DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to communication filed 11/10/2020. Claims 1, 3-4, 9, 11-12 and 17 are amended and claims 2 and 10 are canceled. Claims 1, 3-9 and 11-20 remain pending.

Response to Arguments
Applicant's arguments, Remarks: page 7, filed 11/10/2020 have been fully considered but they are not persuasive. 

Applicant argues “[t]he independent claims as amended recite where an authentication application creates a shared authentication token and a hash thereof based on an authentication key. The art of record fails to disclose the features of the independent claims as amended and those claims therefore are allowable, as are the claims that depend therefrom” – Remarks: page 7.

Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

Examiner’s Note
To expedite prosecution to a conclusion, the office welcomes and encourages an interview request to be initiated by the applicant after they have reviewed the instant office action and prior to or when filing a response. Such interview will be most helpful if examiner is provided with an agenda ahead of time, the agenda briefly itemizing arguments and/or any proposed amendments to be discussed and clarified during the interview.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-9 and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over Xia, US Patent 10657242 B1 further in view of Agarwal, US2019/0289017A1.

Per claim 1, Xia discloses an authentication system for providing shared credential authentication, the authentication system comprising: 
a client information handling (IHS) system including a resource and a first processor to provide a resource service application (Any appropriate electronic device may be configured to perform the operations of the resource 120 and provide proximity-based access, including desktop computers, laptop computers, tablet computers, wearable computers… The pairing of the mobile device 110 with the resource 120, using the access control agent and the access application as described above, indicates that the mobile device 110 should be treated as an authentication factor or token for granting access to the resource 120 - Xia: col. 11, lines 4-10 and Fig. 2B – 120 – Note: access control agent on resource 120 is read a resource service application); 
and a mobile IHS including a second processor to provide a shared authentication application (the device 110 is not limited to a mobile phone, and may be any appropriate electronic device, such as a tablet computer, a watch, a necklace, a bracelet, a wearable device, and so on… The mobile device 110 has an operating system and also runs an access application.  For example, the access application can manage or provide access to credentials of the user 102 of the mobile device 110 - Xia: col. 11, lines 10-14 and col. 15, lines 28-31 – Note: access application is read a shared authentication application); 
wherein: the resource service application receives a request to access the resource (In stage (A), the resource 120 detects an attempt to access the resource 120.  For example, the resource 120 may initially be in a secured state that requires authentication to change to an unlocked or accessible state – Xia: col. 15, lines 62-67 and col. 16, lines 1-5), and sends an authentication request to an authentication server to authorize access to the resource (In stage (B), in response to the attempt to access the resource 120, the resource 120 sends a message 210 to the server 130 over the network 104.  When the access attempt is detected, the access control agent on the resource 120 initiates further processing to expedite attempt automatic authentication based on proximity, as discussed below.  The message 210 indicates that an attempt to access the resource 120 has been made –Xia: col. 16, lines 6-13); 
the shared authentication application receives a query from the authentication server (Note: server 130) to verify a status of a first shared authentication token (In stage (B), in response to the attempt to access the resource 120, the resource 120 sends a message 210 to the server 130 over the network 104.  When the access attempt is detected, the access control agent on the resource 120 initiates further processing to expedite attempt automatic authentication based on proximity… The message 210 may identify the resource 120, and may indicate the type of access that has been attempted… The resource 120 can provide this information so the server 130 can contact each of the registered devices, to cause each to enter an enhanced discovery mode to potentially complete the authentication needed for the access attempted in stage (A).  Similarly, if the resource 120 has detected the presence of a device that has been designated as an authentication token for access to the resource 120, the resource 120 can indicate the identity of the device.  As another example, the message 210 can indicate the user 102 or credential linked to the attempt to access.  For example, if the resource 120 is locked and a particular user is logged in, the identity of the user can be indicated – Xia: col. 16, lines 6-35), and when the first shared authentication token is valid, responds to the query that the first shared authentication token is valid, the first shared authentication token indicating that an authenticated state between the client IHS and the mobile IHS exists (In stage (C), the server 130 identifies the device 110 as a device that can serve as an authentication token for the access attempted in in stage (A).  The information identifying the device 110 can be obtained using information from the message 210 or data stored by the server 130.  For example, when the user 102 registers the device 110 as an authentication token for accessing the resource 130, a user identifier for the user 102 and a device identifier for the device 110 can be stored at the resource 120.  The message 210 from the resource 120 can thus include the device identifier for the device 110, to indicate which device can provide the needed authentication – Xia: col. 17, lines 20-31); 
the resource service application further receives a response to the authentication request, and grants access to the resource when the first shared authentication token indicates that the first shared authentication token is valid (In stage (G), the server 130 sends the authentication data 230 to the resource 120 over the network 104.  The server 130 need not decrypt or assess the validity of the authentication data 230.  The server 130 can simply provide, e.g., forward, the authentication data 230 to the resource 120 for processing… In stage (J), the resource 120 provides the user 102 access to the resource 120 – Xia: col. 19, lines 4-9 and col. 20, lines 19-20);
the client IHS further provides a first authentication application (FIG. 4A shows an interface of an access control agent of a resource, such as a resource 120 – Xia: col. 25, lines 17-18); 
the mobile IHS further provides a second authentication application (The mobile device 110 has an operating system and also runs an access application.  For example, the access application can manage or provide access to credentials of the user 102 of the mobile device 110 - Xia: col. 15, lines 28-31); 
the first and second authentication applications determine whether or not the client IHS and the mobile IHS are communicatively coupled (In step 308, the mobile device 110 sends the security code for verification.  As illustrated, the mobile device can send the security code to the resource 120 directly, for example, over the wireless connection between the mobile device 110 and the resource 120.  Alternatively, the access application on the mobile device 110 can send the security code to the server 130, and the server 130 can relay the security code to the resource 120 along with an identifier for the device 110.  In step 310, the resource 120 receives the security code from the mobile device 110 (e.g., directly or indirectly). In step 318, the computer verifies that the received security code matches the security code output by the device.  In the example of a QR code, the computer determines that the data received matches the data encoded by the QR code.  By receiving the same security code that was output locally by the resource 120, the access control agent running on the resource 120 can verify that the mobile device 110 is actually in proximity to the resource 120  – Xia: col. 22, lines 58-67 and col. 23, lines 1-8); 
the second authentication application i) requests authentication credentials from the first authentication application, the authentication credentials authenticating that the client IHS is authorized to utilize the mobile IHS (In step 308, the mobile device 110 sends the security code for verification.  As illustrated, the mobile device can send the security code to the resource 120 directly, for example, over the wireless connection between the mobile device 110 and the resource 120 …In step 310, the resource 120 receives the security code from the mobile device 110 (e.g., directly or indirectly… In step 312, the mobile device 110 identifies one or more credentials of the user 102.  For example, the mobile device may send a request to the server 130 for updated information about the credentials that are available for the user 102 to access – Xia: col. 22, lines 58-62 and 66-67 and col. 23, lines 22-26), ii) receives the authentication credentials (In step 314, the server 130 provides credential information to the mobile device 110 over a network.  This information may include a list of credentials for the user.  In some implementations, the mobile device 110 or the resource 120 contacts the server 130 to indicate that proximity-based access is being configured.  For example an identifier for the resource 120 may be provided to the server 130 by either the mobile device 110 or the resource 120...In step 324, the resource 120 receives the data sent by the mobile device 110.  This data may be sent, for example, over the wireless communication link between the devices 110, 120, or may be sent through respective connections with the server 130.  In some implementations, the data may be sent over another communication channel, such as another wireless connection - Xia: col. 23, lines 27-34 and col. 24, lines 5-11), iii) creates an authentication key that represents that the client IHS is authorized to utilize the mobile IHS based upon the authentication credentials (In step 326a and step 326b, the mobile device 110 and the resource 120 form an association.  This association may be a pairing of the mobile device 110 with the resource 120.  Pairing may be performed using the operating system's Bluetooth libraries, and thus may use the native Bluetooth functionality of the device for added security.  The mobile device 110 and the resource 120 each store data that indicates the association.  This may include typical data used for Bluetooth pairing, such as a link key or other identifier, and may additionally include settings and other data respectively stored by the access control agent and the access application – Xia: col. 24, lines 12-22), iv) and 
Xia discloses “[t]he pairing of the mobile device 110 with the resource 120, using the access control agent and the access application as described above, indicates that the mobile device 110 should be treated as an authentication factor or token for granting access to the resource 120” – Xia: col. 24, lines 28-33 – Note: pairing is associated with a link key, Xia is not relied on to explicitly disclose but in view of Agarwal discloses creates a second shared authentication token and a hash thereof based on the authentication key (the application server 68 may receive a cryptographic hash value calculated based on an authentication token, or the requested access may be signed by a private key corresponding to the session held by the browser 66, and the application server 68 may verify the signature with the public key corresponding to the session provided by the application server 68 by the authorization server 70 in an earlier authorization – Agarwal: par. 0061), and 
after creating the second shared authentication token, v) invalidates the second shared authentication token in response to determining that the client IHS and the mobile IHS are not communicatively coupled (As the second electronic device moves away, the first electronic device may lock itself or otherwise restrict access in response.  For example, after access has been allowed, the first electronic device may determine a signal strength of the wireless connection between the first electronic device and the second electronic device.  It may also determine that the signal strength satisfies a threshold level (e.g., decreases to or below a predetermined level), where the threshold level corresponds to distance to automatically restrict access to the first electronic device.  As a result, an access control agent can restrict access to the first electronic device (e.g., by locking a user session, logging out the user, etc.) – Xia: col. 32, lines 43-54 – Note: the second electronic device/device 110 moving away from the first electronic device/the resource 120 causes the signal strength to decrease below a threshold minimum level to a point wherein the device 110 can no longer be used as an authentication token that provides access to the resource 120, i.e., the shared authentication token is invalidated).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Xia in view of Agarwal to include “creates a second shared authentication token and a hash thereof based on the authentication key”.
One of ordinary skill in the art would have been motivated because it would allow “determining whether an authenticated token is appended to the request 74, for instance as a query parameter, and determining that such an appended authentication token corresponds to a valid authenticated session, such as one that is not be expired, and corresponds to a list of authentication tokens that are validly stored in memory of the application server 68” – Agarwal: par. 0061.

Per claim 9, Xia discloses a method for providing shared credential authentication, the method comprising: 
receiving, by a resource service application of a client information handling system (IHS), a request to access a resource of the client IHS (in step 302, the user 102 may login to the resource 120 and indicate that proximity-based access to the resource 120 is desired.  For example the user 102 may access an interface of the access control agent running on the resource 120 and select an option to configure proximity-based access – Xia: col. 22, lines 29-34 – Note: user initiates interacting with resource 120 through browser and/or access control agent); 
sending, by the resource service application, an authentication request to an authentication server to authorize access to the resource (In step 304, the resource 120 outputs a security code.  The resource 120 may generate the security code, or may request a security code from and receive a security code from the server 130. The security code may be, for example, a phrase, a number, or an optical machine-readable code (such as a QR code or a barcode) –Xia: col. 22, lines 35-38); 
receiving, by a shared authentication application of a mobile IHS, a query from a first authentication server to verify a status of a first shared authentication token, the first shared authentication token indicating that an authenticated state between the client IHS and the mobile IHS exists (In step 306, the mobile device 110 receives the security code that was output by the resource 120.  The user may enter the security code into the access application running on the mobile device 110.  For example, the user of the device 110 may use a camera at the mobile device 110 to capture an image of a QR code displayed on the screen of the resource 120.  This image may be processed by the access application on the device 110 to extract data that can be sent to the resource 120 as verification that the user 102 is present and authorized to perform the configuration. As another example, the user 102 may read the code from the resource 120 and enter the code (e.g., speak or type) to the mobile device 110.   In step 308, the mobile device 110 sends the security code for verification – Xia: col. 22, lines 45-59); 
responding, by the shared authentication application when the first shared authentication token is valid, to the query that the first shared authentication token is valid (In step 310, the resource 120 receives the security code from the mobile device 110 (e.g., directly or indirectly). In step 318, the computer verifies that the received security code matches the security code output by the device.  In the example of a QR code, the computer determines that the data received matches the data encoded by the QR code.  By receiving the same security code that was output locally by the resource 120, the access control agent running on the resource 120 can verify that the mobile device 110 is actually in proximity to the resource 120. Further, receipt of the security code through the authorized channels (e.g., from the server 130 or through a message from the access application) can demonstrate that the user's mobile device 110 is a trusted member of the security platform – Xia: col. 22, lines 66-67 and col. 23, lines 1-9); 
receiving, by the resource service application, a response to the authentication request (Further, receipt of the security code through the authorized channels (e.g., from the server 130 or through a message from the access application) can demonstrate that the user's mobile device 110 is a trusted member of the security platform – Xia: col. 23, lines 10-13); and 
granting, by the resource service application, access to the resource when the first shared authentication token indicates that the first shared authentication token is valid (The pairing of the mobile device 110 with the resource 120, using the access control agent and the access application as described above, indicates that the mobile device 110 should be treated as an authentication factor or token for granting access to the resource 120.  For example, the pairing establishes that the presence of the mobile device 110 near the resource 120 can be accepted as evidence of the presence of the authorized user 102 for purposes of granting access to the resource 120  – Xia: col. 24, lines 28-36);
determining, by a first authentication application of the client IHS (Note: access control agent on resource 120) and by a second authentication application of the mobile IHS (Note: access application on device 110), whether or not the client information handling system and the mobile information handling system are communicatively coupled (By receiving the same security code that was output locally by the resource 120, the access control agent running on the resource 120 can verify that the mobile device 110 is actually in proximity to the resource 120.  Further, receipt of the security code through the authorized channels (e.g., from the server 130 or through a message from the access application) can demonstrate that the user's mobile device 110 is a trusted member of the security platform - Xia: col. 23, lines 10-16); 
requesting, by the second authentication application, authentication credentials from the first authentication application, the authentication credentials authenticating that the client IHS is authorized to utilize the mobile IHS (In step 308, the mobile device 110 sends the security code for verification.  As illustrated, the mobile device can send the security code to the resource 120 directly, for example, over the wireless connection between the mobile device 110 and the resource 120 – Xia: col. 22, lines 58-62); 
receiving, by the second authentication application, the authentication credentials (In step 314, the server 130 provides credential information to the mobile device 110 over a network.  This information may include a list of credentials for the user.  In some implementations, the mobile device 110 or the resource 120 contacts the server 130 to indicate that proximity-based access is being configured.  For example an identifier for the resource 120 may be provided to the server 130 by either the mobile device 110 or the resource 120.  Based on records stored by the server 130, the server may determine which credentials possessed by the user 102 associated with the mobile device 110 are able to be used for creating access to the resource 120 – Xia: col. 23, lines 27-38); 
creating, by the second authentication application, an authentication key that represents that the client IHS is authorized to utilize the mobile IHS (In step 326a and step 326b, the mobile device 110 and the resource 120 form an association.  This association may be a pairing of the mobile device 110 with the resource 120.  Pairing may be performed using the operating system's Bluetooth libraries, and thus may use the native Bluetooth functionality of the device for added security.  The mobile device 110 and the resource 120 each store data that indicates the association.  This may include typical data used for Bluetooth pairing, such as a link key or other identifier, and may additionally include settings and other data respectively stored by the access control agent and the access application – Xia: col. 24, lines 13-22;
Xia discloses “[t]he pairing of the mobile device 110 with the resource 120, using the access control agent and the access application as described above, indicates that the mobile device 110 should be treated as an authentication factor or token for granting access to the resource 120” – Xia: col. 24, lines 28-33 – Note: pairing is associated with a link key, Xia is not relied on to explicitly disclose but in view of Agarwal discloses creating, by the second authentication application, a second shared authentication token based on the authentication key (the application server 68 may receive a cryptographic hash value calculated based on an authentication token, or the requested access may be signed by a private key corresponding to the session held by the browser 66, and the application server 68 may verify the signature with the public key corresponding to the session provided by the application server 68 by the authorization server 70 in an earlier authorization – Agarwal: par. 0061); and 
after creating the second shared authentication token, invalidating, by the second authentication application, the second shared authentication token in response to determining that the client IHS and the mobile IHS are not communicatively coupled (As the second electronic device moves away, the first electronic device may lock itself or otherwise restrict access in response.  For example, after access has been allowed, the first electronic device may determine a signal strength of the wireless connection between the first electronic device and the second electronic device.  It may also determine that the signal strength satisfies a threshold level (e.g., decreases to or below a predetermined level), where the threshold level corresponds to distance to automatically restrict access to the first electronic device.  As a result, an access control agent can restrict access to the first electronic device (e.g., by locking a user session, logging out the user, etc.) – Xia: col. 32, lines 43-54 – Note: the second electronic device/device 110 moving away from the first electronic device/the resource 120 causes the signal strength to decrease below a threshold minimum level to a point wherein the device 110 can no longer be used as an authentication token that provides access to the resource 120, i.e., the shared authentication token is invalidated).
The same motivation to modify Xia in view of Agarwal applied above in claim 1 above applies here.

Per claim 17, Xia discloses a mobile information handling system (IHS) for providing shared credential authentication to a client IHS in, the mobile IHS comprising: 
a communication interface (the devices 110, 120 may communicate over multiple wireless communication links, concurrently or at different times, and the techniques discussed herein may be performed using any or all of the links – Xia: col. 11, lines 33-35 – Note: it is inherent that both devices have communication interfaces); and 
a processor to provide a shared authentication application (Note: device 110 and/or resource 120) configured to: 
determine whether or not the client IHS and the mobile IHS are communicatively coupled (In step 308, the mobile device 110 sends the security code for verification.  As illustrated, the mobile device can send the security code to the resource 120 directly, for example, over the wireless connection between the mobile device 110 and the resource 120.  Alternatively, the access application on the mobile device 110 can send the security code to the server 130, and the server 130 can relay the security code to the resource 120 along with an identifier for the device 110.  In step 310, the resource 120 receives the security code from the mobile device 110 (e.g., directly or indirectly). In step 318, the computer verifies that the received security code matches the security code output by the device.  In the example of a QR code, the computer determines that the data received matches the data encoded by the QR code.  By receiving the same security code that was output locally by the resource 120, the access control agent running on the resource 120 can verify that the mobile device 110 is actually in proximity to the resource 120  – Xia: col. 22, lines 58-67 and col. 23, lines 1-8); 
request authentication credentials from the client IHS, the authentication credentials authenticating that the client IHS is authorized to utilize the mobile IHS (In step 314, the server 130 provides credential information to the mobile device 110 over a network.  This information may include a list of credentials for the user.  In some implementations, the mobile device 110 or the resource 120 contacts the server 130 to indicate that proximity-based access is being configured.  For example an identifier for the resource 120 may be provided to the server 130 by either the mobile device 110 or the resource 120.  Based on records stored by the server 130, the server may determine which credentials possessed by the user 102 associated with the mobile device 110 are able to be used for creating access to the resource 120 – Xia: col. 23, lines 27-38); 
receive the authentication credentials (In step 324, the resource 120 receives the data sent by the mobile device 110.  This data may be sent, for example, over the wireless communication link between the devices 110, 120, or may be sent through respective connections with the server 130.  In some implementations, the data may be sent over another communication channel, such as another wireless connection - Xia: col. 24, lines 5-11); 
create an authentication key that represents that the client IHS is authorized to utilize the mobile IHS based upon the authentication credentials (In step 326a and step 326b, the mobile device 110 and the resource 120 form an association.  This association may be a pairing of the mobile device 110 with the resource 120.  Pairing may be performed using the operating system's Bluetooth libraries, and thus may use the native Bluetooth functionality of the device for added security.  The mobile device 110 and the resource 120 each store data that indicates the association.  This may include typical data used for Bluetooth pairing, such as a link key or other identifier, and may additionally include settings and other data respectively stored by the access control agent and the access application – Xia: col. 24, lines 12-22);
Xia discloses “[t]he pairing of the mobile device 110 with the resource 120, using the access control agent and the access application as described above, indicates that the mobile device 110 should be treated as an authentication factor or token for granting access to the resource 120” – Xia: col. 24, lines 28-33 – Note: pairing is associated with a link key, Xia is not relied on to explicitly disclose but in view of Agarwal discloses create a shared authentication token and a hash thereof based on the authentication key, the shared authentication token indicating that an authenticated state between the client IHS and the mobile IHS exists (the application server 68 may receive a cryptographic hash value calculated based on an authentication token, or the requested access may be signed by a private key corresponding to the session held by the browser 66, and the application server 68 may verify the signature with the public key corresponding to the session provided by the application server 68 by the authorization server 70 in an earlier authorization – Agarwal: par. 0061); 
after creating the shared authentication token, invalidate the shared authentication token in response to determining that the client IHS and the mobile IHS are not communicatively coupled (As the second electronic device moves away, the first electronic device may lock itself or otherwise restrict access in response.  For example, after access has been allowed, the first electronic device may determine a signal strength of the wireless connection between the first electronic device and the second electronic device.  It may also determine that the signal strength satisfies a threshold level (e.g., decreases to or below a predetermined level), where the threshold level corresponds to distance to automatically restrict access to the first electronic device.  As a result, an access control agent can restrict access to the first electronic device (e.g., by locking a user session, logging out the user, etc.) – Xia: col. 32, lines 43-54 – Note: the second electronic device/device 110 moving away from the first electronic device/the resource 120 causes the signal strength to decrease below a threshold minimum level to a point wherein the device 110 can no longer be used as an authentication token that provides access to the resource 120, i.e., the shared authentication token is invalidated);
 receive a query from an authentication server to verify a status of the shared authentication token (In some implementations, the access control agent receives a password or data indicating that the phone is authorized to perform actions using the credential.  In other implementations, the user may be required to provide perform an action, such as unlock the phone or enter data into the access application. If the phone determines that all required conditions are met for approval of the session, the phone approves the authentication.  In some implementations, the approval is transmitted from the phone to a server, the server sends the completed authentication session information to the access control agent of the computer, which passes it to the browser – Xia: col. 35, lines 42-51); and 
when the shared authentication token is valid, respond to the query that the shared authentication token is valid (the server sends the completed authentication session information to the access control agent of the computer, which passes it to the browser – Xia: col. 35, lines 51-54).
The same motivation to modify Xia in view of Agarwal applied above in claim 1 above applies here.

Per claim 3, Xia-Agarwal discloses the authentication system of claim 1, wherein the shared authentication application further provides a first update to the authentication server that the second shared authentication token is invalid in response to invalidating the second shared authentication token (The resource 120, the device 110, and/or the server 130 can apply security policies, usage restrictions, reporting functions, and logging functions associated with the credential in addition to determining whether appropriate proximity is detected… the user may set a distance for locking the computer when the user moves the phone away.  In this instance, the computer is set to lock itself automatically when it detects that the phone is has moved at least 15 feet away… after access has been allowed, the first electronic device may determine a signal strength of the wireless connection between the first electronic device and the second electronic device.  It may also determine that the signal strength satisfies a threshold level (e.g., decreases to or below a predetermined level), where the threshold level corresponds to distance to automatically restrict access to the first electronic device.  As a result, an access control agent can restrict access to the first electronic device (e.g., by locking a user session, logging out the user, etc.) –Xia: col. 27, lines 3-7 and 17-19 and col. 32, lines 43-54).

Per claim 4, Xia-Agarwal discloses the authentication system of claim 3, wherein the resource service application further receives a second update from the authentication server that the second shared authentication token is invalid (If the user 102 loses his mobile device 110 for example, the server 130 may communicate with the access application or the access control agent or both to cancel the association, thereby removing the mobile device 110 from being an authentication tractor to access the resource 120 – Xia: col. 25, lines 64-67 and col. 26, lines 1-2 – Note: Further, and as indicated in cited section for claim 3 the user sets distance; therefore, it is implied that when user loses his phone they are able to revoke/invalidate the lost phone so that the lost phone can no longer be used as an authentication factor/token).

Per claim 5, Xia-Agarwal discloses the authentication system of claim 4, wherein the resource service application further denies access to the resource in response to receiving the second update (the first electronic device identifies a security policy corresponding to the user credential, the security policy specifying one or more conditions that limit use of the user credential while the user credential is valid and unexpired.  This security policy can be obtained from a server system in response to identifying the second electronic device or the credential associated with the second electronic device, to obtain the most current security policy…If the first electronic device determines that one or more conditions of the credential are not satisfied, the first electronic device can deny access so that the user must log in manually – Xia: col. 33, lines 40-57 – Note: The first electronic device, i.e., resource 120, denies access to resource 120).

Per claim 6, Xia-Agarwal discloses the authentication system of claim 4, wherein the resource service application further provides an authentication process to a user of the client IHS in further response to receiving the second update (If the first electronic device determines that one or more conditions of the credential are not satisfied, the first electronic device can deny access so that the user must log in manually. As another example, if the first electronic device determines that one or more conditions of the credential are not satisfied, the first electronic device can require the user to enter additional authentication information, such as a biometric identifier or password, to the first electronic device or the second electronic device to further verify the user's identity before granting access  – Xia: col. 33, lines 53-63 – Note: The first electronic device, i.e., resource 120, requires manual login or additional authentication information).

Per claim 7, Xia-Agarwal discloses the authentication system of claim 1, wherein: 
the client IHS (Note: resource 120 with inherent communication interface) further includes a first communication interface (the devices 110, 120 may communicate over multiple wireless communication links, concurrently or at different times, and the techniques discussed herein may be performed using any or all of the links – Xia: col. 11, lines 31-35); 
the mobile IHS (Note: device 110) further includes a second communication interface (the devices 110, 120 may communicate over multiple wireless communication links, concurrently or at different times, and the techniques discussed herein may be performed using any or all of the links – Xia: col. 11, lines 31-35); and 
the first and second authentication applications further determine that the client IHS and the mobile IHS are communicatively coupled when the first and second communication interfaces are coupled (the user may be required to affirmatively indicate that the device 110 serves as an authentication factor. As another example, an access control agent program executing on the resource 120 may be involved in a pairing process specifically for establishing the device 110 as an authentication factor for the resource 120. As a result of the pairing, the device 110 and the resource 120 may store identifiers that allows the devices to identify each other.  Similarly, the device 110 and the resource 120 may store encryption keys or shared secret information (e.g., a unique link key corresponding to the pairing of the device 110 with the resource 120) allowing the devices to communicate securely or prove their identity to each other – Xia: col. 11, lines 44-56).

Per claim 8, Xia-Agarwal discloses the authentication system of claim 4, wherein the resource includes one of a virtual private network, a web service, and a bank payment system (When the user 102 later brings the trusted device 110 into physical proximity of the resource 120,the resource 120 and the trusted device 110 detect each other and communicate to provide the user 102 access to the resource 120 and/or logical resources (e.g., web pages, files, virtual private networks (VPNs), etc.) accessed using the resource 120 – Xia: col. 9, lines 49-55).

Per claim 11, Xia-Agarwal discloses the method of claim 9, further comprising: providing, by the shared authentication application, a first update to the first authentication server that the second shared authentication token is invalid in response to invalidating the second shared authentication token (The resource 120, the device 110, and/or the server 130 can apply security policies, usage restrictions, reporting functions, and logging functions associated with the credential in addition to determining whether appropriate proximity is detected… the user may set a distance for locking the computer when the user moves the phone away.  In this instance, the computer is set to lock itself automatically when it detects that the phone is has moved at least 15 feet away… after access has been allowed, the first electronic device may determine a signal strength of the wireless connection between the first electronic device and the second electronic device.  It may also determine that the signal strength satisfies a threshold level (e.g., decreases to or below a predetermined level), where the threshold level corresponds to distance to automatically restrict access to the first electronic device.  As a result, an access control agent can restrict access to the first electronic device (e.g., by locking a user session, logging out the user, etc.) –Xia: col. 27, lines 3-7 and 17-19 and col. 32, lines 43-54).

Per claim 12, Xia-Agarwal discloses the method of claim 11, further comprising: receiving, by the resource service application, a second update from the first authentication server that the second shared authentication token is invalid (If the user 102 loses his mobile device 110 for example, the server 130 may communicate with the access application or the access control agent or both to cancel the association, thereby removing the mobile device 110 from being an authentication tractor to access the resource 120 – Xia: col. 25, lines 64-67 and col. 26, lines 1-2 – Note: Further, and as indicated in cited section for claim 3, it is implied that when user loses his phone they revoke/invalidate the lost phone so that the lost phone can no longer be used as an authentication factor/token).

Per claim 13, Xia-Agarwal discloses the method of claim 12, further comprising: denying, by the resource service application, access to the resource in response to receiving the second update (the first electronic device identifies a security policy corresponding to the user credential, the security policy specifying one or more conditions that limit use of the user credential while the user credential is valid and unexpired.  This security policy can be obtained from a server system in response to identifying the second electronic device or the credential associated with the second electronic device, to obtain the most current security policy…If the first electronic device determines that one or more conditions of the credential are not satisfied, the first electronic device can deny access so that the user must log in manually – Xia: col. 33, lines 40-57 – Note: The first electronic device, i.e., resource 120, denies access to resource 120).
Per claim 14, Xia-Agarwal discloses the method of claim 12, further comprising: providing, by the resource service application, an authentication process to a user of the client IHS in further response to receiving the second update (If the first electronic device determines that one or more conditions of the credential are not satisfied, the first electronic device can deny access so that the user must log in manually. As another example, if the first electronic device determines that one or more conditions of the credential are not satisfied, the first electronic device can require the user to enter additional authentication information, such as a biometric identifier or password, to the first electronic device or the second electronic device to further verify the user's identity before granting access  – Xia: col. 33, lines 53-63 – Note: The first electronic device, i.e., resource 120, requires manual login or additional authentication information).

Per claim 15, Xia-Agarwal discloses the method of claim 11, further comprising: determining, by the authentication application, that the client IHS and the mobile IHS are communicatively coupled when the first and second communication interfaces are coupled (As a result of the pairing, the device 110 and the resource 120 may store identifiers that allows the devices to identify each other.  Similarly, the device 110 and the resource 120 may store encryption keys or shared secret information (e.g., a unique link key corresponding to the pairing of the device 110 with the resource 120) allowing the devices to communicate securely or prove their identity to each other…the resource 120 detects the paired device 110, and based on stored records of which pairing links or devices represent authentication tokens, the resource 120 determines that the device 110 represents a valid authentication token.  The resource 120 can also determine whether the device 110 is located sufficiently close to the resource 120 to trigger automatic access – Xia: col. 11, lines 24-40 and col. 12, lines 6-14).

Per claim 16, Xia-Agarwal discloses the method of claim 9, wherein the resource includes one of a virtual private network, a web service, and a bank payment system (When the user 102 later brings the trusted device 110 into physical proximity of the resource 120,the resource 120 and the trusted device 110 detect each other and communicate to provide the user 102 access to the resource 120 and/or logical resources (e.g., web pages, files, virtual private networks (VPNs), etc.) accessed using the resource 120 – Xia: col. 9, lines 49-55).

Per claim 18, Xia-Agarwal discloses the mobile IHS of claim 17, wherein the shared authentication application further operates to provide a first update to the authentication server that the shared authentication token is invalid in response to invalidating the shared authentication token (Policies set for the credential generally may be applied when proximity-based access is attempted.  The policies can be maintained and updated at a server system, and these changes may flow through to the local device interactions.  As a result, administrators can more easily track and enforce security across an enterprise environment.  The access can thus be tied to specific credentials, which may be maintained, modified, or revoked independent of the resource that the user's device can unlock…because proximity-based access attempts are tied to a credential, policies for reporting, logging, or other tracking can be applied.  Thus, the device 110 or the resource 120 or both can provide data about successful and unsuccessful access attempts, as defined by policies for the credential – Xia: col. 14, lines 24-33 and 45-50).

Per claim 19, Xia-Agarwal discloses the mobile IHS of claim 18, wherein: 
the mobile IHS further includes a communication interface (in the example of FIG. 1, the trusted device 110 and the resource 120 communicate using a short-range wireless communication channel 105, such as a direct wireless radiofrequency (RF) communication link between the devices 110, 120.  Examples include wireless personal area networks, communications according to IEEE 802.15, and Bluetooth, e.g., communication using IEEE 802.15.1 protocols or other Bluetooth standards– Xia: col. 11, lines 15-35); and 
the authentication application further operates to determine that the client IHS and the mobile IHS are communicatively coupled when the communication interface is coupled to the client IHS (In general, a direct communication link between the devices 110, 120 is used and signal strength over the wireless communication link is used as an indicator of distance between the devices 110, 120.  Other techniques for determining distance between devices, including GPS location tracking and WI-FI triangulation, can additionally or alternatively be used to determine proximity of one device to another.  In some implementations, the devices 110, 120 may communicate over multiple wireless communication links, concurrently or at different times, and the techniques discussed herein may be performed using any or all of the links. In the example, the device 110 and the resource 120 have previously been associated, e.g., paired or bonded using Bluetooth, and the device 110 has been designated to represent an authentication factor, representing authorized user 102, for obtaining access to the resource 120 – Xia: col. 11, lines 24-40).

Per claim 20, Xia-Agarwal discloses the mobile IHS of claim 17, wherein the resource includes one of a virtual private network, a web service, and a bank payment system (When the user 102 later brings the trusted device 110 into physical proximity of the resource 120,the resource 120 and the trusted device 110 detect each other and communicate to provide the user 102 access to the resource 120 and/or logical resources (e.g., web pages, files, virtual private networks (VPNs), etc.) accessed using the resource 120 – Xia: col. 9, lines 49-55).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Ding (US2019/0089693A1) discloses generating authentication tokens based on the identification information of a target device, wherein the authentication tokens may be time limited, and thus a management server saves respective expiration times of the authentication tokens in a database 40. In some embodiments, the authentication tokens saved in the database 40 may include corresponding status fields configured to indicate the current state of the respective authentication token. The status may be saved separately from the authentication token but linked to the authentication token.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533.  The examiner can normally be reached on Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/AREZOO SHERKAT/Examiner, Art Unit 2434