/0303122 A1) with an effective filing date of 8/2/2019.

Regarding claim 17, Be’ery discloses a method comprising: 
communicating (Fig. 2B #21, [0045] “the first computer network 21 (A)”), by a first user device (Fig. 2B “C1”), with a cloud authenticator (Fig. 2B “S”) to generate a primary first credential portion (Fig. 2B “A1C1”) and a primary second credential portion associated with a user account at the cloud authenticator; (Fig. 2B “A1S”)
receiving, by the first user device, the primary first credential portion; (Fig. 2C #211 “A1C1”, [0049] “the first computing device 201 (C1)… may control, for instance store at a dedicated memory or be in possession of, the first portion ‘A1C1’ of the first cryptographic key 211”)
participating in a signing protocol with the cloud authenticator to generate a signature based at least in part on the primary first credential portion and the primary second credential portion; (Fig. 2B #211 “A1”; Fig. 2C #211)
at least partly in response to generating the signature, accessing an online service by the first user device; ([0050] “the server 203 (S) may enforce the exchange… using the portions controlled...”)
to indicate consent by the first user device for a second user device to be granted a secondary first credential portion; ([0050] “the server 203 (S), may prevent data exchange by each computing device of their original keys, unless the exchange is mutual and the server 203 (S) is involved.”)
and communicating with the second user device and the cloud authenticator to generate a secondary first credential portion and a secondary second credential portion associated with the user account at the cloud authenticator. (Fig. 2B #22,212 “B1: (B1C2, B1S)”)

Regarding claim 18, Be’ery discloses the method of claim 17, wherein the signing protocol comprises a threshold signature signing protocol and the signature comprises a threshold signature. ([0042] “ECDSA”, “EdDSA”, “Schnorr”, “threshold signature address”)


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claims 1 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Be’ery et al. (US 2022/0303122 A1) in view of Blinn (US 9,871,791 B2), Hayton (US 9,628,448 B2), and further in view of Gibbs et al. (US 6,085,321 A), hereinafter, Be’ery, Blinn, Hayton and Gibbs.

	Regarding claim 1, Be’ery discloses a computer-implemented method comprising: 
registering, by a cloud authenticator (Be’ery, Fig. 2C #203 “Server”), a first user device with a user account of a user, (Be’ery, Fig. 2C #201 “C1”; [0046]) the registering comprising participating in trustless generation of (Be’ery, Fig. 2C #211 “A1C1”) and a primary second credential portion retained by the cloud authenticator; (Be’ery, Fig. 2C #211 “A1S”)
registering, by the cloud authenticator (Be’ery, Fig. 2C #203 “Server”), a second user device with the user account of the user, the registering comprising generating a secondary first credential portion based at least in part on the primary first credential portion and (Be’ery, Fig. 2C #212 “B1C2”) generating a secondary second credential portion based at least in part on the primary second credential portion; (Be’ery, Fig. 2C #212 “B1S”) 
responsive to the first request, generating a first signature by participating in a first signing protocol between the cloud authenticator and the first user device, the first signature based at least in part on the primary first credential portion, the primary second credential portion (Be’ery, Fig. 2B #211 “A1”, [0045] “first threshold signature address ‘A1’”)
and responsive to the second request, generating a second signature by participating in a second signing protocol between the cloud authenticator and the second user device, the second signature based at least in part on the secondary first credential portion, the secondary second credential portion (Be’ery, Fig. 2B #212 “B1”, [0045] “second threshold signature address ‘B1’”)
It is noted, the “registering” in claim 1 is limited to the “trustless generation” of credential portions. In this case, Be’ery discloses a method for which addresses belonging to user devices in a blockchain network can be exchanged for transactions. The server of Be’ery is analogous to the “cloud authenticator” since it both participates in trustless generation of threshold signature address portions (credentials) and facilitates transactions (online service). 
Be’ery fails to teach receiving, at the cloud authenticator and from the first user device, a first request to authenticate the user account to an online service; 
the first signature based at least in part on a credential identifier (ID) for the online service; 
providing, by the cloud authenticator, the first signature to a remote device associated with the online service to authenticate the user account to the online service; 
receiving, at the cloud authenticator and from the second user device, a second request to authenticate the user account to the online service; 
the second signature based at least in part on the credential ID for the online service. 

Blinn teaches receiving, at the cloud authenticator and from the first user device, a first request to authenticate the user account to an online service; (Fig. 3 #300 “Receive transmission from 1st client with authentication credential”)
receiving, at the cloud authenticator and from the second user device, a second request to authenticate the user account to the online service; (Fig. 3 #310, “Receive transmission from 2nd client with at least one additional credential”)
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Be’ery to incorporate the teachings of Blinn to include receiving, at the cloud authenticator and from the first user device, a first request to authenticate the user account to an online service and receiving, at the cloud authenticator and from the second user device, a second request to authenticate the user account to the online service. Such modification(s) would be motivated to address the weakness in two-factor authentication systems where two factors are entered into the same source. (Blinn, Col. 3 ln. 35-39)

Hayton teaches providing, by the cloud authenticator (Fig. 6 “Access Gateway”), the first signature to a remote device associated with the online service (Fig. 6 “Auth. Service”) to authenticate the user account to the online service; (Fig. 6 #603, Col. 26 ln. 24-39)
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Be’ery in view of Blinn to incorporate the teachings of Hayton to include providing, by the cloud authenticator, the first signature to a remote device associated with the online service to authenticate the user account to the online service. Such modifications would be motivated to validate a user with a set of authentication credentials. (Hayton, Col. 25 ln. 58-59)

Gibbs teaches a signature based at least in part on a credential identifier (ID) for an online service. (Gibbs, Fig. 1 #104, Col. 3 ln. 39-48)
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Be’ery in view of Blinn, and Hayton to incorporate the teachings of Gibbs to include the first and second signatures based at least in part on a credential identifier. Such modification(s) would be motivated to associate the signature with the online service or user.

	Regarding claim 2, Be’ery in view of Blinn, Hayton, and Gibbs disclose the method of claim 1 as set forth above, and wherein the first signature matches the second signature. (Blinn, Fig. 3 #320 “Verify user ID in database via match of 1st, 2nd, and 3rd credentials”)

	Regarding claim 3, Be’ery in view of Blinn, Hayton and Gibbs disclose the computer-implemented method of claim 1, 
wherein the primary first credential portion is retained by the first user device and is not available to the cloud authenticator during generation of the primary first credential portion, and the secondary first credential portion is retained by the second user device and is not available to the cloud authenticator during generation of the secondary first credential portion. (Be’ery, [0046] “each client or user of system 200, for instance the owner of the first computing device 201 (C1) and the owner of the second computing device 202 (C2), may control or be in possession of a vault and/or wallet (e.g., having an address), on at least one computer network, mutually controlled by two parties (each party or device controlling at least one portion), where the second portion is controlled by the server 203 (S) as provided by the threshold signature protocol and/or the MPC protocol.”)
It is noted, method claim 3 is similar to method claim 1. The term “trustless” is defined in the instant specification as “neither the user device 204 nor the cloud authenticator controls the generation process”.

	Regarding claim 4, Be’ery in view of Blinn, Hayton and Gibbs disclose the computer-implemented method of claim 3, 
wherein the first user device provides consent for the second user device to participate in generation of the secondary first credential portion prior to the generation of the secondary first credential portion (Be’ery, [0064] “To facilitate an exchange, in some embodiments, the first computing device 201 (C1) and the second computing device 202 (C2) may create a proposed transaction to transfer cryptocurrencies to the new address (e.g., use their portions of the cryptographic keys to unlock the addresses together) together with the consent of the server 203 (S)”)

	 Regarding claim 5, Be’ery in view of Blinn, Hayton and Gibbs disclose the computer-implemented method of claim 1, 
wherein trustless generation of the primary first credential portion and the secondary first credential portion comprises a generation process not controlled by the cloud authenticator and not controlled by the first user device, and further wherein the cloud authenticator does not have access to the primary first credential portion during the trustless generation and the first user device does not have access to the primary second credential portion during the trustless generation (Be’ery, [0046])
It is noted, method claim 5 is similar to method claim 3.

Regarding claim 7, Be’ery in view of Blinn, Hayton and Gibbs disclose the computer-implemented method of claim 1, further comprising:
selecting, by the cloud authenticator, the credential ID by participating in a registration protocol with the first user device to register with the online service.  (Gibbs, Col. 8 ln. 41-48)

Regarding claim 8, Be’ery in view of Blinn, Hayton, Ranellucci and Gibbs disclose the computer-implemented method of claim 1, further comprising: 
receiving, by the cloud authenticator, a signed copy of the credential ID, (Gibbs, Fig. 6, Col. 8 ln. 45-55)
wherein the generating the second signature in the second signing protocol comprises using the signed copy of the credential ID. (Gibbs, Fig. 1 #104, Col. 3 ln. 39-48)

	Apparatus claims 9-13 and 15-16 relate to the method claims 1-5 and 7-8. Therefore apparatus claims 9-13 and 15-16 are rejected on similar grounds as method claims 1-5 and 7-8 over Be’ery in view of Blinn, Hayton and Gibbs.

Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Be’ery in view of Blinn, Hayton and Gibbs, and in further view of Salajegheh et al. (WO 2020/101787 A1).

Regarding claim 6, Be’ery in view of Blinn, Hayton and Gibbs disclose the computer-implemented method of claim 1, but fail to disclose participating in an enrollment protocol with the first user device to generate the secondary first credential portion based at least in part on the primary first credential portion.
Salajegheh teaches participating in an enrollment protocol with the first user device to generate the secondary first credential portion based at least in part on the primary first credential portion. ([0185] “The authentication device 808 can obtain the token share and the other token share(s) by retrieving a first key share corresponding to the first assurance level and any other key share(s) corresponding to the any other token share(s). The authentication device 808 can then derive the token share corresponding to the first assurance level from the first key share. The authentication device 808 can then derive the any other token share(s) corresponding to the lower assurance levels from the any other key share(s).”)
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Be’ery in view of Blinn, Hayton and Gibbs to incorporate the teachings of Salajegheh to include participating in an enrollment protocol with the first user device to generate the secondary first credential portion based at least in part on the primary first credential portion. Such modifications would be motivated to improve the security of the derived key share.

	Apparatus claim 14 relates to the method of claim 6. Therefore, apparatus claim 14 is rejected on similar grounds as the method claim 6 over Be’ery in view of Blinn, Hayton, Gibbs and Salajegheh.

Claims 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Be’ery as applied to claims 17-18 above, and further in view of Gibbs.

Regarding claim 19, Be’ery discloses the method of claim 17, 
wherein the participating in the signing protocol further comprises generating the signature based at least in part on the primary first credential portion, the primary second credential portion.
Be’ery fails to disclose selecting, by the first user device and with the cloud authenticator, a credential identifier (ID) for the online service,
wherein the participating in the signing protocol further comprises generating the signature based at least in part on the credential ID.
However, Gibbs teaches selecting, by the first user device and with the cloud authenticator, a credential identifier (ID) for the online service, (Gibbs, Col. 7 ln. 41-48)
wherein the participating in the signing protocol further comprises generating the signature based at least in part on the credential ID. (Gibbs, Fig. 1 #103, Col. 3 ln. 39-48) 
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Be’ery in view of Blinn, and Hayton to incorporate the teachings of Gibbs to include the first and second signatures based at least in part on a credential identifier. Such modifications would be motivated to associate the signature with the online service or user.

Regarding claim 20, Be’ery in view of Gibbs discloses the method of claim 19, further comprising:
signing, by the first user device, a copy of the credential ID to create a signed credential ID; (Gibbs, Fig. 5 #516, Col. 8 ln. 1-4) 
and sending the signed credential ID to the cloud authenticator in association with the user account. (Gibbs, Fig. 6, Col. 8 ln. 45-55)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Li et al. (US 2020/0274713 A1) – Regarding verifying a requested credential of a credential owner and/or issuing a new credential through one or more credential service providers.
Pettit (GB 2594312 A) – Regarding holders of shares creating signature components dependent upon the message (MDC) and components independent of the message (MIC).
 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA NEIL GONZALES whose telephone number is (571)272-0286. The examiner can normally be reached 10:00 AM-2:00 PM; 3:00 PM-7:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
	





/J.N.G./Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496