DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/16/2020 has been entered.
 
Status of Claims
Applicant's “Request for Continued Examination” filed on 11/16/2020 has been considered.  
Claims 1, 8 and 15 are amended.
Claims 1-20 are currently pending and have been examined.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to 


Claims 1, 3-4, 6-8, 10-11, 13-15, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application No. 2015/0193781 A1 to Dave in view of U.S. Patent Application No. 2015/0161723 A1 to Rose.
	
Regarding Claim 1, Dave discloses a system, comprising: 
A system comprising: one or more computer processors; and a computer-readable medium storing instructions that, when executed by the one or more computer processors, cause the system to perform operations comprising: 
receiving authentication request data from a client; ([0031] The authentication mechanism represents the information presented by user 135 to verify the user's identity. Examples of an authentication mechanism may include an online password, in-house customer or transactional data such as information from the user's last bill, a PIN, an access ID, a verbal password, a typed password, device identification, or biometrics such as a finger print or voice print. [0032] user 135 may be instructed to provide a combination of different authentication mechanisms.)
identifying a plurality of third-party sources for authenticating the client; ([0017] One or more third-party data sources 130 may refer to any channel or entity that is not within enterprise 110. For example, a third-party data source 130 may include Lexis/Nexis®, Experian®, Dunn & Bradstreet®, and Early Warning℠, and provides information about user 135. Other third-party data sources may provide information regarding device reputation, for example who owns 
transmitting a plurality of authentication requests to servers for the plurality of third-party sources; ([0033] KBVM server 140 receives the request and gathers information from third-party data sources 130 and one or more enterprise channels 125. [0018] Enterprise 110 may refer to a financial institution, such as a bank, and may include one or more servers 140 (servers for the plurality of third party sources), one or more channel modules 125, one or more enterprise centers 151, one or more enterprise administrators 150, and one or more ATMs 152.)
in response to receiving authentication response data from the plurality of third-party sources, determining a first set of privileges and a second set of privileges, ([0014] User 135 provides a request to KBVM server 140 utilizing user device 115. KBVM server 140 may then receive information from a plurality of channels, including channel modules 125 within enterprise 110 and third-party data sources 130 (information received from third party data sources/channels is authentication response data). In some embodiments, KBVM server 140 may calculate a risk score associated with user 135 based on the received information and determine an authentication level (sets of privileges) associated with the activity requested by user 135.) the second set of privileges including one or more privileges excluded from the first set of privileges; ([0024] an authentication level may include categories such as regular inquiry, step-up inquiry, regular maintenance, step-up maintenance, high risk 
granting the client access to first resources with the first set of privileges; and granting the client access to second resources with the second set of privileges. ([0039] If multiple authentication mechanisms comply with the associated risk score and authentication level, KBVM server 140 may generate one token 166 that comprises information regarding multiple authentication mechanisms or may generate multiple tokens 166 that each comprises information regarding one authentication mechanism. [0047] If notification was received, then the system in step 332 determines that the user identity has been verified and then completes the requested activity in step 334.)

But does not explicitly disclose determining a plurality of authentication types for different portions of the authentication request data; identifying a plurality of third-party sources for authenticating the client based on the plurality of authentication types, the plurality of third-party sources corresponding to the plurality of authentication types; each authentication request in the plurality of authentication requests comprising a portion of the authentication request data.
Rose, on the other hand, teaches determining a plurality of authentication types for different portions of the authentication request data; identifying a plurality of third-party sources for authenticating the client based on the plurality of authentication types, the plurality of third-party sources corresponding to the plurality of authentication types; each authentication request in the plurality of authentication requests comprising a portion of the authentication request data. ([0028-0030] a first set/second of information is received from the customer; Fig. 5A [0036] Turning to FIG. 5A, a first verification index is determined as shown in Block 509-3A. A second verification index is determined as shown in Block 509-3B and a third verification index is determined in Block 509-3C. Each verification index (authentication type) represents evaluations using a particular set or area of information (portions of the request data). The sets or areas of information may or may not be mutually exclusive. One verification index may be based on the business information which includes searches drawn from public business records and business directories (third party sources). Another verification index may be based on the applicant information, for example name, address, Social Security Number (SSN) and contact information. Yet another verification index may be based on the relationship between the business and the authorized representative. This latter index may be based on the degree to which the agent can be linked to the business based on public records. These verification indices may be performed internal to the financial institution or by a third party (third party sources for authenticating). In FIG. 5B, the first, second and third verification indices are determined in Blocks 509-5A, 509-5B and 509-5C, respectively. Additional verification indices may also be 
It would have been obvious to one of ordinary skill in the art to include in the system, as taught by Dave, the features as taught by Rose, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. It further would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dave, to include the teachings of Rose, in order to provide verification of qualifications based on a set of criteria  (Rose, [0007]).
 
Regarding Claim 3, Dave in view of Rose teaches the system of claim 1. 
However, Dave does not explicitly teach wherein the operations further comprise: storing the authentication response data in an access level tier matrix for the client; and determining at least one of the first set of privileges or the second set of privileges from the access level tier matrix for the client.  
Rose, on the other hand, teaches wherein the operations further comprise: storing the authentication response data in an access level tier matrix for the client; and determining at least one of the first set of privileges or the second set of privileges from the access level tier matrix for the client.  Table 3 illustrates levels of enrollment (an access level tier matrix) for a client (High Med Low Tiers with associated sets of privileges (daily spending limits and ATM withdrawal limits)).


Regarding Claim 4, Dave in view of Rose teaches the system of claim 1. 
Dave discloses wherein the operations further comprise verifying an identity associated with the client based on the authentication response data.  ([0012]  receive and aggregate information about a user and user behavior from multiple disparate channels to verify the identity of a user before performing the requested transaction.)

Regarding Claim 6, Dave in view of Rose teaches the system of claim 1. 
However, Dave does not explicitly teach wherein the operations further comprise limiting the client to one or more transactions within a publication system that add up to a specified monetary amount based on the first set of privileges excluding the one or more privileges.  
Rose, on the other hand, teaches wherein the operations further comprise limiting the client to one or more transactions within a publication system that add up to a specified monetary amount based on the first set of privileges excluding the one or more privileges.  Table 3 illustrates levels of enrollment (an access level tier matrix) for a client (High Med Low Tiers 
It would have been obvious to one of ordinary skill in the art to include in the method, as taught by Dave, the features as taught by Rose, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. It further would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dave, to include the teachings of Rose, in order to determine a level based upon risk factors or business factors (Rose, [0051]).

Regarding Claim 7, Dave in view of Rose teaches the system of claim 1. 
Dave discloses wherein the operations further comprise: transmitting an authentication challenge to the client; receiving a response to the authentication challenge from the client; identifying a verification program associated with the authentication challenge; applying the verification program to the response to validate the response to the authentication challenge from the client; and determining at least one of the first set of privileges or the second set of privileges based on the verification program.  ([0032] user may be instructed to provide an authentication mechanism (authentication challenge) or a combination of different authentication mechanisms such as a password.  Once user provides authentication mechanism, KBVM server receives and determines whether it complies with risk score and authentication level of requested activity. [0033]  KBVM server gathers information from third-party data sources (identified 

Claim 8 recites a method comprising substantially similar limitations as claim 1.  The claim is rejected under substantially similar grounds as claim 1.
Claim 10 recites a method comprising substantially similar limitations as claim 3.  The claim is rejected under substantially similar grounds as claim 3.
Claim 11 recites a method comprising substantially similar limitations as claim 4.  The claim is rejected under substantially similar grounds as claim 4.
Claim 13 recites a method comprising substantially similar limitations as claim 6.  The claim is rejected under substantially similar grounds as claim 6.
Claim 14 recites a method comprising substantially similar limitations as claim 7.  The claim is rejected under substantially similar grounds as claim 7.
Claim 15 recites a computer-readable storage medium comprising substantially similar limitations as claim 1.  The claim is rejected under substantially similar grounds as claim 1.
Claim 17 recites a computer-readable storage medium comprising substantially similar limitations as claim 3.  The claim is rejected under substantially similar grounds as claim 3.
Claim 18 recites a computer-readable storage medium comprising substantially similar limitations as claim 4.  The claim is rejected under substantially similar grounds as claim 4.
Claim 20 recites a computer-readable storage medium comprising substantially similar limitations as claim 7.  The claim is rejected under substantially similar grounds as claim 7.


Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application No. 2015/0193781 A1 to Dave and U.S. Patent Application No. 2015/0161723 A1 to Rose in view of U.S. Patent No. 9,106,646 B1 to Zheng.

Regarding Claim 2, Dave in view of Rose teaches the system of claim 1. 
However, the combination of Dave and Rose does not explicitly teach wherein the operations further comprise identifying the plurality of authentication types of the different portions of the authentication request data based on a plurality of formats of the different portions of the authentication request data.  
Zheng, on the other hand, teaches wherein the operations further comprise identifying the plurality of authentication types of the different portions of the authentication request data based on a plurality of formats of the different portions of the authentication request data.  (Col 6 Ln 23-27: the authentication assistant 124 executed by the client device 102 may monitor incoming messages and may recognize messages having a particular format or using a particular protocol.)
It would have been obvious to one of ordinary skill in the art to include in the system, as taught by Dave and Rose, the features as taught by Zheng, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. It further would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination, to include the teachings of Zheng, in order to provide multi-factor authentication (Zheng, [Col 1 Ln 17-18]).
Claim 9 recites a method comprising substantially similar limitations as claim 2.  The claim is rejected under substantially similar grounds as claim 2.
Claim 16 recites a computer-readable storage medium comprising substantially similar limitations as claim 2.  The claim is rejected under substantially similar grounds as claim 2.


Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application No. 2015/0193781 A1 to Dave and U.S. Patent Application No. 2015/0161723 A1 to Rose in view of U.S. Patent Application No. 5,615,277 A1 to Hoffman.

Regarding Claim 5, Dave in view of Rose teaches the system of claim 1. 
However, the combination of Dave and Rose does not explicitly teach wherein the operations further comprise limiting the client to a specified number of transaction activities within a publication system based on the first set of privileges excluding the one or more privileges.  
Hoffman, on the other hand, teaches wherein the operations further comprise limiting the client to a specified number of transaction activities within a publication system based on the first set of privileges excluding the one or more privileges.  (Claim 2: providing a predetermined reduced level of access to said computer system limiting the number, type and amount of applications or transactions that can be conducted.)
It would have been obvious to one of ordinary skill in the art to include in the system, as taught by Dave and Rose, the features as taught by Hoffman, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have 
Claim 12 recites a method comprising substantially similar limitations as claim 5.  The claim is rejected under substantially similar grounds as claim 5.
Claim 19 recites a computer-readable storage medium comprising substantially similar limitations as claim 5.  The claim is rejected under substantially similar grounds as claim 5.


Response to Arguments
Applicant’s arguments with respect to rejection of the claim under 35 USC 103 have been considered but are moot in view of new grounds of rejection. 
Applicant argues that Doctor and Grigg fail to teach or suggest the features of independent claim 1, and the addition of Johnson and Mehta does not cure the deficiencies.
However, neither Doctor nor Grigg, nor Johnson nor Mehta are relied upon to teach these limitations in the claims.  Examiner directs Applicant’s attention to the office action, above.

Conclusion
	
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

US 2016/0087957 to Shah, discussing multi-factor authentication of a user to provide an assurance level required by a service provider.
US 9,444,824 to Balazs, discussing implementing adaptive levels of authentication assurance requiring a higher level of assurance to authorize access to more sensitive data.
US 9,137,228 to Newstadt, discussing multifactor authentication techniques by third parties to augment user access to an IdP.
US 2014/0096199 to Dave, discussing assigning trust levels to data sources and client devices to determine levels of allowed access and permissions.
US 2011/0167257 to Gossel, discussing confidence levels for certificates for security using third party information.
US 2009/0119299 to Rhodes, discussing user identity verification to assign access levels in response to validation requests.
US 2008/0256616 to Guarraci, discussing assigning clients different levels of trust based on a bootstrapping procedure and/or information provided during the procedure and utilizing a third-party authentication layer.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Michelle Therese Kringen whose telephone number is (571)270-0159.  The examiner can normally be reached on M-F: 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Marissa Thein, can be reached on (571)272-6764.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHELLE T KRINGEN/Primary Examiner, Art Unit 3625