DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination under 37 CFR 1.114
2. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/25/2021 has been entered. 

Response to Arguments
3. According to applicant's arguments filed on 01/25/2021, claims 1,3,11,12,14,22,24,25 and 30 have been amended; and claims 2 and 13 have been cancelled; hereby acknowledged.

4. Applicant’s arguments regarding 112(b) rejection have been fully considered but they are not persuasive. 

5. Applicant states that claims 3, 14 and 25 recite: “obtaining a random number from a set of numbers associated with a scale, comparing the random number from the set of numbers with a reference number, the reference number representing the request failure rate; and granting or denying access to the resources when the random number satisfies the comparison with the reference number.
 For example, when the request failure rate is 10% (i.e., 10% of requests should be denied and 90% of requests should be allowed), the method includes obtaining a random number (suppose, 
The reference number representing the request failure rate (it could be 10%, 90%, 97%).
Comparing the random number with the reference number, when the random number satisfies the comparison (e.g., the random number matches the reference number), which has a 10% chance of occurring, the method includes denying access to the resource. Likewise, when the random number fails to satisfy the comparison, which occurs with a 90% chance, the method includes allowing access to the resource. Thus, it is unclear how one can access or denial to the resource based on comparing the random number [a billion] with the reference number [10]”. 

Applicant then argues that the claims 3, 14, and 25 are definite, point out, and distinctly claim the subject matter, as such the 112(b) rejection should be withdrawn.

6. Examiner would like to point out that claims 3, 14 and 25 recite: “obtaining a random number from a set of numbers associated with a scale, comparing the random number from the set of numbers with a reference number, the reference number representing the request failure rate; and granting or denying access to the resources when the random number satisfies the comparison with the reference number”.

According to applicant’s statement, the method includes obtaining a number (random number) between 1 and a billion.  The reference number may be any number between 1 and 10; and when the random number satisfies the comparison (e.g., the random number matches the reference number), which has a 10% chance of occurring, the method denying access to the 

Examiner would like to point out that the claims do not recite that the random number is between 1-10, so the random number can be any number. For example, the random number can be 5 or 35 or 5500, a million or a billion. The random number (e.g. 5 or 35 or 5500, a million or a billion) is compared with a reference number [the reference number is also not recited in the claims] representing the request failure rate. As such, the reference number could be any number, for example, 5 or 35 or 5500, a million or a billion. It is not clear how a random number, for instance 3 billion, when compared to a reference number 55000 yields any result, or vice versa, when the random number is 55000 and the reference number is 3 billion, how that yields any result.
Appropriate clarification is needed.

7. With respect to the 112(b) rejection for claims 11, 22, 31 and 31-33, the applicant has amended the claims, which recite: “receiving, at the data processing hardware, an indication of a selection of the resource through a user interface, the resource being selected for a security credential update, the security credential update disabling the security credential associated with the resource at the request failure rate and enabling a new security credential for the resource; receiving, at the data processing hardware, an association of the new security credential with the resource selected for a security credential update; and receiving, at the data processing hardware, the request failure rate for requests to access the resource using the security credential designated for disablement by the security credential update.”

8. Applicant then argues that the claims 11, 22, 30 and 31-33 are definite, point out, and distinctly claim the subject matter, as such the 112(b) rejection should be withdrawn.
three “receiving” steps, and it’s not clear what is recited in the third receiving steps, and how are these three receiving steps related to each other.
For example the last receiving step recites: “receiving, at the data processing hardware, the request failure rate for requests to access the resource using the security credential designated for disablement by the security credential update”. It is not clear what is meant by this limitation.

Appropriate clarification is needed.

10. Applicant’s arguments with respect to the 102 rejection have been fully considered but they are not persuasive.

11. Applicant argues that Addala reference fails to disclose or suggest the newly amended feature of claim 1 which recites: “the request failure rate indicating an amount of security credentials designed for disablement”.

12. Examiner would like to point out that Addala in Col.6, lines.9-39 teaches this limitation (see the rejection below).
Claim Rejections - 35 USC § 112
13. The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


14. Claims 3, 11, 14, 22, 25, 30 and 31-33 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

15. Claim 3 recites: “obtaining a random number from a set of numbers associated with a scale, comparing the random number from the set of numbers with a reference number, the reference number representing the request failure rate; and granting or denying access to the resources when the random number satisfies the comparison with the reference number”.
It is not clear what is meant by this limitation.
The claims do not recite that the random number is between 1-10, so the random number can be any number. For example, the random number can be 5 or 35 or 5500, a million or a billion. The random number (e.g. 5 or 35 or 5500, a million or a billion) is compared with a reference number [the reference number is also not recited in the claims] representing the request failure rate. As such, the reference number could be any number, for example, 5 or 35 or 5500, a million or a billion. It is not clear how a random number, for instance 3 billion, when compared to a reference number 55000 yields any result, or vice versa, when the random number is 55000 and the reference number is 3 billion, how that yields any result.

It is not clear what is achieved by comparing the random number with a reference number representing the request failure rate.
A similar problem is found in claims 14 and 25.
Appropriate correction is needed.

 receiving, at the data processing hardware, the request failure rate for requests to access the resource using the security credential designated for disablement by the security credential update”.
It is not clear what is meant by this limitation. The claim in its entirety does not make any patentable sense. It is not clear how these limitations are related to each other. For instance, there are three “receiving” steps, and it is not clear what is recited in the third receiving step or how these three receiving steps are related to each other.
For example, the last receiving step recites: “receiving, at the data processing hardware, the request failure rate for requests to access the resource using the security credential designated for disablement by the security credential update”. It is not clear what is meant by this limitation. Appropriate clarification is needed.

17. A similar problem is found in claims 22 and 30. Appropriate correction is needed.

18. Claims 31-33 are also rejected because they depend on rejected claim 30.


Examiner Note: A rejection over prior art is not feasible at this time for claims 3, 11, 14, 22, 25 and 30-33. Claims 3, 11, 14, 22, 25 and 30-33 are replete with indefiniteness such that it cannot be ascertained what the scope of the claims is with respect to applying prior art.

Claim Rejections - 35 USC § 102

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


20. Claim(s) 1, 4-7, 9-10, 12, 15-18, 20, 21, 23-24 and 26-29 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Addala (US Pub. No. 9,438,604).

21. Regarding claim 1 Addala teaches a method comprising: receiving, at data processing hardware, a request for access to a resource, the request comprising a request authenticator including an authentication credential (Figs.1-2 and Col.4, lines.8-18 teaches the client computer 110 used by a user will attempt to access an application (e.g., web service) hosted on application server 120. The user will request to access the application. The user will provide his credentials, which include a user identifier [authentication credential herein], to access and use the application on the application server 120. The authentication server 130 will be configured for authenticating (e.g., validating, confirming) the user credentials before the user is allowed to access the application on the application server 120);

comparing, by the data processing hardware, the authentication credential against a security credential associated with the resource; determining, by the data processing hardware, whether the authentication credential satisfies the security credential (Fig.3-4, Col.6,lines.55-66 and Col.7,lines.3-54 teaches the authentication server 130 includes a primary authentication mechanism 331, primary user credentials 332, and completed authentication notification module 333. The primary authentication mechanism 331 will be configured to receive primary user credentials for a user operating at a remote computer (e.g., client computer 110) and to 
and when the authentication credential satisfies the security credential, granting or denying, by the data processing hardware, access to the resource based on a request failure rate associated with the security credential (Figs.3-4 and Col.7, lines.54-67 and Col.8, lines.1-8 teaches if it is determined that the primary authentication mechanism 331 is unable to complete an authentication attempt, then the primary access module 321 will be configured to pass the 
Col.5, lines.1-65 and Col.6, lines. 1-12 teaches the user's access allowance rate information will be stored locally (e.g., on the application server). The information will include statistics or other records relating to completed authentication attempts for the user by the primary authentication mechanism. For example, the allowance rate information could include a table showing that the user identifier for the user has been associated with five successful and one unsuccessful completed authentications by the primary authentication mechanism in the past month. For another example, the allowance rate information could include a single value of ninety-seven that indicates that ninety-seven percent of the time in the last year this user was allowed access to the application after the primary authentication mechanism completed authentication attempts on the user's credentials (compared to only three percent denials after completed authentication attempts). Further, in some embodiments, the access allowance rate information will also include records relating to whether or not past authentication attempts were actually completed. The user's access allowance rate is identified from the access allowance rate information and is compared to a set of (e.g., one or more) criteria. The set of criteria will refer to one or more factors or requirements associated with the access allowance rate. The set of criteria may include a single threshold (e.g., a minimum acceptable access allowance rate). A determination is made as to whether the set of criteria are satisfied. If they are not satisfied, the user is denied access to the application),

the request failure rate indicating an amount of security credentials designed for disablement (Col.6, lines.9-39 teaches a determination is made as to whether the set of criteria are satisfied. If they are not satisfied, then, the user is denied access to the application. If, however, the set of criteria are satisfied, then, the user is requested to provide secondary user credentials. The secondary user credentials may refer to a second set of (e.g., one or more) credentials that are different (at least in part) from the primary user credentials. The secondary user credentials may be associated with lower levels of security than their counterpart credentials used by the primary authentication mechanism (e.g., primary user credentials). Examples of secondary user credentials may include, without limitation, alphanumeric passwords or security question and answer pairs. A determination is made as to whether the secondary user credentials are authentic (e.g., whether a second authentication factor provided with a user identifier properly corresponds with the user identifier). If the secondary user credentials are not authentic, then, the user is denied access to the application. If, however, the secondary user credentials are authentic, then, the user is allowed quarantine access to the application. The quarantine access will allow the user lesser privileges with respect to the application than full access [i.e., access to full application will be disabled/restricted]. Restrictions placed on quarantine access will include, for example, read-only data access, access to only limited features or functionality of the application, or access that incorporates only a limited ability to modify the settings of the application. As such the amount of security credentials [application access] are disabled based on the failure rate).
22.    Regarding claim 4 Addala teaches the method, further comprising:
determining, by the data processing hardware, that a number of received requests having corresponding authentication credential satisfying the security credential satisfies a threshold number; and implementing a remedial action (Fig. 3, Col.8, lines.54-67 and Col.9, lines.1-50 teaches a scenario, in which, John Smith, the CEO of Smith Corp, uses his laptop (client 
Each time a completed authentication attempt fails, the authentication server informs the application server (via the completed authentication notification module 333), and the application server records the reduction in the allowance rate (in the allowance rate statistics 326) associated with the JSmith user identifier.


23.   Regarding claim 5 Addala teaches the method, wherein the remedial action comprises granting access to the resource when the authentication credential satisfies the security credential and not enforcing the request failure rate associated with the security credential (Fig.2 and Col.6, lines.1-39 teaches the user's access allowance rate is identified from the access allowance rate information and is compared to a set of (e.g., one or more) criteria. The set of criteria will refer to one or more factors or requirements associated with the access allowance rate. The set of criteria may include a single threshold (e.g., a minimum acceptable access allowance rate). A determination is made as to whether the set of criteria are satisfied. If they are not satisfied, then, the user is denied access to the application. If, however, the set of criteria are satisfied, then, the user is requested to provide secondary user credentials. The secondary user credentials may include, alphanumeric passwords or security question and answer pairs. A determination is made as to whether the secondary user credentials are authentic. If the secondary user credentials are not authentic, then, the user is denied access to the application. If, however, the secondary user credentials are authentic, then, the user is allowed quarantine access to the application. The quarantine access will allow the user lesser privileges with respect to the application than full access. Restrictions placed on quarantine 

24.    Regarding claim 6 Addala teaches the method, wherein determining whether the authentication credential  satisfies the security credential further comprises: comparing, by the data processing hardware, the authentication credential  against a new security credential associated with the resource; determining, by the data processing hardware, that the authentication credential  satisfies the new security credential; and granting, by the data processing hardware, access to the resource  (Col.7, lines.52-67 and Col.8, lines.1-47 teaches if it is determined, that, the primary authentication mechanism 331 is unable to complete an authentication attempt, then the primary access module 321 will be configured to pass the user's request to access the application 327 to the secondary access module 322.   The secondary access module 322 will serve as the secondary gatekeeper to the application 327 and will be used in situations where, for one or more reasons, an attempt to complete a primary authentication fails. Upon receipt of a user request that is passed to the secondary access module 322, the criteria evaluation module 324 will be configured to analyze allowance rate statistics 326 associated with the user identifier requesting access and then compare these statistics to a set of criteria. If the results of this comparison by the criteria evaluation module 324 are unfavorable, then the user may be denied access to the application 327. However, if the results are favorable, then the user's request may be passed to the secondary authentication mechanism 323. The secondary authentication mechanism 323 will be configured for verifying the identity of users based on secondary user credentials 325 [(such as his mother's maiden name and his place of birth), which is the new credential herein], rather than primary user credentials 332 (such as username, password). 
Upon receiving these credentials, the secondary authentication mechanism 323 will be further configured to complete secondary 

25.    Regarding claim 7 Addala teaches the method, further comprising: determining, by the data processing hardware, that the requester security credential fails to satisfy the security credential or the new security credential; and denying, by the data processing hardware, access to the resource (Col.7, lines.52-67 and Col.8, lines.1-47 teaches if it is determined, that, the primary authentication mechanism 331 is unable to complete an authentication attempt, then the primary access module 321 will be configured to pass the user's request to access the application 327 to the secondary access module 322.   The secondary access module 322 will serve as the secondary gatekeeper to the application 327 and will be used in situations where, for one or more reasons, an attempt to complete a primary authentication fails. Upon receipt of a user request that is passed to the secondary access module 322, the criteria evaluation module 324 will be configured to analyze allowance rate statistics 326 associated with the user identifier requesting access and then compare these statistics to a set of criteria. If the results of this comparison by the criteria evaluation module 324 are unfavorable, then the user may be denied access to the application 327. However, if the results are favorable, then the user's request may be passed to the secondary authentication mechanism 323. The secondary authentication mechanism 323 will be configured for verifying the identity of users based on secondary user credentials 325 [(such as his mother's maiden name and his place of birth), which is the new credential herein], rather than primary user credentials 332 (such as username, password). Upon receiving these credentials, the secondary authentication mechanism 323 will be further configured to complete secondary authentication attempts on these user credentials by comparing them to the copy of the secondary user credentials 325 
Fig.5 and Col.10, lines.29-60 teaches if the primary user credentials are currently authenticated, then the user's access allowance rate information is increased, per operation, to reflect the current authentication. The primary version of the data set is replaced, in the main portion of the application database, with the modified version of the data set. The user is upgraded to full access to the application. 
If, however, the quarantined user failed the most recent authentication attempt (and is therefore not currently authenticated), then the user's access allowance rate is decreased, per operation. User's quarantine access to the application is revoked. And, the modified version of the data set is deleted from the quarantine portion of the application database). 

26.    Regarding claim 9 Addala teaches the method, wherein the request failure rate increases based on a function of time (Figs.3- 4 and Col.9, lines.54-67 teaches a table representing the access allowance rate statistics 326, the table includes a plurality of user identifiers (RJones, SMichaels, and LStein). Associated with each user credential are the five most-recent completed authentication attempts by the primary authentication mechanism for that particular user credential. For example, the last row of the table shows that LStein is associated with three successful authentications and two failed authentications out of the last five completed attempts. The last column of the table includes the calculated access allowance rate (e.g., the success rate among completed authentication attempts) for each user identifier over the five most-recent attempts associated with each user identifier. The table will be updated each time a new authentication attempt is completed for a particular user identifier.
Col.8, lines.54-67 and Col.9, lines.1-50 teaches if, however, a determination is made that the user's credentials have not been authenticated (due to multiple failed authentication attempts) 

27. Regarding claim 10 Addala teaches the method, wherein the request failure rate comprises at least one of: a denial count for authentication credentials satisfying the security credential; a percentage of authentication credentials satisfying the security credential and denied access to the resource; or a percentage of authentication credentials satisfying the security credential and granted access to the resource (Col.5, lines. 40-61 teaches the user's access allowance rate information may be stored locally (e.g., on the application server). The information may include statistics or other records relating to completed authentication attempts for the user by the primary authentication mechanism. For example, the allowance rate information could include a table showing that the user identifier for the user has been associated with five successful and one unsuccessful completed authentications by the primary authentication mechanism in the past month. For another example, the allowance rate information could include a single value of ninety-seven that indicates that ninety-seven percent of the time in the last year this user was allowed access to the application after the primary authentication mechanism completed authentication attempts on the user's credentials (compared to only three percent denials after completed authentication attempts). Further, in some embodiments, the access allowance rate information may also include records relating to whether or not past authentication attempts were actually completed).

28.   Regarding claim 12 Addala teaches a method comprising: receiving, at data processing hardware, a request for access to a resource, the request comprising a request authenticator including an authentication credential (Figs.1-2 and Col.4, lines.8-18 teaches the client computer 110 used by a user will attempt to access an application (e.g., web service) hosted on 

comparing, by the data processing hardware, the authentication credential  against an old security credential associated with the resource and a new security credential associated with the resource; determining, by the data processing hardware, whether the authentication credential  satisfies the old security credential (Fig.3-4, Col.6,lines.55-66 and Col.7,lines.3-54 teaches the authentication server 130 includes a primary authentication mechanism 331, primary user credentials 332, and completed authentication notification module 333. The primary authentication mechanism 331 will be configured to receive primary user credentials [new credential herein] for a user operating at a remote computer (e.g., client computer 110) and to complete authentication attempts on these user credentials by comparing them to the copy of the primary user credentials 332 [old credential herein] stored in a secure location on the authentication server 130. The primary user credentials will include a user identifier (e.g., a username) and at least one additional authentication factor (e.g., a password). After completing an authentication attempt, the primary authentication mechanism 331 will send the results of the completed attempt (e.g., either an indicator that the user identifier has been properly authenticated or an indicator that the user identifier has not been properly authenticated) to the completed authentication notification module 333. The completed authentication notification module 333 will be configured to notify the results of the completed attempt to the application server 120. A primary access module 321 will be configured to act as the primary gatekeeper to the application located on the application server 120. The primary access module 321 will receive notifications from the completed authentication notification module 333 about users that 

and when the authentication credential  satisfies the old security credential, granting or denying, by the data processing hardware, access to the resource based on a request failure rate associated with the old security credential (Figs.3-4 and Col.7, lines.54-67 and Col.8, lines.1-8 teaches if it is determined that the primary authentication mechanism 331 is unable to complete an authentication attempt, then the primary access module 321 will be configured to pass the user's request to access the application 327 to the secondary access module 322. The secondary access module 322 will serve as the secondary gatekeeper to the application 327 and will be used in situations where, for one or more reasons, an attempt to complete a primary authentication fails. Upon receipt of a user request that is passed to the secondary access module 322, the criteria evaluation module 324 will be configured to analyze allowance rate statistics 326 associated with the user identifier requesting access and then compare these statistics to a set of criteria. If the results of this comparison by the criteria evaluation module 324 are unfavorable, then the user will be denied access to the application 327.
Col.5, lines.1-65 and Col.6, lines. 1-12 teaches the user's access allowance rate information will be stored locally (e.g., on the application server). The information will include statistics or other records relating to completed authentication attempts for the user by the primary authentication 

the request failure rate indicating an amount of security credentials designed for disablement (Col.6, lines.9-39 teaches a determination is made as to whether the set of criteria are satisfied. If they are not satisfied, then, the user is denied access to the application. If, however, the set of criteria are satisfied, then, the user is requested to provide secondary user credentials. The secondary user credentials may refer to a second set of (e.g., one or more) credentials that are different (at least in part) from the primary user credentials. The secondary user credentials may be associated with lower levels of security than their counterpart credentials used by the primary authentication mechanism (e.g., primary user credentials). Examples of secondary user credentials may include, without limitation, alphanumeric passwords or security question and answer pairs. A determination is made as to whether the secondary user credentials are 

29. Regarding claim 15 Addala teaches the method further comprising: determining, by the data processing hardware, that a number of received requests having corresponding authentication credentials satisfying the old security credential satisfies a threshold number; and implementing a remedial action (Fig. 3, Col.8, lines.54-67 and Col.9, lines.1-50 teaches a scenario, in which, John Smith, the CEO of Smith Corp, uses his laptop (client computer 110) for his work over a series of weeks. In a first week, Smith connects to Smith Corp's authentication server (authentication server 130) from his laptop and, when prompted, enters his primary user credentials, including his user identifier, "JSmith", and his password, "abc123". His credentials are authenticated (by the primary authentication mechanism 331) and his computer is then logged in to an authenticated session. Smith then attempts to access banking software (application 327) from his laptop. The application server (application server 120) confirms that Smith is currently in an authenticated session (e.g., by communicating with the completed authentication notification module 333). Smith is able to have full access to the banking software and completes his work for the day. In the second week, Smith is working from his home and is unable to access Smith Corp's authentication server from his laptop. He 
Each time a completed authentication attempt fails, the authentication server informs the application server (via the completed authentication notification module 333), and the application server records the reduction in the allowance rate (in the allowance rate statistics 326) associated with the JSmith user identifier.
Late in the third week, a thief steals Smith's laptop. Using the stolen laptop, the thief attempts to use the JSmith user identifier to access Smith Corp's banking software directly through the application server without first communicating with Smith Corp's authentication server. Upon determining that authentication server is not able to complete an authentication attempt (because the thief bypassed communicating with the authentication server altogether), the application server then checks the access allowance rate associated with the JSmith user identifier. Finding the allowance rate to have dropped below the ninety-percent success rate threshold (due to the multiple failed authentication attempts in the third week), the application server denies the thief access to the banking software).
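The fallback decision flow that the cited Addala passages describe (allowance rate statistics, a threshold criterion, secondary credentials, quarantine access) can be sketched as follows. This is an added illustration, not code from Addala or from the Office action; the names `UserRecord`, `decide` and `run_scenario` are hypothetical, and it assumes a failed primary attempt is denied outright and that a user with no recorded history fails closed.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field
from enum import Enum

WINDOW = 5                 # five most-recent completed attempts, as in the cited table
MIN_ALLOWANCE_RATE = 0.90  # ninety-percent threshold from the cited scenario


class Access(Enum):
    FULL = "full"
    QUARANTINE = "quarantine"   # lesser privileges, e.g. read-only
    DENIED = "denied"


@dataclass
class UserRecord:
    # Constructed sample secret; a real store would keep a salted KDF output.
    secondary_answer: str
    attempts: deque = field(default_factory=lambda: deque(maxlen=WINDOW))

    def record_completed(self, success: bool) -> None:
        """Record one completed primary authentication attempt."""
        self.attempts.append(success)

    def allowance_rate(self) -> float:
        """Success rate among the most recent completed attempts."""
        if not self.attempts:
            return 0.0          # assumption: no history means fail closed
        return sum(self.attempts) / len(self.attempts)


def decide(user: UserRecord, primary_result, secondary_answer=None) -> Access:
    """primary_result is True/False when the primary mechanism completed an
    attempt, or None when it could not complete one (server unreachable or
    bypassed)."""
    if primary_result is not None:
        user.record_completed(primary_result)
        return Access.FULL if primary_result else Access.DENIED

    # Primary authentication could not be completed: secondary gatekeeper.
    if user.allowance_rate() < MIN_ALLOWANCE_RATE:
        return Access.DENIED    # criteria not satisfied
    if secondary_answer is None or not hmac.compare_digest(
        secondary_answer.encode(), user.secondary_answer.encode()
    ):
        return Access.DENIED    # secondary credentials not authentic
    return Access.QUARANTINE


def run_scenario():
    """Replays the three-week scenario with constructed inputs."""
    smith = UserRecord(secondary_answer="constructed-answer")
    decisions = []
    for _ in range(5):                      # week 1: successful logins
        decisions.append(decide(smith, True))
    # week 2: authentication server unreachable, secondary credentials supplied
    decisions.append(decide(smith, None, "constructed-answer"))
    for _ in range(2):                      # week 3: completed attempts fail
        decisions.append(decide(smith, False))
    # stolen laptop: authentication server bypassed; the rate check runs first,
    # so even a correct secondary answer does not help
    decisions.append(decide(smith, None, "constructed-answer"))
    return decisions, smith.allowance_rate()


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario()[0], start=1):
        print(step, outcome.value)
```
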


A determination is made as to whether the set of criteria are satisfied. If they are not satisfied, then the user is denied access to the application. If, however, the set of criteria are satisfied, then the user is requested to provide secondary user credentials. The secondary user credentials may include alphanumeric passwords or security question and answer pairs. 
A determination is made as to whether the secondary user credentials are authentic. If the secondary user credentials are not authentic, then the user is denied access to the application. If, however, the secondary user credentials are authentic, then the user is allowed quarantine access to the application. The quarantine access will allow the user lesser privileges with respect to the application than full access. Restrictions placed on quarantine access may include, for example, read-only data access, access to only limited features or functionality of the application, or access that incorporates only a limited ability to modify the settings of the application). 

31.    Regarding claim 17 Addala teaches the method, wherein determining whether the authentication credential  satisfies the old security credential further comprises: determining, by the data processing hardware, that the authentication credential  satisfies the new security credential; and granting, by the data processing hardware, access to the resource (Col.7, lines.52-67 and Col.8, lines.1-47 teaches if it is determined, that, the primary authentication 

32.    Regarding claim 18 Addala teaches the method, further comprising: determining, by the data processing hardware, that the authentication credential  fails to satisfy the old security credential or the new security credential; and denying, by the data processing hardware, access to the resource (Col.7, lines.52-67 and Col.8, lines.1-47 teaches if it is determined, that, the primary authentication mechanism 331 is unable to complete an authentication attempt, then the primary access module 321 will be configured to pass the user's request to access the 
Fig.5 and Col.10, lines.29-60 teaches if the primary user credentials are currently authenticated, then the user's access allowance rate information is increased, per operation, to reflect the current authentication. The primary version of the data set is replaced, in the main portion of the application database, with the modified version of the data set. The user is upgraded to full access to the application. 
If, however, the quarantined user failed the most recent authentication attempt (and is therefore not currently authenticated), then the user's access allowance rate is decreased, per operation. 

33.    Regarding claim 20 Addala teaches the method, wherein the request failure rate increases based on a function of time (Figs.3- 4 and Col.9, lines.54-67 teaches a table representing the access allowance rate statistics 326, the table includes a plurality of user identifiers (RJones, SMichaels, and LStein). Associated with each user credential are the five most-recent completed authentication attempts by the primary authentication mechanism for that particular user credential. For example, the last row of the table shows that LStein is associated with three successful authentications and two failed authentications out of the last five completed attempts. The last column of the table includes the calculated access allowance rate (e.g., the success rate among completed authentication attempts) for each user identifier over the five most-recent attempts associated with each user identifier. The table will be updated each time a new authentication attempt is completed for a particular user identifier.
Col.8, lines.54-67 and Col.9, lines.1-50 teaches that if, however, a determination is made that the user's credentials have not been authenticated (due to multiple failed authentication attempts), then the user's access allowance rate would have dropped below a success rate threshold (due to the multiple failed authentications), and the application server will deny the user access to the application).

34.    Regarding claim 21 Addala teaches the method, wherein the request failure rate comprises at least one of: a denial count for authentication credentials satisfying the old security credential; a percentage of authentication credentials satisfying the old security credential and denied access to the resource; or a percentage of authentication credentials satisfying the old security credential and granted access to the resource (Col.5, lines. 40-61 teaches the user's access allowance rate information may be stored locally (e.g., on the application server). The 

35.    Regarding claim 23 Addala teaches the method further comprising receiving, at the data processing hardware, a failure rate change request configured to change the request failure rate (Figs.3- 4 and Col.9, lines.54-67 teaches a table representing the access allowance rate statistics 326, the table includes a plurality of user identifiers (RJones, SMichaels, and LStein). Associated with each user credential are the five most-recent completed authentication attempts by the primary authentication mechanism for that particular user credential. For example, the last row of the table shows that LStein is associated with three successful authentications and two failed authentications out of the last five completed attempts. The last column of the table includes the calculated access allowance rate (e.g., the success rate among completed authentication attempts) for each user identifier over the five most-recent attempts associated with each user identifier. The table will be updated each time a new authentication attempt is completed for a particular user identifier.
Col.8, lines.54-67 and Col.9, lines.1-50 teaches the access allowance rate information obtained and collected will be increased or decreased, respectively, per operation. The user's access 
If, however, a determination is made that the user's credentials have not been authenticated (due to multiple failed authentication attempts), then the user's access allowance rate would have dropped below a success rate threshold (due to the multiple failed authentications), and the application server will deny the user access to the application).

36.    Regarding claim 24 Addala teaches a method comprising: receiving, at data processing hardware, a request for access to a resource, the request comprising a request authenticator including an authentication credential (Figs.1-2 and Col.4, lines.8-18 teaches the client computer 110 used by a user will attempt to access an application (e.g., web service) hosted on application server 120. The user will provide his credentials, which include a user identifier [authentication credential herein], to access and use the application on the application server 120. The authentication server 130 will be configured for authenticating (e.g., validating, confirming) the user credentials before the user is allowed to access the application on the application server 120);

comparing, by the data processing hardware, the authentication credential  against an old security credential associated with the resource and a new security credential associated with the resource; when the authentication credential  satisfies the old security credential, granting or denying access to the resource based on a request failure rate associated with the old security credential (Fig.3-4, Col.6,lines.55-66 and Col.7,lines.3-54 teaches the authentication server 130 includes a primary authentication mechanism 331, primary user credentials 332, and completed authentication notification module 333. The primary authentication mechanism 331 will be 

the request failure rate indicating an amount of old security credentials designed for disablement; when the authentication credential  satisfies the new security credential, granting  a determination is made as to whether the set of criteria are satisfied. If they are not satisfied, then, the user is denied access to the application. If, however, the set of criteria are satisfied, then, the user is requested to provide secondary user credentials. The secondary user credentials may refer to a second set of (e.g., one or more) credentials that are different (at least in part) from the primary user credentials. The secondary user credentials may be associated with lower levels of security than their counterpart credentials used by the primary authentication mechanism (e.g., primary user credentials). Examples of secondary user credentials may include, without limitation, alphanumeric passwords or security question and answer pairs. A determination is made as to whether the secondary user credentials are authentic (e.g., whether a second authentication factor provided with a user identifier properly corresponds with the user identifier). If the secondary user credentials are not authentic, then, the user is denied access to the application. If, however, the secondary user credentials are authentic, then, the user is allowed quarantine access to the application. The quarantine access will allow the user lesser privileges with respect to the application than full access [i.e., access to full application will be disabled/restricted]. Restrictions placed on quarantine access will include, for example, read-only data access, access to only limited features or functionality of the application, or access that incorporates only a limited ability to modify the settings of the application. As such the amount of security credentials [application access] are disabled based on the failure rate);
and when the authentication credential fails to satisfy the old security credential and the new security credential, denying access to the resource (Figs.3-4 and Col.7, lines.54-67 and Col.8, lines.1-8 teaches if it is determined that the primary authentication mechanism 331 is unable to complete an authentication attempt, then the primary access module 321 will be configured to pass the user's request to access the application 327 to the secondary access module 322. The secondary access module 322 will serve as the secondary gatekeeper to the application 327 and will be used in situations where, for one or more reasons, an attempt to complete a primary 
Col.5, lines.1-65 and Col.6, lines. 1-12 teaches the user's access allowance rate information will be stored locally (e.g., on the application server). The information will include statistics or other records relating to completed authentication attempts for the user by the primary authentication mechanism. For example, the allowance rate information could include a table showing that the user identifier for the user has been associated with five successful and one unsuccessful completed authentications by the primary authentication mechanism in the past month. For another example, the allowance rate information could include a single value of ninety-seven that indicates that ninety-seven percent of the time in the last year this user was allowed access to the application after the primary authentication mechanism completed authentication attempts on the user's credentials (compared to only three percent denials after completed authentication attempts). Further, in some embodiments, the access allowance rate information may also include records relating to whether or not past authentication attempts were actually completed. The user's access allowance rate is identified from the access allowance rate information and is compared to a set of (e.g., one or more) criteria. The set of criteria will refer to one or more factors or requirements associated with the access allowance rate. The set of criteria may include a single threshold (e.g., a minimum acceptable access allowance rate). A determination is made as to whether the set of criteria are satisfied. If they are not satisfied, the user is denied access to the application).

37.    Regarding claim 26 Addala teaches the method, further comprising: determining, by the data processing hardware, that a number of received requests having corresponding 
Each time a completed authentication attempt fails, the authentication server informs the application server (via the completed authentication notification module 333), and the 
Late in the third week, a thief steals Smith's laptop. Using the stolen laptop, the thief attempts to use the JSmith user identifier to access Smith Corp's banking software directly through the application server without first communicating with Smith Corp's authentication server. Upon determining that authentication server is not able to complete an authentication attempt (because the thief bypassed communicating with the authentication server altogether), the application server then checks the access allowance rate associated with the JSmith user identifier. Finding the allowance rate to have dropped below the ninety-percent success rate threshold (due to the multiple failed authentication attempts in the third week), the application server denies the thief access to the banking software).

38.    Regarding claim 27 Addala teaches the method, wherein the remedial action comprises granting access to the resource when the authentication credential satisfies the old security credential and not enforcing the request failure rate associated with the old security credential (Fig.2 and Col.6, lines.1-39 teaches the user's access allowance rate is identified from the access allowance rate information and is compared to a set of (e.g., one or more) criteria. The set of criteria will refer to one or more factors or requirements associated with the access allowance rate. The set of criteria may include a single threshold (e.g., a minimum acceptable access allowance rate). A determination is made as to whether the set of criteria are satisfied. If they are not satisfied, then the user is denied access to the application. If, however, the set of criteria are satisfied, then the user is requested to provide secondary user credentials. The secondary user credentials may include alphanumeric passwords or security question and answer pairs. 
A determination is made as to whether the secondary user credentials are authentic. If the secondary user credentials are not authentic, then the user is denied access to the application. 

39.    Regarding claim 28 Addala teaches the method, wherein the request failure rate comprises at least one of: a denial count for authentication credentials satisfying the old security credential; a percentage of authentication credentials satisfying the old security credential and denied access to the resource; or a percentage of authentication credentials satisfying the old security credential and granted access to the resource (Col.5, lines. 40-61 teaches the user's access allowance rate information may be stored locally (e.g., on the application server). The information may include statistics or other records relating to completed authentication attempts for the user by the primary authentication mechanism. For example, the allowance rate information could include a table showing that the user identifier for the user has been associated with five successful and one unsuccessful completed authentications by the primary authentication mechanism in the past month. For another example, the allowance rate information could include a single value of ninety-seven that indicates that ninety-seven percent of the time in the last year this user was allowed access to the application after the primary authentication mechanism completed authentication attempts on the user's credentials (compared to only three percent denials after completed authentication attempts). Further, in some embodiments, the access allowance rate information may also include records relating to whether or not past authentication attempts were actually completed).


Continuing the scenario into a third week, a news article about the financial success of Smith and Smith Corp is published. In the hopes of gaining insight into his success, several different individuals try to log in to Smith Corp's authentication server using Smith's user identifier. Because they do not know Smith's password, none of the individuals is successfully authenticated. Each time a completed authentication attempt by one of these individuals fails, the authentication server informs the application server (via the completed authentication notification module 333), and the application server records the reduction in the allowance rate (in the allowance rate statistics 326) associated with the JSmith user identifier.
 Late in the third week, a thief steals Smith's laptop. Using the stolen laptop, the thief attempts to use the JSmith user identifier to access Smith Corp's banking software directly through the application server without first communicating with Smith Corp's authentication server. Upon determining that authentication server is not able to complete an authentication attempt (because the thief bypassed communicating with the authentication server altogether), the application server then checks the access allowance rate associated with the JSmith user identifier. Finding the allowance rate to have dropped below the ninety-percent success rate threshold (due to the multiple failed authentication attempts in the third week), the application server denies the thief access to the banking software).

Claim Rejections - 35 USC § 103
41. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


42. Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Addala (US Pub.No.9,438,604) as applied to claims 1, 12 above and further in view of Atzmony (US Pat.No.7,945,776).

43.   Regarding claim 8 Addala teaches all the above claimed limitations, but does not expressly teach the method, wherein the security credential comprises at least one of a public key or a hash message authentication code (hmac) key.

Atzmony teaches the security credential comprises at least one of a public key or a hash message authentication code (hmac) key (Col.16, lines.38-44 teaches the security credential comprises a Hashed Message Authentication Code (HMAC) key).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Addala so that the security credential comprises a hash message authentication code (hmac) key, as taught by Atzmony, because such a setup would yield the predictable result of providing secure access to computer resources.
44.    Regarding claim 18 Addala teaches all the above claimed limitations, but does not expressly teach the method, wherein the old security credential or the new security credential comprises at least one of a public key or a hash message authentication code (hmac) key.

Atzmony teaches the old security credential or the new security credential comprises at least one of a public key or a hash message authentication code (hmac) key (Col.16, lines.38-44 

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Addala so that the security credential comprises a hash message authentication code (hmac) key, as taught by Atzmony, because such a setup would yield the predictable result of providing secure access to computer resources.
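As an added illustration (not code from the application, Addala or Atzmony), the access decision recited in claim 24 can be sketched in Python with an HMAC key as the credential (claim 8), a request failure rate that increases with time (claim 20), a denial count (claims 21 and 28) and the remedial action of claims 26 and 27. The linear ramp, the `draw < reference` comparison, the scale of 1,000,000 and every name in the block are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SCALE = 1_000_000  # assumed size of the set the random number is drawn from


def sign(key: bytes, message: bytes) -> bytes:
    """Request authenticator: HMAC-SHA256 tag over the request body."""
    return hmac.new(key, message, hashlib.sha256).digest()


@dataclass
class RotatingCredential:
    new_key: bytes
    old_key: bytes
    rotation_start: float          # seconds; when the new key was issued
    ramp_seconds: float            # assumed: rate rises linearly from 0 to 1
    remedial_threshold: int        # old-key request count that triggers remedy
    old_key_requests: int = 0
    old_key_denials: int = 0       # denial count for the old credential
    enforcement_suspended: bool = False

    def failure_rate(self, now: float) -> float:
        """Fraction of old-key requests to deny, growing since rotation."""
        elapsed = max(0.0, now - self.rotation_start)
        return min(1.0, elapsed / self.ramp_seconds)

    def authorize(self, message: bytes, tag: bytes, now: float,
                  draw: Optional[int] = None) -> str:
        if draw is None:
            draw = secrets.randbelow(SCALE)  # CSPRNG draw in [0, SCALE)
        # Evaluate both constant-time comparisons before branching.
        matches_new = hmac.compare_digest(tag, sign(self.new_key, message))
        matches_old = hmac.compare_digest(tag, sign(self.old_key, message))
        if matches_new:
            return "grant"
        if not matches_old:
            return "deny"
        self.old_key_requests += 1
        # Remedial action (assumed reading of claims 26-27): once enough
        # callers still use the old key, stop enforcing the failure rate.
        if self.old_key_requests >= self.remedial_threshold:
            self.enforcement_suspended = True
        if self.enforcement_suspended:
            return "grant-old"
        reference = int(self.failure_rate(now) * SCALE)
        if draw < reference:  # happens with probability failure_rate
            self.old_key_denials += 1
            return "deny-old"
        return "grant-old"


if __name__ == "__main__":
    # Constructed sample keys and request, for illustration only.
    cred = RotatingCredential(b"new-key-constructed", b"old-key-constructed",
                              rotation_start=0.0, ramp_seconds=100.0,
                              remedial_threshold=1000)
    body = b"GET /resource"
    print(cred.authorize(body, sign(b"old-key-constructed", body), now=50.0))
```

Passing `draw` explicitly makes the probabilistic branch reproducible in tests; in service the draw comes from `secrets.randbelow`.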

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506.  The examiner can normally be reached on Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-





/DEREENA T CATTUNGAL/Examiner, Art Unit 2431