Ziv, Aran et al.
Patent Trials and Appeals Board
Feb 19, 2020
11434818 - (D) (P.T.A.B. Feb. 19, 2020)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 11/434,818
FILING DATE: 05/17/2006
FIRST NAMED INVENTOR: Aran Ziv
ATTORNEY DOCKET NO.: 10519/1201 (MSA-0918-US)
CONFIRMATION NO.: 5636
67813 7590 02/19/2020
BGL/ P.O. BOX 10395 CHICAGO, IL 60610
EXAMINER: NILFOROUSH, MOHAMMAD A
ART UNIT: 3685
MAIL DATE: 02/19/2020
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________________
Ex parte ARAN ZIV and MORDECHAI TEICHER
____________________
Appeal 2019-000520
Application 11/434,818
Technology Center 3600
____________________

Before JOSEPH L. DIXON, JOHN A. EVANS, and JUSTIN BUSCH, Administrative Patent Judges.

BUSCH, Administrative Patent Judge.

DECISION ON APPEAL

Pursuant to 35 U.S.C. § 134(a), Appellant[1] appeals from the Examiner’s decision to reject claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85, which constitute all the claims pending in this application. We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM.

[1] We use the word Appellant to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as SanDisk IL Ltd. Appeal Br. 2.

CLAIMED SUBJECT MATTER

Appellant’s disclosure “relates to a hardware token for authenticating a transaction over a communication network.” Spec. 1:4–15. More
specifically, embodiments of Appellant’s claimed invention relate to peripheral devices (e.g., a hardware token) and methods that generate outputs (e.g., an audio or visual signal intended to prompt a user to provide input via a user interface (e.g., a keyboard) on a host), receive a report from the host regarding the user input, confirm the user is interacting with the host in person based on receiving the report and determining the report was received within a predetermined time period, and generate an authentication token. Spec. 12:13–13:2, 14:13–15:3, 17:15–18:21, 20:3–21:2, Figs. 1–2A, 5.

Claim 38, which is representative of the claimed subject matter, recites:

38. A method of confirming by a peripheral device, which is operationally connected to a host, that a user is interfacing with the host in person, the method comprising:
    determining, based on communicating with the host, that the peripheral is to confirm that the user is interfacing with the host in person in order for the peripheral device to generate an authentication token;
    in response to determining that the peripheral device is to confirm that the user is interfacing with the host in person, generating at least one output at a peripheral device-user output on the peripheral device;
    receiving a report from the host on user input that is input via the host;
    determining that the report was received within a predetermined time since generating the at least one output;
    confirming, in response to the received report and in response to determining that the report was received within the predetermined time since generating the at least one output, that the user is interfacing with the host in person; and
    in response to confirming that the user is interfacing with the host in person:
        generating the authentication token; and
        sending, to the host, the authentication token in order to authenticate a transaction between the host and a third-party computing device.

REJECTIONS

Claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85 stand rejected under 35 U.S.C. § 112, first paragraph, for failing to provide written description support for the claimed subject matter. Final Act. 4–6.

Claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85 stand rejected under 35 U.S.C. § 112, second paragraph, as indefinite. Final Act. 6–7.

Claims 38–40, 45–47, 52–55, 58–63, 67–73, and 79–85 stand rejected under 35 U.S.C. § 103 as obvious in view of Holdsworth (US 2005/0033702 A1; Feb. 10, 2005), Ortiz (US 2002/0091937 A1; July 11, 2002), and Emigh (US 8,112,483 B1; Feb. 7, 2012). Final Act. 8–12.

Claims 44, 49, 57, 65, 75, and 78 stand rejected under 35 U.S.C. § 103 as obvious in view of Holdsworth, Ortiz, Emigh, and Simmons (US 8,473,336 B1; June 25, 2013). Final Act. 12–13.

ANALYSIS

We have reviewed the Examiner’s rejections in light of Appellant’s arguments that the Examiner erred. In reaching this decision, we have considered all evidence presented and all arguments Appellant made. Arguments Appellant could have made, but chose not to make in the Briefs, are deemed waived. See 37 C.F.R. § 41.37(c)(1)(iv).

THE 35 U.S.C. § 112, FIRST PARAGRAPH, REJECTIONS

The Examiner rejects claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85 under 35 U.S.C. § 112, first paragraph, as lacking written description support. Final Act. 4–5. In particular, the Examiner finds insufficient written description support for “generate the authentication token,” as recited in independent claims 38, 45, 61, and 71. Final Act. 4–5.
The Examiner also finds insufficient written description support for “determining that the report was received within a predetermined time since generating the at least one output [on the peripheral device]” (the “determining receipt” limitation), as recited in independent claim 38 and commensurately recited in independent claims 45, 61, and 71. Final Act. 5. The Examiner also rejects the dependent claims because each dependent claim incorporates these limitations via their dependency from one of independent claims 38, 45, 61, and 71. Final Act. 6.

To satisfy the written description requirement, the disclosure must reasonably convey to an ordinarily skilled artisan that Appellant possessed the claimed invention as of the filing date. See Ariad Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351 (Fed. Cir. 2010) (en banc). Specifically, “the description must ‘clearly allow persons of ordinary skill in the art to recognize that [the inventor] invented what is claimed,’” and “the specification must describe an invention understandable to that skilled artisan and show that the inventor actually invented the invention claimed.” Ariad Pharms., Inc., 598 F.3d at 1351. Additionally, the Examiner has the initial burden of presenting evidence or reasons why persons skilled in the art would not recognize in an applicant’s disclosure a description of the invention defined by the claims. In re Wertheim, 541 F.2d 257, 265 (CCPA 1976).

Regarding the rejection of “generating an authentication token,” the Examiner finds the Specification describes existing authentication tokens (e.g., authentication token 112 depicted in Figure 1) and further describes the existing authentication tokens generating authentication token data, but the Specification fails to describe generating the authentication token itself. Final Act. 4–5; Ans. 4–5.
The Examiner also finds the Specification explicitly discloses that the token is a device (e.g., a smart card, USB key, or expansion card) that may be “a standalone device, or form part of another device such as a USB flash memory disk.” Ans. 5 (quoting Spec. 4:1–5). Based on the Specification’s definition of a token, the Examiner finds “the limitation would require generating a portable device,” which the Specification does not support. Ans. 5.

Appellant points to the Specification’s disclosure that a token may include authentication data. Appeal Br. 8. Appellant notes the Examiner acknowledges there is support for generating authentication token data. Appeal Br. 8 (citing Spec. 4:1–5). Without further explanation, Appellant concludes the Specification supports generating an authentication token. Appeal Br. 8.

Appellant does not dispute that the recited authentication token is a physical device. Instead, Appellant argues support for generating token data included in a token supports generating the token itself. But written description support for generating data based on an existing token does not support generating the token itself. Appellant’s argument is similar to arguing that a specification describing calculator functions supports generating the calculator itself simply because the specification describes generating a sum of two numbers. Accordingly, we are not persuaded by Appellant’s assertion. As the Examiner explains, and Appellant does not dispute, the Specification describes a token as a physical device. Spec. 4:1–2; see also Spec. 15:20–17:5 (describing authentication token 112 as being “disconnected and . . . inaccessible to host 150” or as “disabled”), 17:4–6 (describing a goal of the invention as protecting an owner from “unnoticed false transactions made by malicious program 160 activating authentication token 112 on his or her behalf”).
The token may be a standalone device, or the token may “form part of another device such as a USB flash memory disk.” Spec. 4:4–5. On the other hand, the Specification describes that the existing token “generates token authentication data only if the token detects a prescribed human action.” Spec. 8:9–10. Therefore, we find the Examiner sufficiently explains why an ordinarily skilled artisan would understand the Specification to describe (1) generating authentication token data but not (2) generating the “authentication token” itself.

On the other hand, we are persuaded the Examiner erred in finding the Specification does not support the determining receipt limitation. Among other things, the Examiner finds the Specification supports: (1) “that an actual authentication operation will take place within a predetermined time interval”; (2) instantly reporting “whenever a key is pressed”; (3) confirming a person’s presence “only if each report is received by the peripheral device substantially synchronously with the generation of the corresponding output by the host”; (4) “[r]eceipt of these reports substantially synchronously with the generation of the corresponding signals constitutes detection by the token of the prescribed human action”; and (5) “pressing a key within a second after hearing a signal is synchronous with the signal, whereas pressing a key twenty seconds after hearing a signal is not synchronous with the signal.” Final Act. 5; Ans. 4 (citing Spec. 9:21–10:8). The Examiner finds these disclosures support “‘synchronously’ or ‘within normal human reaction time,’” but not the determining receipt limitation. Final Act. 5. More specifically, the Examiner finds the Specification discloses determining the report was received within a time after “hearing a signal,” which is different than a determination within “a predetermined time since generating the at least one output.” Ans. 4.

Appellant points to the same section of the Specification to which the Examiner refers and asserts the Specification supports the determining receipt limitation. Appeal Br. 7–8 (citing Spec. 9:21–10:8). Appellant argues the disclosure of pressing a key within one second being considered synchronous with the signal is one example that supports the determining receipt limitation. Appeal Br. 8. Appellant argues the Examiner’s distinction between the Specification’s disclosed time period “after hearing a signal” and the recited predetermined time period “since generating the at least one output” ignores the disclosed context in which the signals are generated. Reply Br. 2 (citing Spec. 9:11–20).

The Specification describes embodiments involving a user’s direct interaction with the token. Spec. 9:11–20. One exemplary action includes disconnecting and reconnecting the token, then “manipulating a (minimal) user interface with which the token has been configured.” Spec. 9:12–16. Alternatively, the Specification discloses a user’s indirect interaction with the token—i.e., “mediated by the host rather than being directly with the token.” Spec. 9:21–10:8. One disclosed exemplary indirect interaction includes the user pressing a key on the host keyboard “substantially synchronously with each of at least one signal.” Spec. 9:22–25. In such an embodiment, “the host immediately reports receipt of the input(s) to the token.” Spec. 10:2–3. The token detects the prescribed human action if the reports are received “substantially synchronously with the generation of the corresponding signals.” Spec. 10:3–5. The Specification explains that synchronicity is relative to human reaction times and provides the example that “pressing a key within a second after hearing the signal is synchronous with the signal, whereas pressing a key twenty seconds after hearing a signal is not synchronous with the signal.” Spec. 10:5–8.
The Specification also discloses an element that generates an audio and/or visual signal. Spec. 14:19–20, 17:18–20, Fig. 1. When the element generates the signal, the user must press a key on the user interface, such as a keyboard connected to the host. Spec. 20:7–10. An application on the host detects the user input (e.g., key press) and instantly reports the key press(es) to the token, whether a standalone device or part of another device. Spec. 20:4–6. Thus, the Specification indicates that a human hears the signal substantially at the same time as the signal is generated or output. Given this combination of disclosures in the Specification, we find a person of ordinary skill in the art would understand the inventor to have been in possession of the determining receipt limitation.

For the above reasons, we are persuaded the Examiner erred in determining the Specification lacks written description support for the determining receipt limitation. However, we agree with the Examiner that the Specification lacks written description support for the “generating the authentication token” limitation recited in independent claims 38, 45, 61, and 71 and incorporated into the dependent claims via their dependency from one of claims 38, 45, 61, and 71. Because we agree with one of the Examiner’s bases for rejecting the pending claims under 35 U.S.C. § 112, first paragraph, we sustain the Examiner's rejection under 35 U.S.C. § 112(a) of claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85.

THE 35 U.S.C. § 112, SECOND PARAGRAPH, REJECTION

The Examiner rejects claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85 under 35 U.S.C. § 112, second paragraph, as indefinite. Final Act. 7. In particular, the Examiner finds “the user input that is input via the host” (the “user input” limitation), recited in independent claims 38, 45, 61, and 71, is indefinite. Final Act. 7.
The Examiner also rejects the dependent claims because each dependent claim incorporates these limitations via their dependency from one of independent claims 38, 45, 61, and 71. Final Act. 7.

The Examiner finds the claims indefinite because the claims are directed only to a peripheral device or actions performed by a peripheral device. Final Act. 7; Ans. 5–6. The Examiner finds requiring steps that must be performed by the host renders the claim scope unclear. Final Act. 7; Ans. 5–6.

Appellant argues the user input limitation does not claim the step or act of inputting the user input via the host. Appeal Br. 9. Rather, Appellant asserts the user input limitation merely defines the content of the report the peripheral device receives. Appeal Br. 9; see also Reply Br. 3 (“The received report contains ‘x’ where x is information on user input that was input at the host.”).

On this record, we disagree with the Examiner. Appellant is correct that no actual step of entering user input via the host is claimed. See Appeal Br. 9; Reply Br. 3. Accordingly, the claims do not require an actual step of inputting user input via the host. Rather, the claims merely require that the peripheral device receives a report “on user input that is input via the host.” Although the user input limitation is broad, we disagree that this breadth renders the claims indefinite.[2] In addition to merely reciting the content of the report, we note the claim merely relates to “user input that is input via the host,” which is much broader than reciting user input that is directly input at the host.

For these reasons, we find the Examiner erred in rejecting claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85 as indefinite under 35 U.S.C. § 112, second paragraph.

[2] We leave to the Examiner to consider whether this broad language constitutes non-functional descriptive material. Based on that determination and other factors, we also leave to the Examiner to consider whether the user input limitation may patentably distinguish Appellant’s claim over prior art—i.e., whether prior art that teaches or suggests the claimed subject matter other than the user input limitation renders the claims obvious.

THE 35 U.S.C. § 103 REJECTIONS

The Examiner finds the combination of Holdsworth, Ortiz, and Emigh, or Holdsworth, Ortiz, Emigh, and Simmons teaches or suggests every limitation recited in claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85. Final Act. 8–13. Of particular relevance to this Appeal, the Examiner finds Holdsworth teaches or suggests “confirming . . . that the user is interfacing with the host in person.” Final Act. 8 (citing Holdsworth ¶¶ 116, 143, Fig. 9B). Specifically, the Examiner finds Holdsworth’s user terminal generates a cryptogram using a personal identifier (e.g., a PIN (personal identification number) or a biometric, such as a fingerprint) that the user must enter at a user terminal. Ans. 7–8 (“because the generation of the cryptogram, or the claimed authentication token, requires the user terminal to prompt the user for a PIN, biometric, or other personal identifier, it requires that the user terminal confirm that the user who is making the request to the authentication authority is physically present”), 11 (citing Holdsworth ¶¶ 38, 116, 133, 134, 137). The Examiner finds that, because the user enters the identifier at the user terminal in person, Holdsworth’s “user terminal confirms that the user is interfacing with the host in person.” Ans. 11–12 (emphasis added); see Ans. 8–9, 12–13.
Notably, the Examiner finds Holdsworth’s user terminal teaches or suggests the recited “peripheral device” and Holdsworth’s “authentication authority” teaches or suggests the recited “host.” See Ans. 7 (“Here, the user terminal performs the functions of the claimed peripheral, and communicates with the authentication authority, which performs the functions of the claimed host.”), 9 (“the functions of the claimed peripheral device are mapped to the user terminal of Holdsworth, rather than the token of Holdsworth”).

Among other arguments, Appellant contends Holdsworth fails to teach or suggest determining whether the user is interfacing with the host in person, as recited in independent claim 38 and commensurately recited in independent claims 45, 61, and 71. Appeal Br. 20–23, 26–27. Appellant argues a user entering a PIN or other personal identifier fails to address the recited feature relating to confirming the personal presence of the user at the host. Appeal Br. 22; Reply Br. 5. Appellant contends Holdsworth’s authentication method merely verifies certain factors (e.g., a PIN or a fingerprint), but does not confirm the user is interfacing with the host in person. Appeal Br. 22. Appellant argues the Background of the Specification provides context that highlights Holdsworth’s deficiencies with respect to the claimed user presence confirmation. Appeal Br. 22; Reply Br. 5 (citing Spec. 1–3).

Appellant’s invention relates to closing a loophole in conventional authentication tokens that malicious programs may exploit. Spec. 1:14–3:24. In the context of Appellant’s invention, an authentication token (or just “token”) is a standalone portable device (e.g., a smart card or USB key) or a part of another device (e.g., a USB memory flash disk) “that includes data and/or processing power for authenticating a unique identity associated with the device.” Spec. 4:1–5.
A host is a computing device (e.g., desktop or laptop computers, cell phones, or handheld computers) for executing transactions with a provider or server (e.g., a merchant or financial institution). Spec. 4:6–9. A malicious program is software fraudulently installed on a host that generates fraudulent transactions through false authentications. Spec. 5:13–15. The malicious program may be able to (1) intercept authentication factors (e.g., a PIN, password, or fingerprint) entered via devices (e.g., a keyboard or fingerprint reader) connected to the host and (2) access a token connected to the host. Spec. 5:15–18.

A conventional token may be issued by a provider, such as a financial institution. Spec. 2:1. When connecting the conventional token to a host, the token sends authentication data to the provider’s server, which then validates the token’s authenticity (i.e., “authenticates the token”). Spec. 2:1–6. Although such a procedure authenticates the token itself, this conventional process does not authenticate that the token’s owner is using the token. Spec. 2:6–7. The server may authenticate the token even if the token is in someone else’s possession (i.e., the token was lost or stolen) or if a malicious program is operating the token and generating false transactions. Spec. 2:7–11.

Conventional tokens use multi-factor authentication to overcome the problem of lost or stolen tokens. Spec. 2:11–14. Multi-factor authentication requires, in addition to possession of the token, at least one other authentication factor, such as a password, PIN, or biometric (e.g., fingerprint or retinal scan). Spec. 2:12–14. However, multi-factor authentication does not necessarily prevent a malicious program from generating false transactions without the token owner’s knowledge or authorization.
A malicious program may intercept a PIN or other second authentication factor entered via the host and reuse that information to activate false transactions using the token when it is connected to the host. Spec. 2:15–20. Incorporating an input interface into the token itself (and requiring the input from that device) may prevent such problems but requires a bulkier and more expensive token to incorporate such an interface. Spec. 2:23–3:2. Another solution is to require entry of a code that only a human can read. Spec. 3:3–6. However, certain malicious programs may intercept this code and send it to a human at a remote location to enter the information. Spec. 3:6–8.

Appellant’s invention protects a token from malicious programs without incorporating a biometric or keyboard input interface into the token by requiring a human action that can be performed only when the user is present near the host and the token. Spec. 3:16–24, 5:19–25, 6:7–10. In other words, “the focus of the present invention is on confirming that a human operator is actually present and in control, for preventing a malicious program from operating a token by itself.” Spec. 21:10–12. The invention’s goal solves the same problem that incorporating a keypad and/or biometric scanner into the token would address without making the token bulkier or more expensive. Spec. 6:11–15.

The claims recite, in relevant part, “confirming . . . that the user is interfacing with the host in person.” As noted above, the Examiner finds Holdsworth’s user terminal teaches or suggests the claimed peripheral device and Holdsworth’s authentication authority teaches or suggests the claimed host. See, e.g., Ans. 7. Therefore, in order to teach or suggest the confirming limitation, Holdsworth, alone or in combination with other prior art, must teach or suggest confirming that the user is interfacing with Holdsworth’s authentication authority in person.

On this record, the Examiner’s findings are problematic. The Examiner does not find the additionally cited references modify Holdsworth with respect to the confirming limitation, so we look only to the Examiner’s findings regarding Holdsworth’s teachings with respect to the confirming limitation. The Examiner finds Holdsworth teaches confirming the user is interacting with the host in person because the user enters a PIN at Holdsworth’s user terminal. Final Act. 8 (citing Holdsworth ¶¶ 116, 143, Fig. 9B); Ans. 11–12 (citing Holdsworth ¶¶ 38, 116, 133, 134, 137). The Examiner also finds Holdsworth’s user interfaces with the authentication authority because the authentication authority sends a request message to the user terminal in response to a user-initiated transaction. Ans. 7; see Ans. 11–12.

The Examiner-cited portions of Holdsworth support findings that (1) a user is interfacing with the user terminal in person and (2) a user is interfacing with the authentication authority. However, given the Examiner’s mappings, the Examiner has failed to demonstrate that Holdsworth teaches or suggests a user interfacing with the authentication authority in person, as required by the claims.

For these reasons, we are constrained by the record to reverse the Examiner’s rejection of independent claims 38, 45, 61, and 71 under 35 U.S.C. § 103. For the same reason, we must reverse the Examiner’s rejections of all pending dependent claims, which incorporate the confirming limitation by their ultimate dependency from one of independent claims 38, 45, 61, and 71.

CONCLUSION

We sustain the Examiner’s decision to reject claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85 as failing to comply with the written description requirement under 35 U.S.C. § 112, first paragraph.

We reverse the Examiner’s decision to reject claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85 as indefinite under 35 U.S.C.
§ 112, second paragraph.

We reverse the Examiner’s decision to reject claims 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, and 78–85 under 35 U.S.C. § 103.

DECISION SUMMARY

| Claims Rejected | 35 U.S.C. § | References/Basis | Affirmed | Reversed |
|---|---|---|---|---|
| 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, 78–85 | 112, first paragraph | Written Description | 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, 78–85 | |
| 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, 78–85 | 112, second paragraph | Indefinite | | 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, 78–85 |
| 38–40, 45–47, 52–55, 58–63, 67–73, 79–85 | 103 | Holdsworth, Ortiz, Emigh | | 38–40, 45–47, 52–55, 58–63, 67–73, 79–85 |
| 44, 49, 57, 65, 75, 78 | 103 | Holdsworth, Ortiz, Emigh, Simmons | | 44, 49, 57, 65, 75, 78 |
| Overall Outcome | | | 38–40, 44–47, 49, 52–55, 57–63, 65, 67–73, 75, 78–85 | |

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED