Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
The instant application having Application No. 16/234,674 is presented for examination by the examiner.  Claims 1, 2, 4, 7, 9, and 18 are amended.  Claims 1-20 are pending.


Response to Arguments
Applicant's arguments filed 3/22/21 have been fully considered but they are not persuasive. With respect to the 35 USC §112(b) rejection, Applicant traverses the rejection of claims 12 and 19.  Applicant disagrees with the notion that the claims are unclear.  Examiner finds those claims unclear.  The issue is not understanding that "at least one user device" means there can be more than one device present.  The confusion arises from the phrase "at least one user device comprises".  There can be more than one user device.  That is clear.  This phrase means the at least one user device comprises two additional devices.  This is not the same as simply having two devices.  One device must contain/consist of/be made up of a first user device and a second user device.  A device is a tangible entity in and of itself.  It is not a placeholder or metaphysical object.  This claim construction is not like a system claim.  For example, I have at least one phone that comprises a memory and a screen.  Claims 12 and 19, in context with their respective parent claims, blur the relationship between what the user has.  If . 
As per the arguments with respect to claims 1 and 16, Applicant purports that the prior art does not explicitly teach repeatedly determining whether the secure communication channel is maintained.  Applicant alleges that monitoring expiration of a credential's validity period is completely different from repeatedly determining whether the secure channel is maintained.  Applicant does not further explain how the claims are distinguishable from the prior art.  If a credential is needed to create a secure session for a time and the secure session relies on that credential, then checking to make sure the session is within its time limit is not completely different from repeatedly determining whether the secure channel is maintained.  If there is a narrower interpretation of "determine", "maintain", or "secure channel" that Applicant is imparting in the arguments, then the claims should be amended to require more than simply monitoring that the secure channel is maintained.  The prior art clearly showed the channel will not be maintained if CRED2 expires [0070].  In view of the foregoing, respectfully, the rejection must be maintained.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 12 and 19 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention. 

As per claims 12 and 19, it is unclear how the user device comprises a first user device and a second user device.  Furthermore, the second user device is not actively recited to perform any function, so it is unclear how it is distinguishable from the user device and the first user device.  Are the first and second user devices merely part of the user device, or are they separate?  If they are separate, then the user device would not comprise them.  Appropriate correction is required.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5, 7, 8, 11, 12, 16, 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over WO 2015/073979 A1 to GOOD TECHNOLOGY CORPORATION (hereinafter "GTC") in view of US 2014/0157381 A1 to TELESIGN CORPORATION (hereinafter "TELESIGN").

As per claim 1, GTC discloses a security system comprising: 
at least one user device (authenticated communication (security) between a user device and a service associated with a network; abstract), the at least one user device storing a first authentication factor associated with a user for authorized access to plural secure access services (the user device 103 has a storing module 904 with data indicative of a user identity and corresponding password (first authentication factor associated with a user) used in an Authentication Token Protocol/ATP (for authorized access) to access provided services in different domains 201 or 301 (secure access services); paragraphs [0039], [0040], [0077]); and 
an authentication server communicatively coupled to the at least one user device via a network (authentication server 203 communicates with user device 103 over network 101 as depicted in figure 1); 
the authentication server configured to: 
receive a first authentication request for authorized access by the user to a first secure access service among the plural secure access services (server 203 (authentication server) receives authentication request REQ1 (for authorized access by the user) for access to a service provided in a first authentication domain 201 (first secure access service) from services provided by respective first or second authentication domains (plural secure access services); paragraphs [0039], [0040]; figure 5); and 
responsive to the first authentication request, establish a secure communication channel between the authentication server and the at least one user device (selectively establishing an authenticated communication as communication link L3 (secure communication channel) by the server 203 acting as a proxy with the user device 103 after (responsive to) receiving the authentication request REQ1 (first authentication request); paragraphs [0043], [0056]; figure 5), 
the at least one user device, responsive to the establishing of the secure communication channel, configured to: 
perform an authentication of the user via at least one user device according to a second authentication factor (the user device 103 generates and transmits an access request REQ5 in response to an authentication challenge (to perform an authentication of the user via the user device) comprising data indicative of service credential CRED2 (a second authentication factor) via (responsive to) the third communication link L3 (secure communication channel); paragraph [0057]); 
and transmit the authentication response to the authentication server via the secure communication channel (transmitting access request REQ5 in response to an authentication challenge (transmit the authentication response) to the server 203 (authentication server) acting as a proxy for authentication via the third communications link L3 (secure communication channel); paragraphs [0043], [0057]); the authentication server granting access to the first secure access service based on the authentication response (server 203 (authentication server) transmitting a portion of the service credential CRED2 (granting access) used for generating the aforementioned access request REQ5 (granting access to the first secure access service based on the authentication response); paragraph [0064]); 
the authentication server further configured to: 
repeatedly determine whether the secure communication channel between the authentication server and the at least one user device is maintained while the user accesses the first secure access service; and permit access to the first secure access service by the user while the secure communication channel is maintained (the server 203 (authentication server) monitors (repeatedly determine) for expiry of a predetermined validity period of service credential CRED2 used for authenticated communication via the third communication link L3 (determining whether the secure communication channel is maintained while the user accesses the first secure access service), which enables the user device to access the service provided via the third communication link L3 (permit access to the first secure access service by the user while the secure communication channel is maintained); paragraphs [0056], [0070]; claim 28 of GTC). 
GTC does not disclose responsive to the authentication of the user, generate an authentication response to the authentication server confirming the authentication, the authentication response indicating the first authentication factor. TELESIGN discloses responsive to the authentication of the user, generate an authentication response to the authentication server confirming the authentication, the authentication response indicating the first authentication factor (a client device provides a user response 205 to the authentication server (responsive to the authentication, generating an authentication response) to allow the server to perform an authentication of the user (confirming the authentication) using a first authentication factor selected from different authentication factors including something the user knows, something the user has, and something the user is (response indicating the first authentication factor); figure 2; paragraphs [0028], [0029]). It would have been obvious to one of ordinary skill in the art, before the effective filing date of invention, to modify the teaching of GTC to include responsive to the authentication of the user, generate an authentication response to the authentication server confirming the authentication, the authentication response indicating the first authentication factor as disclosed by TELESIGN, in order to gain the advantage of utilizing at least an additional authentication layer. 

As per claim 16, it is rejected for the same reason as claim 1.
As per claims 2 and 17, GTC in combination with TELESIGN discloses the system of claim 1 and the method of claim 16, respectively. Modified GTC additionally discloses wherein the authentication server is further configured to: receive a second authentication request for authorized access by the user to a second secure access service among the plural secure access services (the user separately generates a request message to server 203 (to receive a second authentication request for authorized access by the user) to subsequently complete authentication with a service in the second authentication domain 301 (a second secure access service among the plural secure access services); paragraph [0041]); 
determine whether the secure communication channel between the authentication server and the at least one user device is maintained within a predefined time limit while the user accesses the first secure access service (the server 203 monitors for expiry of a predetermined validity period of service credential CRED2 used for authenticated communication via the third communication link L3 (determining whether the secure communication channel is maintained within a predefined time limit while the user accesses the first secure access service); paragraphs [0056], [0070]; claim 28 of GTC); and 
permit access to the second secure access service by the user when the secure communication channel between the authentication server and the at least one user device is maintained within the predefined time limit, without re-authenticating the user (enabling (permit) the user device to access the service provided in the second authentication domain (access to the second secure access service by the user) via the third communication link L3 (when the secure communication channel is maintained within the predefined time limit) using the same service credential CRED2 (without re-authenticating the user); paragraphs [0038], [0043], [0056], [0070]; claim 28 of GTC).
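The session behaviour the examiner reads onto GTC for claims 1, 2 and 17 (and relies on again for claim 7) can be modelled as a small state machine: a service credential with a predetermined validity period backs the secure channel, the server repeatedly checks that the credential is still valid, access to a first service is permitted while it is, and a second service is reached over the same channel without re-authentication, but only within that time limit. The following Python model is an added illustration written for this page; it is not code from GTC, TELESIGN or the applicant, and the class names, the injected clock (`now`) and the second-factor callback are assumptions made for the example.

```python
"""Model of an authentication server that ties access to a secure channel whose
lifetime is the validity period of a service credential (CRED2 in GTC).
Illustrative only: names, clock injection and the verify callback are assumed."""
from dataclasses import dataclass, field


@dataclass
class Channel:
    """One established secure channel (GTC's link L3) for one device."""
    user: str
    expires_at: float                 # absolute time at which the credential lapses
    services: set = field(default_factory=set)


class AuthenticationServer:
    def __init__(self, validity_period: float, verify_second_factor):
        self.validity_period = validity_period
        # hypothetical callback: checks the user's second factor, returns bool
        self.verify_second_factor = verify_second_factor
        self.channels = {}            # device_id -> Channel

    def first_request(self, device_id, user, first_factor, second_factor, now):
        """Claim 1: on the first request, the device authenticates with the second
        factor and, on success, a channel with a bounded validity is established."""
        if not self.verify_second_factor(user, first_factor, second_factor):
            return False              # no channel without a successful second factor
        self.channels[device_id] = Channel(
            user=user, expires_at=now + self.validity_period)
        return True

    def channel_maintained(self, device_id, now):
        """Repeatedly callable check (claims 1, 7): the channel is maintained only
        while the credential is inside its validity period; expiry tears it down."""
        ch = self.channels.get(device_id)
        if ch is None:
            return False
        if now >= ch.expires_at:
            del self.channels[device_id]
            return False
        return True

    def request_service(self, device_id, service, now):
        """Claims 1, 2: permit access to any of the plural services while the channel
        is maintained; a second service needs no re-authentication inside the limit."""
        if not self.channel_maintained(device_id, now):
            return False
        self.channels[device_id].services.add(service)
        return True


def scenario():
    """Constructed walk-through; returns the sequence of access decisions."""
    users = {"alice": ("pw-alice", "otp-123")}      # constructed sample credentials

    def verify(user, first, second):
        return users.get(user) == (first, second)

    server = AuthenticationServer(validity_period=300.0, verify_second_factor=verify)
    decisions = [
        server.first_request("dev1", "alice", "pw-alice", "otp-123", now=0.0),  # channel up
        server.request_service("dev1", "email", now=10.0),        # first service permitted
        server.request_service("dev1", "docs", now=120.0),        # second service, no re-auth
        server.channel_maintained("dev1", now=299.0),             # still inside the limit
        server.request_service("dev1", "docs", now=300.0),        # credential expired: denied
        server.channel_maintained("dev1", now=301.0),             # channel is gone
        server.first_request("dev2", "alice", "pw-alice", "bad", now=0.0),  # wrong 2nd factor
    ]
    return decisions


if __name__ == "__main__":
    print(scenario())
```

The point the model makes concrete is the one argued in the response to arguments above: because the channel cannot outlive the credential, "is the credential still within its validity period?" and "is the secure channel still maintained?" are the same question asked of the same state.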

As per claim 5, GTC in combination with TELESIGN discloses the system of claim 1. Modified GTC additionally discloses wherein the authentication server is configured to verify the authentication response based on a public verification key (a response is transmitted by the user device to the server 203 (to verify the authentication response) using a communications link that is encrypted on the basis of a pre-shared secret key (public verification key); paragraphs [0053], [0065]).

As per claim 7, GTC in combination with TELESIGN discloses the system of claim 1. Modified GTC additionally discloses wherein the at least one user device and the authentication server are configured to perform a continuous authentication, responsive to the authentication server granting access to the first secure access service (the server 203 monitors for expiry of a predetermined validity period of service credential CRED2 used for authenticated communication via the third communication link L3 with the user device 103 (to perform a continuous authentication), enabling the user device to access the service provided via the third communication link L3 (responsive to the authentication server granting access to the first secure access service); paragraphs [0056], [0070]; claim 28 of GTC).
As per claim 8, GTC in combination with TELESIGN discloses the system of claim 1. Modified GTC additionally discloses wherein the second authentication factor includes at least one of a knowledge component and an inherence component (a portion of said credential of the second type (second authentication factor) includes a service ticket and a network address (knowledge component); claims 4, 5 of GTC).
As per claim 11, GTC in combination with TELESIGN discloses the system of claim 1. Modified GTC additionally discloses wherein the plural secure access services include at least one of a computing service and a computing device (the services are provided by application servers such as messaging services, email, document management, application management or remote device management services (a computing service); paragraphs [0038], [0041]).
As per claims 12 and 19, GTC in combination with TELESIGN discloses the system of claim 1 and the method of claim 16, respectively. Modified GTC additionally discloses wherein the at least one user device comprises at least one of a first user device and a second user device (user device 103 (a first user device); figure 1).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over GTC and TELESIGN as applied to claim 1 above, and further in view of US 8868923 B1 to HAMLET, J. et al. (hereinafter "HAMLET").

As per claim 3, GTC and TELESIGN do not disclose wherein the first authentication factor comprises a cryptographic key. HAMLET discloses wherein the first authentication factor comprises a cryptographic key (the first authentication factor is a smart card comprising both "something the user knows" and a private key; column 6, lines 2-11). It would have been obvious to one of ordinary skill in the art, before the effective filing date, to modify the teaching of GTC and TELESIGN to include wherein the first authentication factor comprises a cryptographic key as disclosed by HAMLET, in order to gain the advantage of using a first authentication factor on a smart card that has two elements, making it more difficult for an adversary to spoof.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over GTC and TELESIGN as applied to claim 1 above, and further in view of US 2013/0305325 (HEADLEY).

As per claim 4, GTC and TELESIGN do not disclose wherein the first authentication request is initiated via an out-of-bound communication protocol. HEADLEY discloses wherein the first authentication request is initiated via an out-of-bound communication protocol (during authentication of the claimant (first authentication request is initiated) a query is sent over an out-of-bound communication channel, where the query includes the first and second addresses (an out-of-bound communication protocol); paragraph [0016]). It would have been obvious to one of ordinary skill in the art, before the effective filing date, to modify the teaching of GTC and TELESIGN to include wherein the first authentication request is initiated via an out-of-bound communication protocol as disclosed by HEADLEY, in order to gain the advantage of using verification by a service provider on an out-of-bound channel that considers geographic locations of both first and second addresses, useful for detecting a man-in-the-middle scenario (HEADLEY; paragraph [0015]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over GTC and TELESIGN as applied to claim 1 above, and further in view of US 2010/0281249 A1 to DAS, S. et al. (hereinafter "DAS").
As per claim 6, GTC and TELESIGN do not disclose the secure communication channel is established via a transport layer security "TLS" mutual authentication. DAS discloses wherein the secure communication channel is established via a transport layer security "TLS" mutual authentication (transport layer security TLS for the mutual authentication and the key establishment is employed to carry out a TLS handshake between the point of service and the mobile devices over media independent handover protocol, where the TLS handshake establishes a security association or a secure session between the peers; paragraph [0109]). It would have .

Claims 13, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over GTC and TELESIGN as applied to claim 1 above, and further in view of US 2014/0282877 to Mahaffey (hereinafter "Mahaffey").
As per claim 13, GTC and TELESIGN are silent in explicitly teaching the authentication of the user includes performing the authentication of the user via the first user device according to the second authentication factor and confirming possession of the second user device, possession determined by the first user device based on detection of the second user device, the authentication response confirming the authentication by the first user device and the possession of the second user device.  On the other hand, Mahaffey teaches a continuous authentication system whereby the second device must stay in possession of the user during the session [0035], [0036].  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.   Adding a second device strengthens the security by adding an additional factor in the authentication process.  
As per claim 14, the combined system of GTC, TELESIGN, and Mahaffey teaches establishing a further secure communication channel between the first user device and the second user device, the authentication response confirming the 

As per claim 20, it is rejected for the same reasons as claims 13 and 14.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over GTC and TELESIGN as applied to claim 1 above, and further in view of US 6628671 B1 to DYNARSKI, R et al. (hereinafter "DYNARSKI").
As per claim 15, GTC and TELESIGN do not disclose wherein the authentication server periodically transmits information to at least one of the first secure access service and a service provider associated with the first secure access service indicating an authentication state of the first user device. DYNARSKI discloses wherein the authentication server periodically transmits information to at least one of the first secure access service and a service provider associated with the first secure access service indicating an authentication state of the first user device (the authentication server responsively issues an access-accept message (transmits information) to the network access server (secure access service) if the device is authorized to access the packet-switched network, e.g., the user of the device is a subscriber to the service, has paid its bills, etc. (indicating an authentication state of the first user device); column 3, lines 55-60). It would have been obvious to one of ordinary skill in the art, before the effective filing date, to modify the teaching of GTC to include wherein the authentication server periodically transmits information to at least one of .

Allowable Subject Matter
Claims 9, 10, and 18 are allowed.

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431