Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
	This action is in response to the communication filed on 11/12/2020.
Claim 1 is allowed. 
Claims 2-21 are cancelled. 
Claims 22-41 are rejected. 

Response to Arguments
Applicant arguments, dated 11/12/2020 have been fully considered. 
Examiner notes the following: in light of new claims 22-41, those claims are rejected on the ground of nonstatutory double patenting and under 35 U.S.C. 103 over a combination of references.
Examiner further notes that an informal conversation with attorney Ronald Schoembaum about incorporating claim limitation(s) from allowed claim 1 into the new claims was held; however, attorney Ronald Schoembaum requested to see an office action with the rejection of the new claim(s).
	Examiner is open to discussing claim amendment(s) for the purpose of compact prosecution of the application.



Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s) as explained below. See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 22-41 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent 10,404,678. Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is encompassed by the claims of U.S. Patent 10,404,678.
This is a nonstatutory double patenting rejection over an issued patent. The assignee of the application and the patent is the same.
Claim 22 of the instant application is compared with claim 1 of U.S. Patent 10,404,678 in the following table; the substantive differences between the conflicting claims are shown there.



Claim Comparison Table

Instant Application 16/556,998 (filed August 30, 2019), claim 22:
22. (New) A system for providing single-sign-on (SSO), multi-factor authentication, the system comprising: 
one or more hardware processors; a computer-readable memory; and an authentication system comprising executable instructions stored in the computer-readable memory, wherein the one or more processors are programmed to at least: 
register a user computing device using user data included in a redirect originating from a network server in response to a login request from the user computing device; 
transmit an authentication request to a user of the user computing device based on the user data that requests interaction by the user; 
inspect an element associated with the login request; 
authenticate the user based on a response to the authentication request and the inspected element; 
create a security object associated with the user computing device; 
transmit the security object to the user computing device; 
obtain a second redirect originating from the network server in response to a second login request from the user computing device, wherein the second redirect comprises a second security object; and 
authenticate the user computing device without interaction by the user in response to the second security object matching the security object. 

U.S. Patent 10,404,678, claim 1:

one or more hardware processors; a computer-readable memory; and an authentication system comprising executable instructions stored in the computer-readable memory, 
wherein the one or more processors are programmed to at least: 
receive, over a network, a request to access a first network resource by a mobile device associated with a user, wherein the first network resource is hosted by a server and accessible by a plurality of users of an organization, wherein the plurality of users of the organization comprises the user, wherein the request includes a security object associated with the mobile device, and wherein the authentication system is configured to accept, as the security object, an existing smart card identifier, an NFC object identifier, a Bluetooth object identifier, a hard OATH token, a mobile soft OATH token, and a characteristic of the mobile device; 

validate the security object as authentic by at least: 

determining, from the security object, a security object identifier; and 

determining that the security object identifier is associated with the mobile device and the user in an identity database associated with the organization; 

in response to a determination that the security object identifier is associated with the mobile device and the user in the identity database, authenticate the user and the mobile device by at least: 

receiving a redirect request from the mobile device, wherein the redirect request was received by the mobile device from the server that hosts the first network resource, and wherein the redirect request comprises an identification of the user included in the redirect request by the server that hosts the first network resource; 

receiving a second authentication factor from the mobile device; and 

validating the second authentication factor by comparing the second authentication factor with user data associated with the user, the user data accessed from the identity database; 

in response to a successful authentication of the mobile device and the user, determine 

create an identity assertion object related to the user in the determined identify assertion format based on the identification of the user included in the redirect request by the server that hosts the first network resource, the identity assertion object being distinct from the security object and the object identifier; and 

provide, to the first network resource, the identity assertion object related to the user, wherein the identity assertion object is configured to allow the user to gain access to the first network resource. 





Claim 22 of the instant application is broader in all respects than conflicting claim 1 of U.S. Patent 10,404,678. All the elements of claims 22, 31 and 39 of the instant application are found in claims 1, 17 and 20 of the patent. The difference between claims 22, 31 and 39 of the instant application and claims 1, 17 and 20 of the patent lies in the fact that the patented claims include more elements and are thus more specific. 
For example, claim 22 of the instant application recites "single sign on authentication with validation of security object with redirect request .. and other detailed steps ..", and similarly claim 1 of the patent recites 'single sign on authentication with validation, determination and authentication of security object with redirect request from mobile 
"A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus)." ELI LILLY AND COMPANY v. BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
This is a nonstatutory obviousness-type double patenting rejection, since the conflicting claims have been patented.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 22-41 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication 2013/0212653 to Hoghaug et al. (hereinafter "Hoghaug") in view of U.S. Patent 7,788,716 to Dapkus et al. (hereinafter "Dapkus") and further in view of U.S. Publication 2014/0310792 to Hyland et al. (hereinafter "Hyland").

As per claim 22, Hoghaug teaches a system for providing single-sign-on (SSO), multi-factor authentication (Hoghaug para 22 teaches an SSO service for authenticating a user device to an enterprise server), the system comprising: 
one or more hardware processors; a computer-readable memory; and 
an authentication system comprising executable instructions stored in the computer-readable memory (Hoghaug Fig 11 elements 1104 and 1116 teach memory), wherein the one or more processors (Hoghaug Fig 11 element 1102 teaches a processor) are programmed to at least: 
register a user computing device using user data included in a redirect originating from a network server in response to a login request from the user computing device (Hoghaug para 31 teaches user registration, and para 33 teaches the server requesting the GUID (global user identity) of the user in a client-server application); 
transmit an authentication request to a user of the user computing device based on the user data that requests interaction by the user (Hoghaug Fig 1 element 106, para 27-28 and para 35-38 teach the network resource providing identification and other data to the authentication server; Examiner interprets the providing of data as a server function); 
inspect an element associated with the login request (Hoghaug para 36 teaches validation of user credentials such as a PIN, password or code); 
authenticate the user based on a response to the authentication request and the inspected element (Hoghaug para 49 teaches verification and validation of user credentials). 
Hoghaug teaches authentication of a client device, and it would have been obvious to incorporate an identity assertion object for secure access to enterprise resources; Hoghaug does not, however, explicitly teach a security object associated with the user device. Dapkus teaches: 
create a security object associated with the user computing device (Dapkus col 1 line 50 - col 2 line 30, where web services authentication is security token based (the token is interpreted as the security object), and Fig 1 element 112 covers an identity assertion within the token and the SSPI (security service provider interface); Dapkus col 2 lines 5-40, where the SSPI teaches the security token, elements 110 and 114, and identity assertion 112 as distinct functions of the SSPI, which is comparable to the claimed limitation); 

transmit the security object to the user computing device (Dapkus Fig 3 elements 310/306 transmit the security token to node element 312, and col 2 lines 30-50, where the security token, interpreted as the security object of the device, is transmitted to the node (device) for user access to resources). 

The combination of Hoghaug and Dapkus does not teach, but Hyland teaches: 
obtain a second redirect originating from the network server in response to a second login request from the user computing device, wherein the second redirect comprises a second security object (Hyland Fig 8 elements 800 and 804, para 86-88 and 89 teach that the SSO IdP server redirects the authentication request with verification of the authentication token and a redirect function call; para 87, where the web security engine (server) verifies that the service request originates from the mobile device; and para 89 teaches a SAML assertion in which user information is part of the authentication token. In summary, the IdP SSO and web security engine server validate the client device (mobile device) by verifying the authentication token, which includes user information); and 
authenticate the user computing device without interaction by the user in response to the second security object matching the security object (Hyland Fig 9 element 936 teaches authentication based on the access token (the redirected token) associated with the service request).  
Hoghaug and Dapkus teach two-factor authentication schemes for strong, secure protocols with an identity assertion object. Hoghaug and Dapkus do not teach, but Hyland teaches, a redirect request to the mobile device with user identifiers (para 86-88). Hoghaug, Dapkus and Hyland are analogous art because they are all directed to secure access to resources based on authorization of a user or device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Hoghaug and Dapkus before him or her, to combine two-factor authentication with an identity assertion object in a secure protocol with Hyland's teaching of a redirect request to the client device with a user ID. The suggestion/motivation for doing so would have been to enhance SSO authorization and authentication for access to web services by client device(s) (para 9-10). 
As per claim 23, the combination of Hoghaug, Dapkus and Hyland teaches the system of claim 22, wherein the one or more processors are further programmed to at least transmit an authentication token to the user computing device (Hoghaug Fig 4 element 424, where the web service (404) transmits a token to client device element 402, as described in para 47-49), wherein the authentication token indicates that the user computing device performed the authentication request (Hoghaug para 36 teaches a device authentication request identifier).  

As per claim 24 combination of Hoghaug – Dapkus - Hyland teaches the system of claim 23, wherein the authentication token comprises one of a cookie or a redirect URL parameter (Hyland para 58 teaches encrypted token with user credentials or device credentials such as (UDID or GUID) which covers claimed limitation).  

As per claim 25 combination of Hoghaug – Dapkus - Hyland teaches the system of claim 22, wherein the one or more processors are further programmed to at least store the security object in association with the user data (Hoghaug para 21 teaches token includes user authentication data or device authentication data which is interpreted as security object associated with user data).  

As per claim 26 combination of Hoghaug – Dapkus - Hyland teaches the system of claim 22, wherein the one or more processors are further programmed to at least: 
transmit a device characteristic capture script to the user computing device (Hoghaug para 24 and 36 – Fig 1 – teaches device fingerprint); 
generate a device fingerprint based on device characteristics received from the user computing device as a result of the user computing device running the device characteristic capture script (Hoghaug para 36 – Fig 1 – teaches device fingerprint with function call interpreted as capture script).  

As per claim 27 combination of Hoghaug – Dapkus - Hyland teaches the system of claim 26, wherein the one or more processors are further programmed to at least generate the device fingerprint based on a hash of at least some of the device characteristics (Hoghaug para 36 teaches a one-way hash of the device fingerprint).  

As per claim 28 combination of Hoghaug – Dapkus - Hyland teaches the system of claim 26, wherein the device characteristics comprise at least one of HTTP header information, a browser plugin list, a list of fonts that a browser has installed, an IP address, a network card address, operating system settings, browser cookie data, or a time zone (Hoghaug para 24-25).  

As per claim 29 combination of Hoghaug – Dapkus - Hyland teaches the system of claim 22, wherein the security object is an X.509 soft identifier, an X.509 Smart Card identifier, a Java object, or a persistent browser token (Hoghaug para 21 teaches smart card token).  

As per claim 30 combination of Hoghaug – Dapkus - Hyland teaches the system of claim 22, wherein the element comprises one of an IP address acceptance range, an IP address risk attribute, or a geo-velocity (Hoghaug para 24 teaches IP address identifying information).  
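The claim 22 flow mapped above (a first login that requires user interaction and issues a device-bound security object, and a later login authenticated without interaction when the redirect carries a matching object), together with the device fingerprint of claims 26-28 and the IP-range element of claim 30, as an added illustration in Python. This is not code from the application, the patent, or Hoghaug, Dapkus or Hyland; the identity database, the one-time code, the IP acceptance range, the fingerprint keys and the sample redirects are all constructed assumptions.

```python
"""Added example of the claimed SSO/MFA flow. All names, data structures and
sample inputs are constructed for illustration; none of this is code from the
application, the patent, or the cited references."""

import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed identity database: user -> expected one-time code (the "response
# to the authentication request") and an IP acceptance range (claim 30 element).
IDENTITY_DB = {
    "alice": {"otp": "492817", "ip_acceptance": "203.0.113.0/24"},
}

# Constructed subset of the claim 28 characteristics a capture script reports.
FINGERPRINT_KEYS = ("user_agent", "fonts", "time_zone", "ip")


def device_fingerprint(chars: dict) -> str:
    """Claims 26-27: hash the reported device characteristics.
    Keys are fixed and ordered so the same device yields the same fingerprint."""
    canon = "|".join(f"{k}={chars.get(k, '')}" for k in FINGERPRINT_KEYS)
    return hashlib.sha256(canon.encode()).hexdigest()


def inspect_element(user: str, client_ip: str) -> bool:
    """Claim 30: the inspected element is an IP address acceptance range."""
    net = ipaddress.ip_network(IDENTITY_DB[user]["ip_acceptance"])
    return ipaddress.ip_address(client_ip) in net


class AuthenticationSystem:
    def __init__(self):
        # device fingerprint -> (user, issued security object)
        self.registered = {}

    def handle_redirect(self, redirect: dict,
                        prompt_user: Optional[Callable[[str], str]] = None):
        """redirect: the user data the network server placed in the redirect
        after a login request. Returns (outcome, security_object)."""
        user = redirect["user"]
        if user not in IDENTITY_DB:
            return ("denied", None)
        fp = device_fingerprint(redirect["device_chars"])
        if not inspect_element(user, redirect["client_ip"]):
            return ("denied", None)

        # Second login: the redirect carries a security object. If it matches
        # the object issued to this device, authenticate with no user interaction.
        presented = redirect.get("security_object")
        if presented is not None and fp in self.registered:
            reg_user, issued = self.registered[fp]
            if reg_user == user and hmac.compare_digest(presented, issued):
                return ("sso", issued)
            return ("denied", None)

        # First login (or an unknown device): register the device, request
        # interaction from the user, authenticate, then create and return the
        # security object the device will present next time.
        if prompt_user is None:
            return ("denied", None)
        response = prompt_user(user)
        if not hmac.compare_digest(response, IDENTITY_DB[user]["otp"]):
            return ("denied", None)
        security_object = secrets.token_urlsafe(32)
        self.registered[fp] = (user, security_object)
        return ("mfa", security_object)


def demo():
    """Runs the two-login sequence on constructed input and returns the outcomes."""
    auth = AuthenticationSystem()
    chars = {"user_agent": "Mozilla/5.0", "fonts": "Arial,Helvetica",
             "time_zone": "UTC-5", "ip": "203.0.113.7"}
    first = {"user": "alice", "client_ip": "203.0.113.7", "device_chars": chars}
    outcome1, obj = auth.handle_redirect(first, prompt_user=lambda u: "492817")
    second = dict(first, security_object=obj)
    outcome2, _ = auth.handle_redirect(second)
    # A forged object, or a redirect from outside the acceptance range, fails.
    forged = dict(first, security_object="x" * 43)
    outcome3, _ = auth.handle_redirect(forged)
    moved = dict(second, client_ip="198.51.100.9")
    outcome4, _ = auth.handle_redirect(moved)
    return outcome1, outcome2, outcome3, outcome4


if __name__ == "__main__":
    print(demo())
```

The security object is compared with `hmac.compare_digest` rather than `==` so that a forged object cannot be distinguished from a mismatched one by timing, and the element check runs before the object comparison so that a stolen object presented from outside the acceptance range is refused without user interaction ever being skipped.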

Claims 31-41:
Claim 31 is rejected for the same reasons as claim 22.
Claim 32 is rejected for the same reasons as claim 23.
Claim 33 is rejected for the same reasons as claim 24.
Claim 34 is rejected for the same reasons as claim 25.
Claim 35 is rejected for the same reasons as claim 26.
Claim 36 is rejected for the same reasons as claim 27.
Claim 37 is rejected for the same reasons as claim 28.
Claim 38 is rejected for the same reasons as claim 29.
Claim 39 is rejected for the same reasons as claim 22.
Claim 40 is rejected for the same reasons as claim 26.
Claim 41 is rejected for the same reasons as claim 29.

Conclusion 

Claims 22-41 have been rejected. 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached between 8 am and 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/VIRAL S LAKHIA/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431