DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2021-02-22 has been entered.

Response to Amendment
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in reply to papers filed on 2021-02-22. Claims 1-20 are pending. Claims 1, 10, 17 is/are independent.

Response to Arguments
Applicant’s arguments have been fully considered but are moot in view of the new ground(s) of rejection.
With respect to claim(s) 1 (see page(s) 10-13 of Applicant’s Remarks), Applicant argues that the prior art of record (in particular,  U.S. Publication 20150269566 to Gaddam et al. (hereinafter "Gaddam '566") in view of U.S. Patent 9923927 to McClintock et al. (hereinafter "McClintock '927")  in view of U.S. Patent 8683597 to Johansson et al. (hereinafter "Johansson '597")) does not disclose:
cause a behavior of the user to be monitored during the session, wherein monitoring the user's behavior includes at least one of: 
(i) employing a camera to monitor for a presence of the user or (ii) monitoring a proximity of a mobile device of the user; 
determine the new session lifetime of the session is expired or will expire within an upcoming time period; 
determine the user is still present based on the user's monitored behavior; and 

Examiner agrees.  However, U.S. Publication 20140189807 to Cahill et al. (hereinafter "Cahill '807") discloses this subject matter.  Cahill '807 teaches resetting a session lifetime based, at least in part, on a user presence check, e.g. using a webcam and facial recognition to determine that a user remains at the terminal.  As detailed in the rejections below, it would have been obvious to have modified the system of Gaddam '566 to utilize user presence checks in this way.  Accordingly, Applicant's arguments are not persuasive.
Applicant’s arguments with respect to the remaining claim(s) is/are based on Applicant’s arguments with respect to claim(s) 1 and have been considered as detailed above.

Claim Interpretation
The following is a quotation of 35 U.S.C. § 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA  35 U.S.C. § 112 ¶ 6:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6. The presumption that the claim limitation is interpreted under 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6 is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6 except as otherwise indicated in an Office action.
Claims 17-20 of this application include one or more claim limitations that use the word “means” and are being interpreted under 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6 it/they is/are being interpreted to cover the corresponding 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6 applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6 (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. § 112(f) or pre-AIA  35 U.S.C. § 112 ¶ 6.

Summary of Claim Rejections under 35 U.S.C.  § 103
The following table summarizes the rejections set forth in detail below of the claims over the prior art.

Claim No. | Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 | Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 in view of Grajek '867
1 | ✓ |
2 | ✓ |
3 | ✓ |
4 | ✓ |
5 | | ✓
6 | ✓ |
7 | ✓ |
8 | | ✓
9 | | ✓
10 | ✓ |
11 | ✓ |
12 | ✓ |
13 | | ✓
14 | | ✓
15 | | ✓
16 | | ✓
17 | ✓ |
18 | ✓ |
19 | |
20 | | ✓


Claim Rejections - 35 U.S.C. § 103
The following is a quotation of the appropriate paragraphs of AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of AIA  35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-4, 6-7, 10-12, 17-19  is/are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. Publication 20150269566 to Gaddam et al. (hereinafter "Gaddam '566") in view of U.S. Patent 9923927 to McClintock et al. (hereinafter "McClintock '927")  in view of U.S. Patent 8683597 to Johansson et al. (hereinafter "Johansson '597") in view of U.S. Publication 20140189807 to Cahill et al. (hereinafter "Cahill '807").  Gaddam '566 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).  McClintock '927 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).  Johansson '597 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).  Cahill '807 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).  
Per claim 1 (independent):
Gaddam '566 discloses a system of session management (duration of primary token is a function of risk [Gaddam '566 ¶ 0076-0077])
Gaddam '566 discloses one or more processors and one or more hardware storage devices that store instructions that are executable by the one or more processors to cause the system to at least (processor(s), memory, computer readable media, storage, executable instructions [Gaddam '566 ¶ 0100-0101])
Gaddam '566 does not disclose initially set a session lifetime of a session to a predetermined, random, or infinite value, the session lifetime being a length of validity for the session 
Gaddam '566 does not disclose initially setting a session lifetime to a predetermined, random, or infinite value
However, Gaddam '566 discloses initially set a session lifetime of a session to the value of a predetermined function, the session lifetime being a length of validity for the session (duration of primary token is a function of risk [Gaddam '566 ¶ 0076-0077])
Gaddam '566 discloses generate a token that identifies the session and that is valid for the session lifetime (primary token / encryption key is sent to access device 220 when access device 220 authenticates to provider/vault 270 [Gaddam '566 ¶ 0074-0078]; sets duration of primary token [Gaddam '566 ¶ 0076-0077])
Gaddam '566 discloses provide access to the token in response to successful authentication of entity user for whom the session was initiated (primary token / encryption key is sent to access device 220 when access device 220 authenticates to provider/vault 270 [Gaddam '566 ¶ 0074-0078])
Gaddam '566 discloses compute a session reputation for the session, wherein the session reputation is automatically computed based on a sign-in risk and a device risk (duration of primary token is a function of risk [Gaddam '566 ¶ 0076-0077])
Gaddam '566 does not disclose determine a new session lifetime based on the session reputation, wherein the new session lifetime is a new length of validity for the session 
However, Gaddam '566 discloses determine a session lifetime based on the session reputation, wherein the session lifetime is a length of validity for the session (duration of primary token is a function of risk [Gaddam '566 ¶ 0076-0077])
Gaddam '566 does not disclose causing the token to be valid for the new session lifetime
However, Gaddam '566 discloses causing the token to be valid for the session lifetime (sets duration of primary token [Gaddam '566 ¶ 0076-0077]; primary token / encryption key is sent to access device 220 when access device 220 authenticates to provider/vault 270 [Gaddam '566 ¶ 0074-0078])
Gaddam '566 does not disclose cause a behavior of the user to be monitored during the session, wherein monitoring the user's behavior includes at least one of (i) employing a camera to monitor for a presence of the user or (ii) monitoring a proximity of a mobile device of the user 
Gaddam '566 does not disclose determine the new session lifetime of the session is expired or will expire within an upcoming time period; determine the user is still present based on the user's monitored behavior; based on determining the user is still present, determine the user is naturally authenticated and extend the new session lifetime of the session to enable the user to continue with the session 
Further:
McClintock '927 discloses initially set a session lifetime of a session to a predetermined, random, or infinite value, the session lifetime being a length of validity for the session (decreases authentication duration for sensitive roles [McClintock '927 col. 21 l. 64 – col. 22 l. 7])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with default session lifetime and the risk assessment and user role / user privileges check of McClintock '927 to arrive at an apparatus, method, and product including:
initially set a session lifetime of a session to a predetermined, random, or infinite value, the session lifetime being a length of validity for the session 
A person having ordinary skill in the art would have been motivated to combine them at least because using a default session lifetime would improve token generation and distribution time, especially where the token lifetime could be updated later.  A person having ordinary skill in the art would have been further motivated to combine them at least because checking the device configuration would provide the system with information as to which devices, and therefore which sessions, were most risky.  A person having ordinary skill in the art would have been further motivated to combine them at least because McClintock '927 teaches [McClintock '927 col. 21 l. 64 – col. 22 l. 7; McClintock '927 col. 31 l. 9-26, col. 34 l. 5-19] modifying an authentication scheme [Gaddam '566 ¶ 0074-0078] such as that of Gaddam '566 to arrive at the claimed invention; because doing so constitutes use of a known technique (default session lifetime [McClintock '927 col. 21 l. 64 – col. 22 l. 7]; risk assessment and user role / user 
Further:
Johansson '597 discloses determine a new session lifetime based on the session reputation, wherein the new session lifetime is a new length of validity for the session (determines new session lifetime [Johansson '597 col. 7 l. 7-33, Fig. 2 ref. num. 209]; decreases authentication duration based on sensitivity of operation [Johansson '597 col. 3 l. 36-48, col. 6 l. 7-15] and based on user device "hardware and/or software configuration" [Johansson '597 col. 4 l. 32-43])
Johansson '597 discloses cause the token to be valid for the new session lifetime (determines new session lifetime [Johansson '597 col. 7 l. 7-33, Fig. 2 ref. num. 209])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have 
determine a new session lifetime based on the session reputation, wherein the new session lifetime is a new length of validity for the session 
cause the token to be valid for the new session lifetime 
A person having ordinary skill in the art would have been motivated to combine them at least because updating the session lifetime would allow the security system to adapt to changes in the risk levels over time, e.g. based on requests for sensitive operations.  A person having ordinary skill in the art would have been further motivated to combine them at least because checking the device configuration would provide the system with information as to which devices, and therefore which sessions, were most risky.  A person having ordinary skill in the art would have been further motivated to combine them at least because Johansson '597 teaches [Johansson '597 col. 7 l. 7-33, Fig. 2 ref. num. 209; Johansson '597 col. 4 l. 32-43] modifying an authentication scheme [Gaddam '566 ¶ 0074-0078] such as that of Gaddam '566 to arrive at the claimed invention; because doing so constitutes use of a known technique (revised session lifetime [Johansson '597 col. 7 l. 7-33, Fig. 2 ref. num. 209]; device configuration check [Johansson '597 col. 4 l. 32-43]) to improve similar devices and/or methods (authentication scheme [Gaddam '566 ¶ 0074-0078]) in the same way; because doing so constitutes applying a known technique (revised session lifetime [Johansson '597 col. 7 l. 7-33, Fig. 2 ref. num. 209]; device configuration check [Johansson '597 col. 4 l. 32-43]) to known devices and/or methods (authentication scheme [Gaddam '566 ¶ 0074-0078]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the 
Further:
Cahill '807 discloses cause a behavior of the user to be monitored during the session, wherein monitoring the user's behavior includes at least one of (i) employing a camera to monitor for a presence of the user or (ii) monitoring a proximity of a mobile device of the user (monitors user presence via facial recognition automatically during each time period [Cahill '807 ¶ 0018-0019, 0023])
Cahill '807 discloses determine the new session lifetime of the session is expired or will expire within an upcoming time period; determine the user is still present based on the user's monitored behavior; based on determining the user is still present, determine the user is naturally authenticated and extend the new session lifetime of the session to enable the user to continue with the session (monitors user presence via facial recognition automatically during each time period [Cahill '807 ¶ 0018-0019, 0023]; renews user's session automatically if user is still present [Cahill '807 ¶ 0018-0019, 0030-0032])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 to reset the session lifetime based on a presence check of the user as taught by Cahill '807 to arrive at an apparatus, method, and product including:
cause a behavior of the user to be monitored during the session, wherein monitoring the user's behavior includes at least one of (i) employing a camera to monitor for a presence of the user or (ii) monitoring a proximity of a mobile device of the user 
determine the new session lifetime of the session is expired or will expire within an upcoming time period; determine the user is still present based on the user's monitored 
A person having ordinary skill in the art would have been motivated to combine them at least because checking for user presence would protect users who step away from an open session, while automatically extending sessions for users who are still working.  A person having ordinary skill in the art would have been further motivated to combine them at least because Cahill '807 teaches [Cahill '807 ¶ 0018-0019, 0023, 0030-0032] modifying an authentication scheme [Gaddam '566 ¶ 0074-0078] such as that of Gaddam '566 to arrive at the claimed invention; because doing so constitutes use of a known technique (presence check used to reset session lifetime [Cahill '807 ¶ 0018-0019, 0023, 0030-0032]) to improve similar devices and/or methods (authentication scheme [Gaddam '566 ¶ 0074-0078]) in the same way; because doing so constitutes applying a known technique (presence check used to reset session lifetime [Cahill '807 ¶ 0018-0019, 0023, 0030-0032]) to known devices and/or methods (authentication scheme [Gaddam '566 ¶ 0074-0078]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (authentication scheme [Gaddam '566 ¶ 0074-0078] sets default session lifetime and presence check resets session lifetime depending on whether user is present [Cahill '807 ¶ 0018-0019, 0023, 0030-0032]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 2 (dependent on claim 1):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Gaddam '566 does not disclose determine the session reputation automatically based on a signal that indicates compliance with a predetermined device configuration
Further:
Johansson '597 discloses determine the session reputation automatically based on a signal that indicates compliance with a predetermined device configuration (decreases authentication duration based on user device "hardware and/or software configuration" [Johansson '597 col. 4 l. 32-43])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with the risk assessment and device configuration check of Johansson '597 to arrive at an apparatus, method, and product including:
determine the session reputation automatically based on a signal that indicates compliance with a predetermined device configuration
A person having ordinary skill in the art would have been motivated to combine them at least because checking the device configuration would provide the system with information as to which devices, and therefore which sessions, were most risky.  A person having ordinary skill in the art would have been further motivated to combine them at least because Johansson '597 teaches [Johansson '597 col. 4 l. 32-43] modifying an authentication scheme [Gaddam '566 ¶ 0074-0078] such as that of Gaddam '566 to arrive at the claimed invention; because doing so constitutes use of a known technique (device configuration check [Johansson '597 col. 4 l. 32-43]) to improve similar devices and/or methods (authentication scheme [Gaddam '566 ¶ 0074-0078]) in the same way; because doing so constitutes applying a known technique (device configuration check [Johansson '597 col. 4 l. 32-43]) to known devices and/or methods 
Per claim 3 (dependent on claim 1):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Gaddam '566 does not disclose the authenticator determines the session reputation based on a signal that indicates sensitivity of a resource for which access is requested
However, Gaddam '566 discloses the client limiting operations based on a signal that indicates sensitivity of a resource for which access is requested (access device 220 may only process financial transactions below a predetermined financial value [Gaddam '566 ¶ 0086])
Further:
Johansson '597 discloses determine the session reputation based on a signal that indicates sensitivity of a resource for which access is requested (sensitivity of operation [Johansson '597 col. 3 l. 36-48, col. 6 l. 7-15])
For the reasons detailed above with respect to claim 2, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with the risk assessment of Johansson '597 to arrive at an apparatus, method, and product including:
determine the session reputation based on a signal that indicates sensitivity of a resource for which access is requested
Per claim 4 (dependent on claim 1):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Gaddam '566 does not disclose determine the session reputation based on a signal that indicates a role of the user with respect to access to sensitive data
Further:
McClintock '927 discloses determine the session reputation based on a signal that indicates a role of the user with respect to access to sensitive data (decreases authentication duration for sensitive roles [McClintock '927 col. 31 l. 9-26, col. 34 l. 5-19])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with the risk assessment and user role / user privileges check of McClintock '927 to arrive at an apparatus, method, and product including:
determine the session reputation based on a signal that indicates a role of the user with respect to access to sensitive data
A person having ordinary skill in the art would have been motivated to combine them at least because checking the device configuration would provide the system with information as to which devices, and therefore which sessions, were most risky.  A person having ordinary skill in the art would have been further motivated to combine them at least because McClintock '927 teaches [McClintock '927 col. 31 l. 9-26, col. 34 l. 5-19] modifying an authentication scheme [Gaddam '566 ¶ 0074-0078] such as that of Gaddam '566 to arrive at the claimed invention; because doing so constitutes use of a known technique (risk assessment and user role / user privileges check [McClintock '927 col. 31 l. 9-26, col. 34 l. 5-19]) to improve similar devices and/or methods (authentication scheme [Gaddam '566 ¶ 0074-0078]) in the same way; 
Per claim 6 (dependent on claim 1):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Gaddam '566 does not disclose determine the device risk based on a signal that indicates device security capability
Further:
Johansson '597 discloses determine the device risk based on a signal that indicates device security capability (device security capabilities [Johansson '597 col. 6 l. 59 – col. 7 l. 6, col. 12 l. 30-54, col. 4 l. 32-43, col. 6 l. 16-33])
For the reasons detailed above with respect to claim 2, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with the risk assessment of Johansson '597 to arrive at an apparatus, method, and product including:
determine the device risk based on a signal that indicates device security capability
Per claim 7 (dependent on claim 1):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Gaddam '566 does not disclose determine the sign-in risk based on a signal that indicates authentication strength
Further:
Johansson '597 discloses determine the sign-in risk based on a signal that indicates authentication strength (authentication strength level [Johansson '597 col. 6 l. 16-33])
For the reasons detailed above with respect to claim 2, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with the risk assessment of Johansson '597 to arrive at an apparatus, method, and product including:
determine the sign-in risk based on a signal that indicates authentication strength
Per claim 10 (independent):
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 11 (dependent on claim 10):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 12 (dependent on claim 10):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 4 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 17 (independent):
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 18 (dependent on claim 17):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 17 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 19 (dependent on claim 17):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 17 above, incorporated herein by reference
Gaddam '566 discloses a means for determining device risk based on signals regarding one or more of configuration, location, security capabilities, or health (duration of primary token is a function of location risk [Gaddam '566 ¶ 0076-0077])
Claim(s) 5, 8, 9, 13-16, 20 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 in view of U.S. Publication 20180069867 (hereinafter "Grajek '867").  Grajek '867 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Per claim 5 (dependent on claim 1):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Gaddam '566 does not disclose determine the device risk based on a signal that indicates device health in terms of presence or absence of malware or virus
Further:
Grajek '867 discloses determine the device risk based on a signal that indicates device health in terms of presence or absence of malware or virus (virus, malware, or malicious reputation [Grajek '867 ¶ 0030-0031])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with the risk assessment and malware risk assessment of Grajek '867 to arrive at an apparatus, method, and product including:
determine the device risk based on a signal that indicates device health in terms of presence or absence of malware or virus
A person having ordinary skill in the art would have been motivated to combine them at least because checking the device configuration would provide the system with information as to which devices, and therefore which sessions, were most risky.  A person having ordinary skill in the art would have been further motivated to combine them at least because Grajek '867 teaches [Grajek '867 ¶ 0030-0031, 0024-0030, 0010, 0049, 0057] modifying an authentication scheme [Gaddam '566 ¶ 0074-0078] such as that of Gaddam '566 to arrive at the claimed invention; because doing so constitutes use of a known technique (risk assessment and malware risk assessment [Grajek '867 ¶ 0030-0031]) to improve similar devices and/or methods (authentication scheme [Gaddam '566 ¶ 0074-0078]) in the same way; because doing so constitutes applying a known technique (risk assessment and malware risk assessment [Grajek '867 ¶ 0030-0031]) to known devices and/or methods (authentication scheme [Gaddam '566 ¶ 0074-0078]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (authentication scheme [Gaddam '566 ¶ 0074-0078] determines duration based on risk while malware risk assessment [Grajek '867 ¶ 0030-0031, 0024-0030, 0010, 0049, 0057] supplies risk information); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 8 (dependent on claim 1):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 16 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 9 (dependent on claim 1):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 15 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 13 (dependent on claim 10):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference
Gaddam '566 does not disclose determining sign-in risk based on at least one of authentication strength or authentication pattern
Further:
Grajek '867 discloses determining sign-in risk based on at least one of authentication strength or authentication pattern (user behavior, user activity pattern [Grajek '867 ¶ 0024-0030])
For the reasons detailed above with respect to claim 5, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with the risk assessment and malware risk assessment of Grajek '867 to arrive at an apparatus, method, and product including:
determining sign-in risk based on at least one of authentication strength or authentication pattern
Per claim 14 (dependent on claim 10):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of any of claim(s) 2, 5, or 6 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 15 (dependent on claim 10):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference
Gaddam '566 does not disclose revoking validity of the token prior to expiration of the new session lifetime based on a recomputed and different session reputation
Further:
Grajek '867 discloses revoking validity of the token prior to expiration of the new session lifetime based on a recomputed and different session reputation (uses machine learning to recompute confidence score and terminate session if necessary [Grajek '867 ¶ 0010, 0049, 0057])
For the reasons detailed above with respect to claim 5, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gaddam '566 with the risk assessment and malware risk assessment of Grajek '867 to arrive at an apparatus, method, and product including:
revoking validity of the token prior to expiration of the new session lifetime based on a recomputed and different session reputation
Per claim 16 (dependent on claim 10):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference
Gaddam '566 does not disclose employing machine learning to automatically compute the session reputation and to determine the new session lifetime based on the session reputation
Further:
Grajek '867 discloses employing machine learning to automatically compute the session reputation and to determine the new session lifetime based on the session reputation (uses machine learning to recompute confidence score and terminate session if necessary [Grajek '867 ¶ 0010, 0049, 0057])

employing machine learning to automatically compute the session reputation and to determine the new session lifetime based on the session reputation
Per claim 20 (dependent on claim 17):
Gaddam '566 in view of McClintock '927 in view of Johansson '597 in view of Cahill '807 discloses the elements detailed in the rejection of claim 17 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 7 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475.  The examiner can normally be reached on MTWRF 7:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THEODORE C PARSONS/Primary Examiner, Art Unit 2494