Notice of Pre-AIA or AIA Status
The present application, filed on or after September 05, 2018, is being examined under the first inventor to file provisions of the AIA.

Examiner’s Note: The examiner called the applicant’s representative, Melanie Grover (Reg. No. 63599), on 03/22/2021 and 03/29/2021 in the interest of compact prosecution and indicated that claims 1 and 17 would be allowable by incorporating claim 2 or claim 10 into claims 1 and 17. The examiner further indicated that amended claim 11 is allowable. The applicant’s representative was not able to obtain the client’s approval of the proposed examiner’s amendment within the given time frame. Therefore the examiner has issued this Office action, objecting to claims 2, 10 and 11 as containing allowable subject matter.
Detailed Action
Claims 1-22 are pending and are being considered.
Claims 3, 11 and 17 have been amended.
Claims 11-16 are allowable.
Claims 2, 10 and 22 are objected to as containing allowable subject matter.
Response to 103 Arguments
Applicant’s arguments filed on 03/04/2021 have been fully considered.
In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).
In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, Coats (i.e. the primary reference) teaches receiving a request for a controlled access resource, determining that the request is not associated with a recognized location, and identifying state data for the device identifier. Coats further teaches an authentication token sent via email or SMS and used for authenticating the client device. The difference between Coats and the instant application is that the instant application uses a link for transmitting the generated token to the client device, whereas Coats uses SMS or email (which can broadly be interpreted as a link for carrying the token) to transmit the authentication token to the client device. To remedy this deficiency the examiner relied upon Gajda (i.e. the secondary reference), which teaches generating a link and a token and providing the generated token in the link for accessing a service; it would have been obvious to a person of ordinary skill in the art to implement Gajda’s teaching of generating a link and embedding a token in the link into the teaching of Coats with the motivation of securely accessing resources.

In response to applicant’s argument on page 13 of the remarks that Coats (i.e. the primary reference) and Gajda (i.e. the secondary reference) fail to teach the limitations “generating a link for accessing the controlled access resource at a server” and “providing the link to the client device, the link configured to be used by the client device to request the controlled access resource”, because the Office fails to make a prima facie case of obviousness as to generating a link and providing the link to the client for accessing the resource: Gajda teaches generating a return link. See [0033-0035], which teach that the token may be a copy of the token generated in block 330 and may be provided as a passed token 224. The passed token 224 may be embedded within the return link 222, or the passed token 224 and the return link 222 may be otherwise transmitted together. The return link may be passed to the client browser 130 running on client system 120 along with the passed token 224 (i.e. providing the link with the token to the client). The passed token 224 may be embedded within the return link 222. The return link 222 may be browsed by the client browser 130, causing a return script 230 to be loaded from the web service 110.
The applicant further argues that the return link of Gajda is not used for “accessing the controlled access resource”. The examiner acknowledges applicant’s viewpoint but respectfully disagrees, because the limitations “generating a link for accessing the controlled access resource at a server” and “providing the link to the client device, the link configured to be used by the client device to request the controlled access resource” recite an intended use of the link. Similarly, Gajda on [0020 and 0035] teaches “the return link 222 may be browsed by the client browser 130 upon completion of features associated with the login page 220 causing the return script 230 to be loaded from the web service 110” (i.e. accessing a resource). The return link 222 may be browsed to upon completion of the login page 220. The return link 222 may be browsed by the client browser 130, causing a return script 230 to be loaded from the web service 110 (i.e. the intended use of the link).
Applicant’s arguments regarding claim 11 are persuasive, and the rejection is moot. Therefore the rejection of claim 11 and dependent claims 1-16 is withdrawn.
Applicant’s arguments regarding claims 17-20 are moot in view of the new grounds of rejection. The arguments do not apply to the art currently being used.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/07/2021 was filed after the mailing date of application no. 16/122,294 on 09/05/2018. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-9 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Coats (WO 2016182555) in view of Gajda et al. (hereinafter Gajda) (US 20140137248).

Regarding claim 1, Coats teaches a method comprising (Coats on [0002-0003] teaches a system and method for multi-factor authentication);
receiving a request for a controlled access resource from a client device, the request including a client device identifier (Coats on [0040] teaches the mobile device 305 sends an authentication request 307 to the authentication service 320. The authentication service 320 may comprise a web service, such as a ReST API or other similar service, which gathers data about a user (e.g., the user's location). The authentication request 307 may comprise the user credentials and the triangulated position of the device 305. See on [0042] teaches the user's mobile device 505 transmits an authentication request 507 to the authentication service 515. The authentication request 507 may contain the user's credentials and the array of transmitter IDs/proximities (i.e. client device identifier; see 0044, a transmitter may be utilized by the mobile device for tracing the device). The authentication service 515 retrieves information about the user and the device);
determining that the request is not associated with a recognized location (Coats on [0028-0034] teaches the user provides credentials. The system determines whether or not the user is in an authorized space-time region based on the authorized user location and time obtained from the user data store. The user's location may be examined to determine if it falls within an approved geospatial rectangle, an approved point-radius, or within the bounds of any restrained area, and when authentication is not successful, factor bypass is denied and the user profile is obtained. The user's location may be determined to be outside of the approved geospatial rectangle and/or outside of the associated schedule range (i.e. the user is sending the request from an unauthorized location). As a result, the secured resource obtains the user's profile from the user data store. The user profile may contain an object such as a mobile number or email address);
and in response to determining that the request is not associated with a recognized location: identifying state data for the client device identifier (Coats on [0028-0034] teaches the user provides credentials. The system determines whether or not the user is in an authorized space-time region based on the authorized user location and time obtained from the user data store. The user's location may be examined to determine if it falls within an approved geospatial rectangle, an approved point-radius, or within the bounds of any restrained area, and when authentication is not successful, factor bypass is denied and the user profile is obtained. The user's location may be determined to be outside of the approved geospatial rectangle and/or outside of the associated schedule range (i.e. the user is sending the request from an unauthorized location). As a result, the secured resource obtains the user's profile (i.e. state data) from the user data store. The user profile may contain an object such as a mobile number or email address. See on [0042] teaches the user device sends an authentication request containing a transmitter ID (i.e. a device identifier for identifying the location of the device) to the authentication service. The authentication service retrieves the user profile (i.e. state data)).

Although Coats teaches generating an authentication token and sending the authentication token via SMS or email, it fails to explicitly teach generating a link for accessing the controlled access resource at a server, generating an encrypted token, the encrypted token including a timestamp, a random number, and licensed resource information, from the state data, including the encrypted token in the link, and providing the link to the client device, the link configured to be used by the client device to request the controlled access resource. However, Gajda from analogous art teaches generating a link for accessing the controlled access resource at a server (Gajda on [0004] teaches a return link, associated with a passed copy of the token, may be generated. The client may perform the redirect and return to the first web service according to the return link);
generating an encrypted token, the encrypted token including a timestamp, a random number, and licensed resource information, from the state data (Gajda on [0021 and 0031] teaches the client browser 130 may generate a token prior to the redirection. The generated token may comprise one or more of a random number, a nonce, a pseudorandom number, a user identifier, a client identifier (i.e. licensed resource information, interpreted in view of para 0024 as a subscriber identifier), a time stamp, and a date stamp. The token may incorporate encrypted information or other cryptographically protected information);
including the encrypted token in the link (Gajda on [0021 and 0033-0035] teaches token 224 may be embedded within, or otherwise transmitted along with, the return link 222);
and providing the link to the client device, the link configured to be used by the client device to request the controlled access resource (Gajda on [0035] teaches the return link may be passed to the client browser 130 running on client system 120 along with the passed token 224. The passed token 224 may be embedded within the return link 222. The return link 222 may be browsed by the client browser 130, causing a return script 230 to be loaded from the web service 110).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Gajda into the teaching of Coats by generating a link, including the encrypted token in the link, and providing the link to the client device for use in a request for accessing the resources. One would be motivated to do so in order to effectively protect against cross-site request forgeries, particularly in the context of browser redirections (Gajda on [0003]).

Regarding claim 6, the combination of Coats and Gajda teaches all the limitations of claim 1 above. Gajda further teaches wherein the recognized location is a domain name (Gajda on [0017] teaches information within the client storage 135 may only be accessible to a given web domain or web site that originally placed the information into the client storage 135).

Regarding claim 7, the combination of Coats and Gajda teaches all the limitations of claim 1 above. Coats further teaches wherein the recognized location is an Internet Protocol (IP) address (Coats on [0039] teaches an IP address as a recognized geolocation).
Regarding claim 8 the combination of Coats and Gajda teaches all the limitations of claim 1 above, Coats further teaches wherein the request is a query and the controlled access resource is a resource responsive to the query (Coats on [0040] teaches The mobile device 305 sends an authentication request 307 to the authentication service 320. The authentication service 320 may comprise a web service, such as a ReST API or other similar service, which gathers data about a user (e.g., the user's location). The authentication request 307 may comprise the user credentials and the triangulated position of the device 305. See on [0042] teaches the user's mobile device 505 transmits an authentication request 507 to the authentication service 515. The authentication request 507 may contain the user's credentials and the array of transmitter IDs/proximities. The authentication service 515 retrieves information about the user and the device (i.e. request from a location to access a service)).
Regarding claim 9 the combination of Coats and Gajda teaches all the limitations of claim 1 above, Coats further teaches wherein the client device identifier is a user account (Coats on [0016] teaches authenticating user account such as email account based on username and password).


Regarding claim 21 the combination of Coats and Gajda teaches all the limitations of claim 1 above, Gajda further teaches further comprising the client device using the link to request the controlled access resource, wherein using the link comprises sending the link in a request to a controlled resource server (Gajda on [0004] teaches A return link, associated with a passed copy of the token, may be generated. The client may perform the redirect and return to the first web service according to the return link. The passed copy of the token can be extracted from the return link. See on [0020] teaches a return link 222 may be passed to the login page 220 for use when returning from the redirected browsing. The return link 222 may be browsed by the client browser 130 upon completion of features associated with the login page 220 causing the return script 230 to be loaded from the web service.  See on [0035] teaches the return link may be passed to the client browser 130 along with the passed token 224. The passed token 224 may be embedded within the return link 222).

Claims 3-5 are rejected under 35 U.S.C. 103 as being unpatentable over Coats (WO 2016182555) in view of Gajda et al. (hereinafter Gajda) (US 20140137248) and further in view of Buhler et al. (hereinafter Buhler) (US 20160316365).

Regarding claim 3, the combination of Coats and Gajda teaches all the limitations of claim 1 above. Although the combination teaches state data, it fails to explicitly teach wherein the state data includes a time stamp, the client device identifier, and licensed resource information. However, Buhler from analogous art teaches wherein the state data includes a time stamp, the client device identifier, and licensed resource information (Buhler on [0027 and 0032] teaches generating the location credential (i.e. the state data record in the instant case). See on [0028] teaches the location credential stored in a database. See on [0034-0035] teaches the location credential includes the device identifier and the current device location (i.e. licensed resource information in the instant case). See on [0059] teaches the location credential generated by MNO server 6 certifies the device identifier sid, the location data l', and a timestamp t' which indicates the issue time for the location credential C.sub.loc. See also [claim 2] teaches the location credential further comprises a timestamp indicating an issue time for the location credential).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Buhler into the combined teaching of Coats and Gajda by having a state record including a timestamp, a device identifier and licensed resource information. One would be motivated to do so in order to authenticate different users of computers accessing resources (Buhler on [0001-0002]).

Regarding claim 4, the combination of Coats and Gajda teaches all the limitations of claim 1 above. Although the combination teaches licensed resource information such as a client identifier, the combination fails to explicitly teach wherein the licensed resource information represents the recognized location. However, Buhler teaches wherein the licensed resource information represents the recognized location (Buhler on [0034-0035] teaches the location credential includes the device identifier and the current device location (i.e. licensed resource information in the instant case)).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Buhler into the combined teaching of Coats and Gajda by having licensed resource information representing the recognized location. One would be motivated to do so in order to authenticate different users of computers accessing resources (Buhler on [0001-0002]).

Regarding claim 5, the combination of Coats, Gajda and Buhler teaches all the limitations of claim 4 above. Buhler further teaches wherein the licensed resource information represents the recognized location and controlled resources available to the recognized location (Buhler on [0027 and 0037] teaches the known location of the verifier server. See on [0019] teaches a resource controlled or operated by the service provider that may be used or acquired by a device user on a user computer. User computer 2 can be used by the device user in the vicinity of verifier server 4 to authenticate to the verifier server, thereby to obtain or access some resource controlled by the service provider. The location of the verifier server 4 may be predetermined for verifier server 4 or could itself be determined dynamically via a mobile network. See on [0034-0035] teaches the location credential includes the device identifier and the current device location).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Coats (WO 2016182555) in view of Gajda et al. (hereinafter Gajda) (US 20140137248) and further in view of Subramanya et al. (hereinafter Subramanya) (US 20170034152).
Regarding claim 17, Coats teaches a method comprising (Coats on [0002-0003] teaches a system and method for multi-factor authentication);
receiving a request for a controlled access resource from a client device, the request having a location (Coats on [0040] teaches the mobile device 305 sends an authentication request 307 to the authentication service 320. The authentication service 320 may comprise a web service, such as a ReST API or other similar service, which gathers data about a user (e.g., the user's location). The authentication request 307 may comprise the user credentials and the triangulated position (i.e. the request having a location) of the device 305. See on [0042] teaches the user's mobile device 505 transmits an authentication request 507 to the authentication service 515. The authentication request 507 may contain the user's credentials and the array of transmitter IDs/proximities (i.e. client device identifier; see 0044, a transmitter may be utilized by the mobile device for tracing the device). The authentication service 515 retrieves information about the user and the device);
determining that the location is not a recognized location (Coats on [0028-0034] teaches user provides credentials. Determine whether or not the user is in an authorized space time region based on authorized user location and time obtain from user data store. The user's location may be examined to determine if it falls within an approved geospatial rectangle, an approved point-radius, or within the bounds of any restrained area and when authentication is not successful, factor bypass is denied and the user profile is obtained. The user's location may be determined to be outside of the approved geospatial rectangle and/or outside of the associated schedule range (i.e. user is sending request from unauthorized location). As a result, the secured resource obtains the user's profile from the user data store. The user profile may contain an object such as a mobile number or email address);
and in response to determining that the location is not a recognized location, determining that the request includes a token (Coats on [0032-0035] determining that the user location is outside of approved location generating and transmitting an authentication token in form of a message);
wherein the client device would otherwise be denied access to the controlled access resource because the location is not a recognized location (Coats on [0020-0021] teaches authenticating a user to resource based on credential provided by user and validating the credential by comparing the store credential in a data store and secured resource obtains users profile from data store. See also on [0024-0026] teaches user is granted or denied access to resource based on validated token provided by user. See on [0032-0034] teaches determining if user is trying to achieve access to resource from an approved location in specific time and granting the access based on meeting the criteria otherwise the access is denied. See also on [0040-0041] teaches the authentication request 307 may comprise the user credentials and the triangulated position of the device 305. The Authentication Service 320 retrieves the user's profile, authorized locations, and any schedule restrictions from a database 325 and determines if these meet the access criteria for the user. An authentication response 322 is sent to the user's mobile device 305 and additional factors may be bypassed to allow the user access);
Although Coats teaches validating an authentication token for granting access to a resource, it fails to explicitly teach the token including a timestamp, a random number, and licensed resource information, and determining that the token is not expired based on the timestamp. However, Gajda from analogous art teaches the token including a timestamp, a random number, and licensed resource information, and determining that the token is not expired based on the timestamp (Gajda on [0021 and 0031] teaches the client browser 130 may generate a token prior to the redirection. The generated token may comprise one or more of a random number, a nonce, a pseudorandom number, a user identifier, a client identifier (i.e. licensed resource information, interpreted in view of para 0024 as a subscriber identifier), a time stamp, and a date stamp. The token may incorporate encrypted information or other cryptographically protected information (i.e. the timestamp in a token verifies whether the token is expired)).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Gajda into the teaching of Coats by having an unexpired token for accessing the resources. One would be motivated to do so in order to effectively protect against cross-site request forgeries, particularly in the context of browser redirections (Gajda on [0003]).
Although the combination of Coats and Gajda teaches granting or denying access to a request based on licensed resource information, it fails to explicitly teach determining that a resource is accessible. However, Subramanya from analogous art teaches determining that a resource is accessible (Subramanya on [0034, 0039-0041] teaches access management system 140 can determine the protected resources for which access is restricted, and permit access to those protected resources for which access is not restricted based upon successful authentication of user 102's credentials. Once credential information for user 102 is authenticated, an authentication session may provide access to protected resources accessible to the user. See on [0064 and 0070] teaches a request from a user for accessing a resource, authenticating the user based on the user’s credential information and, upon successful authentication, providing the requested resource. See on [0086] teaches matching the accessible resource with the requested resource and denying access to the resource if the resource is restricted (i.e. a determination is made whether the requested resource matches the accessible resources based on the user’s credential information)).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Subramanya into the combined teaching of Coats and Gajda by providing access to the resource if it matches the requested resource. One would be motivated to do so in order to enable a user to dynamically select resources for which access is to be restricted for a single SSO session (Subramanya on [0008]).

Claims 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Coats (WO 2016182555) in view of Gajda et al. (hereinafter Gajda) (US 20140137248) in view of Subramanya et al. (hereinafter Subramanya) (US 20170034152) and further in view of Pandey et al. (hereinafter Pandey) (US 20180332016).
Regarding claim 18, the combination of Coats, Gajda and Subramanya teaches all the limitations of claim 17 above. Although the combination teaches a token, it fails to explicitly teach wherein the token is encrypted and the method further includes decrypting the token. However, Pandey from analogous art teaches wherein the token is encrypted and the method further includes decrypting the token (Pandey on [0060] teaches decrypting the encrypted token).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Pandey into the combined teaching of Coats, Gajda and Subramanya by decrypting the encrypted token, verifying that it has not expired, and providing access to the resource. One would be motivated to do so in order to protect the resource from unauthorized access based on an unexpired token (Pandey on [0001]).

Regarding claim 19, the combination of Coats, Gajda and Subramanya teaches all the limitations of claim 17 above. The combination fails to explicitly teach wherein the token further includes an IP subnet and the method further includes determining that an IP address for the client device has an IP subnet that matches the IP subnet included in the token. However, Pandey teaches wherein the token further includes an IP subnet (Pandey on [0051] teaches the token includes the device IP address. See also Fig. 10, block 1020, which teaches the token has an IP address);
and the method further includes determining that an IP address for the client device has an IP subnet that matches the IP subnet included in the token (Pandey on [0042, 0047 and 0061-0062] teaches obtaining an IP address from the header of the data unit associated with the user credentials, and comparing the IP address to a known home, or approved location, IP subnet(s) (block 605). A particular IP subnet range may be associated with a known home network access location, or an approved network access location, of user 110).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Pandey into the combined teaching of Coats, Gajda and Subramanya by having an IP address in the token and matching the IP address. One would be motivated to do so in order to protect against unauthorized access to the desired resource (Pandey on [0001]).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Coats (WO 2016182555) in view of Gajda et al. (hereinafter Gajda) (US 20140137248) in view of Subramanya et al. (hereinafter Subramanya) (US 20170034152) and further in view of Guglani et al. (hereinafter Guglani) (US 20160092696).

Regarding claim 20 the combination of Coats, Gajda and Subramanya teaches all the limitations of claim 17 above, the combination fails to explicitly teach incrementing a counter for the token, the token being identified by the random number and determining that the counter for the token has not reached a threshold, However Guglani teaches incrementing a counter for the token (Guglani on [0041] teaches a token's use may be limited by the number of times a LUK can be used. Accordingly, the transaction count limitation reduces the chance that the token may be repeatedly misused. Furthermore, a token may be limited by duration. For example, a token may be limited to the life of a LUK which prevents the token from being used for longer than a specified duration. This may prevent the token from being misused over an extended period of time. See on [0121 and 0147] teaches after every transaction attempt initiated by the user, using a given token, token SDK may check if the number of transactions threshold for replenishing LUK has been exceeded. When the number of transactions threshold increases, token SDK may initiate LUK replenishment);
the token being identified by the random number (Guglani on [0093] teaches the token key may include a random generated number that is associated with the actual token to identify the token);
and determining that the counter for the token has not reached a threshold (Guglani on [0041] teaches a token's use may be limited by the number of times a LUK can be used. Accordingly, the transaction count limitation reduces the chance that the token may be repeatedly misused. Furthermore, a token may be limited by duration. For example, a token may be limited to the life of a LUK, which prevents the token from being used for longer than a specified duration. This may prevent the token from being misused over an extended period of time. See on [0121 and 0147] teaches after every transaction attempt initiated by the user, using a given token, the token SDK may check if the number of transactions threshold for replenishing the LUK has been exceeded. When the number of transactions threshold is exceeded, the token SDK may initiate LUK replenishment).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Guglani into the combined teaching of Coats, Gajda and Subramanya by identifying the token based on the random number and incrementing the token counter up to a threshold value. One would be motivated to do so in order to protect sensitive data from unauthorized access (Guglani on [0002-0004]).
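The limitations mapped above for claims 1, 17, 19 and 20 describe one mechanism end to end: a server generates an encrypted token carrying a timestamp, a random number, licensed resource information and an IP subnet, embeds it in a link handed to the client, and on the return request decrypts the token, checks that it has not expired, checks that the client's IP address falls in the token's subnet, and increments a per-token counter (keyed by the random number) against a threshold. The Python below is an added illustration written for this page; it is not code from the applicant or from Coats, Gajda, Subramanya, Pandey or Guglani. It assumes, as constructed details: an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a standard-library stand-in for an AEAD cipher such as AES-GCM, the JSON field names, the hypothetical host example.test, a 600-second token lifetime and a use threshold of three.

```python
"""Link-embedded encrypted access token: generation and server-side verification (illustrative)."""
import base64
import hashlib
import hmac
import ipaddress
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _derive_keys(master_key: bytes):
    """Split one master secret into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"token-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"token-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (assumed stdlib stand-in for AES-CTR)."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_token(master_key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC; returns URL-safe base64 of nonce || ciphertext || tag."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def decrypt_token(master_key: bytes, token: str):
    """Return the plaintext, or None if the token is malformed or its tag does not verify."""
    enc_key, mac_key = _derive_keys(master_key)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag check
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def generate_link(master_key: bytes, resource_url: str, state: dict, now=None) -> str:
    """Build the link: token (timestamp, random number, licensed resource, IP subnet) in the query string.

    Field names and the `state` keys are constructed for this example."""
    payload = {
        "ts": int(time.time()) if now is None else now,
        "rnd": secrets.token_hex(16),          # random number identifying this token
        "lic": state["licensed_resource"],     # licensed resource information
        "subnet": state["ip_subnet"],          # IP subnet the client must match
    }
    token = encrypt_token(master_key, json.dumps(payload).encode())
    return f"{resource_url}?{urlencode({'token': token})}"


class ResourceServer:
    """Controlled-resource server: validates the token and enforces a per-token use counter."""

    def __init__(self, master_key: bytes, ttl_seconds: int = 600, max_uses: int = 3):
        self.master_key = master_key
        self.ttl = ttl_seconds
        self.max_uses = max_uses
        self.counters = {}  # random number -> number of successful uses so far

    def check_link(self, link: str, client_ip: str, requested_resource: str, now=None):
        """Return (allowed, reason). Denied requests do not consume a use of the token."""
        now = int(time.time()) if now is None else now
        token = parse_qs(urlparse(link).query).get("token", [None])[0]
        if token is None:
            return False, "no token in link"
        plaintext = decrypt_token(self.master_key, token)
        if plaintext is None:
            return False, "token tampered or malformed"
        payload = json.loads(plaintext)
        if now - payload["ts"] > self.ttl:
            return False, "token expired"
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(payload["subnet"]):
            return False, "client IP outside token subnet"
        if payload["lic"] != requested_resource:
            return False, "requested resource not licensed"
        uses = self.counters.get(payload["rnd"], 0) + 1
        self.counters[payload["rnd"]] = uses
        if uses > self.max_uses:
            return False, "token use counter reached threshold"
        return True, "access granted"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    link = generate_link(key, "https://example.test/reports",
                         {"licensed_resource": "/reports", "ip_subnet": "10.1.0.0/16"})
    server = ResourceServer(key)
    print(server.check_link(link, "10.1.2.3", "/reports"))     # allowed
    print(server.check_link(link, "192.0.2.7", "/reports"))    # denied: subnet
```

The counter is incremented only after the integrity, expiry, subnet and resource checks pass, so a forged or mis-routed request cannot burn down a legitimate token's remaining uses; a production deployment would keep `counters` in shared storage rather than in process memory, and would use a vetted AEAD cipher in place of the HMAC-based construction assumed here.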
Allowable Subject Matter
Claims 2, 10 and 22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claims 11-16 are allowable.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN, whose telephone number is (571)272-3522. The examiner can normally be reached Monday through Thursday and alternate Fridays, 7 AM to 5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 






/MOEEN KHAN/Examiner, Art Unit 2436

/KENDALL DOLLY/Primary Examiner, Art Unit 2436