Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Jakobsson (US Patent 10348720).

As per claims 1, 8, and 15:  Jakobsson discloses a non-transitory computer-readable medium storing computer-executable instructions that when executed by at least a processor of a computer cause the computer to (see abstract):
receive, by an authentication service, a service-to-service communication where a first service initiates a call that requests access to user data from a second service (Col 32, lines 60-67; A request for an authentication setup for a first user of a first service provider is received);
identify, by the authentication service, the first service, the second service, and a user profile associated with the call (Col 33, lines 12-14; provide authentication services on behalf of a second service provider);
access, by the authentication service, a set of cloud policies and a set of tenant policies, and determine, by the authentication service, which selected cloud and tenant policies from the set of cloud policies and the set of tenant policies are associated with the user profile, the first service, and the second service (Col 33, lines 29-36);
apply, by the authentication service, the selected cloud and tenant policies to the service-to-service communication to determine if the first service is authorized to access the user data from the second service (Col 33, lines 29-36; wherein stimuli presented to users of the first service provider are selected based at least in part on a first set of policies provided to the authentication system by the first service provider, and wherein stimuli presented to users of the second service provider are selected based at least in part on a second set of policies provided to the authentication system by the second service provider); and
authorize, by the authentication service, access or deny access to the first service based on whether the selected cloud policies and the selected tenant policies related to the user profile, the first service, and the second service have been satisfied (Col 17, lines 55-58; "allow access" or "deny access").
As per claims 2, 9 and 16:  The non-transitory computer-readable medium of claim 1, wherein the apply the selected cloud and tenant policies step is further comprised of the step of:
determine, by an authentication service, (i) if the first service is authorized to contact the second service, and (ii) if the first service is authorized to obtain the user data about the user from the second service by applying the selected cloud and tenant policies by the authorization service (Col 33, lines 29-36; wherein stimuli presented to users of the first service provider are selected based at least in part on a first set of policies provided to the authentication system by the first service provider, and wherein stimuli presented to users of the second service provider are selected based at least in part on a second set of policies provided to the authentication system by the second service provider).
As per claims 3, 10 and 17:  The non-transitory computer-readable medium of claim 1, wherein the step of identify, by the authentication service, the first service, the second service, and a user profile associated with the call is further comprised of the step of:
provide, by the authentication service, a security token to the first service (Col 24, lines 57-67; The service provider (e.g., "Acme Bank") maps a username (e.g., "AliceJones") to a string that represents both a pseudonym and key (e.g., "ABCD12345678"). The string consists of two parts: an index PS.sub.A (e.g., "ABCD") for retrieval by system 102 of the correct profile, and a decryption key PS.sub.B (e.g., "12345678") for decryption of encrypted portions of the profile).
As per claims 4 and 11:  The non-transitory computer-readable medium of claim 1, wherein the authentication service is further comprised of:
(Col 11, lines 24-26; Acme Bank (or retailer 122 or Alice) may also forbid the re-use of any existing profiles for a user and require that a completely new profile be created for the user).
As per claims 5, 12 and 18:  The non-transitory computer-readable medium of claim 2, further comprising instructions that when executed by at least the processor cause the processor to:
responsive to the authorization service authorizing access to the first service, instructing the second service by the authentication service to provide access to the user data about the user in the second service to the first service (Col 33, lines 29-36; wherein stimuli presented to users of the first service provider are selected based at least in part on a first set of policies provided to the authentication system by the first service provider, and wherein stimuli presented to users of the second service provider are selected based at least in part on a second set of policies provided to the authentication system by the second service provider).
As per claims 6, 13 and 19:  The non-transitory computer-readable medium of claim 2, further comprising instructions that when executed by at least the processor cause the processor to:
responsive to the authorization service determining that the first service is not authorized to contact the second service, denying, by the authentication service, access to user data by the first service (Col 17, lines 55-58; "allow access" or "deny access"); and
(Col 33, lines 29-36; wherein stimuli presented to users of the first service provider are selected based at least in part on a first set of policies provided to the authentication system by the first service provider, and wherein stimuli presented to users of the second service provider are selected based at least in part on a second set of policies provided to the authentication system by the second service provider).
As per claims 7, 14 and 20:  The non-transitory computer-readable medium of claim 2, further comprising instructions that when executed by at least the processor cause the processor to:
responsive to the authorization service determining that the first service is not authorized to obtain the user data about the user from the second service, denying, by the authentication service, access to user data by the first service (Col 17, lines 55-58; "allow access" or "deny access"); and 
instructing the second service by the authentication service that the first service is not authorized to obtain the user data about the user from the second service (Col 33, lines 29-36; wherein stimuli presented to users of the first service provider are selected based at least in part on a first set of policies provided to the authentication system by the first service provider, and wherein stimuli presented to users of the second service provider are selected based at least in part on a second set of policies provided to the authentication system by the second service provider).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571)270-1472.  The examiner can normally be reached on 730-330pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.