DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 11/20/2020.
In the instant Amendment, Claims 1-5, 7 and 9-18 have been amended. Claims 19-20 have been cancelled without prejudice. Claims 21-22 have been added. Claims 1, 10 and 21 are independent claims.  Claims 1-18 and 21-22 have been examined and are pending.  This Action is made FINAL.
	
Response to Arguments
The rejections of claims 10-18 under 35 U.S.C. § 101 are withdrawn as the claims have been amended. The rejections of claims 19-20 under 35 U.S.C. § 101 are withdrawn as the claims have been cancelled. 
Applicants’ arguments with respect to claims 1-18 and 21-22 have been considered but are moot in view of the new ground(s) of rejection.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.





Claims 1-2, 4, 10-11, 13 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. ("Smith," US 20140096177, published on 04/03/2014) in view of DASGUPTA et al. (“DASGUPTA,” US 20160359838, published on 12/08/2016)
Regarding Claim 1;
Smith discloses a method of authenticating a request for accessing a computing resource system in a multi-resource computing environment, the method comprising (par 0012; a multi-factor authentication in which a user interacts with a client device environment in order to access resources of a service provider, wherein the resources may be associated with varying sensitivity/authorization levels; par 0025; different service providers may establish different score ranges based on the particular security needs of the service provider):
storing, by an access gateway, authentication data including a plurality of authentication factors (par 0013; fig. 2, the client device environment uses a client device to process data input via a plurality of authentication factors to authenticate the user; par 0016; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism. An input output subsystem having bus lines that are dedicated to the authentication factors and logic architecture may be used to facilitate communication between the authentication factors and logic architecture), wherein each authentication factor of the plurality of authentication factors (par 0012; a user interacts with a client device environment in order to access resources of a service provider; par 0013; the client device environment uses a client device to process data input via a plurality of authentication factors to authenticate the user. For example, a text entry field on a display of the client device might be used as a first authentication factor to receive a traditional password or PIN), 
determining, by the access gateway for each authentication factor of the plurality of authentication factors, a respective intrinsic value, wherein the respective intrinsic value indicates a corresponding level of validity for each authentication factor of the plurality of authentication factors (par 0014; fig. 1; authentication factors have varying sensitivity/confidence levels as to the amount of security provided by the authentication factors. For example, the first authentication factor might be considered the least secure, particularly if the password is relatively short or has minimal constraints on the selection of the content or reset frequency of the password. The second authentication factor, on the other hand, could be considered more secure than the first authentication factor due to the temporary nature of the OTP, whereas the third authentication factor may be considered the most secure due to the hardware nature and tighter controls over the information stored on the smart card; par 0016; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism); 
 (par 0014; two or more of the authentication factors could also be associated with a similar amount of security, wherein combining authentication factors in and of itself may increase the amount of security provided; par 0016; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism; par 0017; a plurality of FMRs can be multiplied together to determine a composite FMR; par 0018; the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels);
receiving, by the access gateway from a computing device of the plurality of computing devices, an access request indicating the request to access the an computing resource system of the plurality of computing resource systems in the multi-resource computing environment (par 0016; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism; par 0012; a user interacts with a client device environment in order to access resources of a service provider, wherein the resources may be associated with varying sensitivity/authorization levels; par 0025; different service providers may establish different score ranges based on the particular security needs of the service provider), the computing resource system associated with a threshold authentication level (par 0017; the logic architecture may have a policy module to determine composite FMRs for the authentication factors as they are used to gain access to resources such as the resources [] a plurality of FMRs can be multiplied together to determine a composite FMR; par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen); 
determining, by the access gateway based on a comparison of the cumulative assurance level of the authentication data with the threshold authentication level of the computing resource system, that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data (par 0016; fig.2; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism; par 0018; the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels (e.g., scores); par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen; par 0030; if the target FMR has been reached, the score can be compared to the provider ranges; par 0028; the score evaluator can determine whether the MFA scores are within provider ranges associated with resources of the service provider, an access module may [] deny the client device environment access to resources if the associated MFA scores are outside the appropriate provider ranges); and
responsive to determining that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the  (par 0018; the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels (e.g., scores); par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen; par 0028; the score evaluator can determine whether the MFA scores are within provider ranges associated with resources of the service provider, an access module may [] deny the client device environment access to resources if the associated MFA scores are outside the appropriate provider ranges), requesting, by the access gateway, an additional authentication factor from the computing device (par 0016; fig.2; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism; par 0031; a determination may be made as to whether the score is within a provider range. If not, the next provider range can be selected, wherein the determination may be repeated until a match is found).  
Smith discloses all the limitations as recited above, but does not explicitly disclose wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and wherein each authentication factor of the plurality of authentication factors is associated with a corresponding request received over the period of time to access at least one of a plurality of computing resource systems in the multi-resource computing environment.

wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user (DASGUPTA: par 0011; fig. 3; selection of a set of authentication factors in different device, media and surrounding conditions over time; par 0030; a user is authenticated at various times with different modalities, as determined by the adaptive selection process of the present invention; par 0031; these criteria may be triggered at different times by a user, and the selected set of authentication factors is expected to vary), and
wherein each authentication factor of the plurality of authentication factors is associated with a corresponding request received over the period of time to access  at least one of a plurality of computing resource systems in the multi-resource computing environment (DASGUPTA: par 0011; fig. 3; selection of a set of authentication factors in different device, media and surrounding conditions over time; par 0030; a user is authenticated at various times with different modalities, as determined by the adaptive selection process of the present invention; par 0031; these criteria may be triggered at different times by a user, and the selected set of authentication factors is expected to vary). 
 Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of DASGUPTA with the method/system of Smith to include wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing (DASGUPTA: abstract).

Regarding Claim 2; 
Smith in combination with DASGUPTA disclose the method of claim 1, 
Smith further discloses receiving the additional authentication factor from the computing device (Smith: par 0031; a determination may be made as to whether the score is within a provider range. If not, the next provider range can be selected, wherein the determination may be repeated until a match is found); responsive to receiving the additional authentication factor, modifying the cumulative assurance level of the authentication data to create a modified cumulative assurance level of the authentication data (Smith: par 0031; a determination may be made as to whether the score is within a provider range. If not, the next provider range can be selected, wherein the determination may be repeated until a match is found; par 0014; two or more of the authentication factors could also be associated with a similar amount of security, wherein combining authentication factors in and of itself may increase the amount of security provided; par 0017; a plurality of FMRs can be multiplied together to determine a composite FMR; par 0018; the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels); determining that the modified cumulative assurance level of the authentication data exceeds the threshold authentication level of the computing resource system, based on a comparison of the modified cumulative assurance level of the authentication data to the threshold authentication level of the computing resource system (Smith: par 0018; the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels (e.g., scores); par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen; par 0028; the score evaluator can determine whether the MFA scores are within provider ranges associated with resources of the service provider; par 0035; determine whether the score is within the appropriate provider range for the resource. If so, grants the client device access to the resource); and responsive to determining that the modified cumulative assurance level of the authentication data exceeds the threshold authentication level of the computing resource system, providing access to the computing resource system (Smith: par 0018; the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels (e.g., scores); par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen; par 0028; the score evaluator can determine whether the MFA scores are within provider ranges associated with resources of the service provider; par 0035; determine whether the score is within the appropriate provider range for the resource. If so, grants the client device access to the resource).

Regarding Claim 4;

Smith further discloses wherein the threshold authentication level of the computing resource system is indicated by a policy associated with the computing resource system (Smith: par 0012; a multi-factor authentication in which a user interacts with a client device environment in order to access resources of a service provider, wherein the resources may be associated with varying sensitivity/authorization levels; par 0015; client device environment generates single sign on tokens having standardized scores that mask the underlying FMR data and/or MFA policies leading to the generation of the scores. The scores enable the service provider to determine whether to grant access to the resources without knowledge of the types of authentication factors used, the security characteristics (e.g., FMRs) associated with the authentication factors or the Boolean based MFA policies corresponding to each sensitivity level).

Regarding Claim 10;
This Claim recites an access gateway that performs the same steps as the method of Claim 1, and has limitations that are similar to Claim 1, and thus is rejected with the same rationale applied against claim 1.

	
Regarding Claim 11;
This Claim recites an access gateway that performs the same steps as the method of Claim 2, and has limitations that are similar to Claim 2, and thus is rejected with the same rationale applied against claim 2.

Regarding Claim 13;
This Claim recites an access gateway that performs the same steps as the method of Claim 4, and has limitations that are similar to Claim 4, and thus is rejected with the same rationale applied against claim 4.

Regarding Claim 21;
This Claim recites a non-transitory computer-readable medium that performs the same steps as the method of Claim 1, and has limitations that are similar to Claim 1, and thus is rejected with the same rationale applied against claim 1.


Regarding Claim 22;
This Claim recites a non-transitory computer-readable medium that performs the same steps as the method of Claim 2, and has limitations that are similar to Claim 2, and thus is rejected with the same rationale applied against claim 2.


Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US 20140096177) in view of DASGUPTA et al. (US 20160359838) and further in view of Tischart et al. (“Tischart,” US 20180183789, published on 06/28/2018)

Regarding Claim 3;
Smith in combination with DASGUPTA disclose the method of claim 1, 
 disclose all the limitations as recited above, but do not explicitly disclose wherein the period of time is prior to receiving the access request.  
However, in an analogous art, Tischart discloses identity and authentication system/method that includes:
wherein the period of time is prior to receiving the access request (Tischart: par 0053; these attributes are unique markers associated with the user account for determining a risk level associated with the current authentication session of the user account. The gathered data can also include identity data and contextual data that has been acquired over a period of time (e.g., data associated with prior authentication sessions for that specific user account, etc.)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Tischart with the method/system of Smith and DASGUPTA to include wherein the period of time is prior to receiving the access request. One would have been motivated to determine based on the identity data, the contextual data, and the one or more patterns. In at least one scenario, access is granted to the secure network in response to the determined risk level (Tischart: abstract).
  
Regarding Claim 12;
This Claim recites an access gateway .  
Claims 5-6 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US 20140096177) in view of DASGUPTA et al. (US 20160359838) and further in view of Emaminouri et al. (“Emaminouri,” US 9680812, published on 06/13/2017)
Regarding Claim 5; 
Smith in combination with DASGUPTA disclose the method of claim 4, 
Smith in combination with DASGUPTA disclose all the limitations as recited above, but do not explicitly disclose wherein the policy further indicates a permission level associated with the computing resource system, the permission level indicating an authorization requirement for accessing the computing resource system.  
However, in an analogous art, Emaminouri discloses authentication procedure system/method that includes:
wherein the policy further indicates a permission level associated with the computing resource system (Emaminouri: Col 2, lines 3-5; the various strengths and security levels associated with different combinations of authentication factors can be easily defined by a set of rules or policies; Col 7, lines 53-67; a specialized authentication server application to perform user authentication [] policies defining security levels (e.g., rules associating certain combinations of authentication factors with security strength, parameters indicating which users or groups of users are allowed to use certain types of authentication procedures, etc.), and other operating parameters (e.g., risk engine details and machine learning logic, authentication statistics, configuration data, etc.)), the permission level indicating an authorization requirement for accessing the computing resource system (Emaminouri: Col 1, lines 12-16; if the human user supplies authentication factors which match expected authentication factors, authentication is considered successful and the human user is allowed to access the protected resources using the smart device; Col 7, lines 53-67; a specialized authentication server application to perform user authentication [] policies defining security levels (e.g., rules associating certain combinations of authentication factors with security strength, parameters indicating which users or groups of users are allowed to use certain types of authentication procedures, etc.), and other operating parameters (e.g., risk engine details and machine learning logic, authentication statistics, configuration data, etc.)).
 Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Emaminouri with the method/system of Smith and DASGUPTA to include wherein the policy further indicates a permission level associated with the computing resource system, the permission level indicating an authorization requirement for accessing the computing resource system. One would have been motivated to authenticate the user at a first security level within a range of security levels. The new authentication procedure is operative to authenticate the user at a second security level within the range of security levels, the first security level being at least as high as the second security level within the range of security levels (Emaminouri: abstract).



Regarding Claim 6; 
Smith in combination with DASGUPTA and Emaminouri disclose the method of claim 5, 
Smith further discloses wherein determining that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data is further based on a comparison (Smith: par 0018; the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels (e.g., scores); par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen; par 0030; if the target FMR has been reached, the score can be compared to the provider ranges; par 0031; a determination may be made as to whether the score is within a provider range. If not, the next provider range can be selected, wherein the determination may be repeated until a match is found);
Smith in combination with DASGUPTA disclose all the limitations as recited above, but do not explicitly disclose based on a comparison of the permission level to authorization information associated with the access request.
However, in an analogous art, Emaminouri discloses authentication procedure system/method that includes:
based on a comparison of the permission level to authorization information associated with the access request (Emaminouri: Col 1, lines 12-16; if the human user supplies authentication factors which match expected authentication factors, authentication is considered successful and the human user is allowed to access the protected resources using the smart device; Col 7, lines 53-67; a specialized authentication server application to perform user authentication [] policies defining security levels (e.g., rules associating certain combinations of authentication factors with security strength, parameters indicating which users or groups of users are allowed to use certain types of authentication procedures, etc.), and other operating parameters (e.g., risk engine details and machine learning logic, authentication statistics, configuration data, etc.)).
One would have been motivated to authenticate the user at a first security level within a range of security levels. The new authentication procedure is operative to authenticate the user at a second security level within the range of security levels, the first security level being at least as high as the second security level within the range of security levels (Emaminouri: abstract).

Regarding Claim 14;
This Claim recites an access gateway that performs the same steps as the method of Claim 5, and has limitations that are similar to Claim 5, and thus is rejected with the same rationale applied against claim 5.

Regarding Claim 15;
This Claim recites an access gateway that performs the same steps as the method of Claim 6, and has limitations that are similar to Claim 6, and thus is rejected with the same rationale applied against claim 6.



Claims 7-9 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US 20140096177) in view of DASGUPTA et al. (US 20160359838) and further in view of Krishnamoorthy et al. (“Krishnamoorthy,” US 20200042723, filed on 08/03/2018)

Regarding Claim 7;
Smith in combination with DASGUPTA disclose the method of claim 1, 
Smith in combination with DASGUPTA disclose all the limitations as recited above, but do not explicitly disclose wherein the comparison of the cumulative assurance level of the authentication data to the threshold authentication level of the computing resource system is performed by a policy decision point.  
However, in an analogous art, Krishnamoorthy discloses identity fraud risk system/method that includes:
wherein the comparison of the cumulative assurance level of the authentication data to the threshold authentication level of the computing resource system is performed by a policy decision point (Krishnamoorthy: par 0019; Policy manager 130, upon receipt of the risk score associated with a user, compares the risk score with a policy threshold score or policy score range, previously set by, for example, an administrator, to determine whether the risk score indicates a risk failure. A risk failure/denial indicates that the determined risk score for the user is too high, and that the attempt to access protected digital resources should be denied).
 Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the (Krishnamoorthy: abstract).

Regarding Claim 8;
Smith in combination with DASGUPTA disclose the method of claim 1, 
Smith in combination with DASGUPTA disclose all the limitations as recited above, but do not explicitly disclose wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request.  
However, in an analogous art, Krishnamoorthy discloses identity fraud risk system/method that includes:
wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request (Krishnamoorthy: par 0014; a risk assessment platform assesses a level of risk of identity fraud associated with users attempting to access protected resources [] the risk assessment platform then performs a risk score calculation process to determine a level of risk of identity fraud associated with the user based on the collected user and/or device attributes). 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Krishnamoorthy with the method/system of Smith and DASGUPTA to include wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request. One would have been motivated to determine a level of risk of identity fraud associated with the user based on the first and second user and device attributes, and grant or deny the user access to the second protected resource based on the determined level of risk of identity fraud associated with the user (Krishnamoorthy: abstract).
  
Regarding Claim 9;
Smith in combination with DASGUPTA and Krishnamoorthy disclose the method of claim 8, 
Krishnamoorthy further discloses wherein determining that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data is further based on a comparison of the risk score to a risk tolerance associated with the computing resource system (par 0019; policy manager, upon receipt of the risk score associated with a user, compares the risk score with a policy threshold score or policy score range, previously set by, for example, an administrator, to determine whether the risk score indicates a risk failure [] a risk failure/denial indicates that the determined risk score for the user is too high, and that the attempt to access protected digital resources should be denied).  
One would have been motivated to determine a level of risk of identity fraud associated with the user based on the first and second user and device attributes, and grant or deny the user access to the second protected resource based on the determined level of risk of identity fraud associated with the user (Krishnamoorthy: abstract).
  
Regarding Claim 16;
This Claim recites an access gateway that performs the same steps as the method of Claim 7, and has limitations that are similar to Claim 7, and thus is rejected with the same rationale applied against claim 7.

Regarding Claim 17;
This Claim recites an access gateway that performs the same steps as the method of Claim 8, and has limitations that are similar to Claim 8, and thus is rejected with the same rationale applied against claim 8.

Regarding Claim 18;
This Claim recites an access gateway that performs the same steps as the method of Claim 9, and has limitations that are similar to Claim 9, and thus is rejected with the same rationale applied against claim 9.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on (571)270-5002. The fax
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/C.W./Examiner, Art Unit 2439       


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439