DETAILED ACTION
This Office Action is in response to the amendment filed on May 03, 2021.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-9 are pending and herein considered.

Response to Amendment
The amendment filed on 05/03/2021 has been entered and fully considered.

Response to Arguments
In light of the amendment filed 05/30/2021, the claim objection is withdrawn.
Applicant's arguments filed 05/30/2021 have been fully considered but they are not persuasive. For the following: 
Applicant’s argument:
“Kottahachchi and Gupta do not disclose performing, when the verification is not required by the device, to verify a set of the device and the program”.

In response:
The Examiner respectfully disagrees. Kottahachchi teaches, at least in paragraph 0028 pass results of authentication attempts within the client application to the directory service to enable the use of authentication control policies within the directory service to track failed authentication attempts and enforce security policies, such as lock out of an account after a predetermined number of failures; 0032 Another authentication control policy may permanently lock a user out of an account after five unsuccessful login attempts requiring intervention by an administrator to reset the account and password to allow for future logins (the Examiner interpret performing, when the verification is not required by the device, to verify a set of the device and the program as tracking of failed authentication attempt and since before multiple attempt is not at a predetermined number of time, the password is not reset, the verification is not required) and in paragraph [0033] an authentication request may be initiated when an end user attempts to logon to a client application 102 through front end application 108. Therefore, Kottahachchi teaches the argument above.

Claim Objections
Claim 1 objected to because of the following informalities:  claim 1 recites “… the second process…” in line 10. Appropriate correction is required.
Claims 4 and 6 are objected under similar rationale as claim 1.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 4 and 6 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter 

Regarding claims 4 and 6; claims 4 and 6 are rejected with similar rationale as claim 1.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-9 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta et al. (Gupta) U.S. Pub. Number 2014/0150100, in view of Kottahachchi U.S. Pub. Number 2009/0077645. 
Regarding claim 1; Gupta discloses a method executed by a computer that serves as an authentication apparatus for a program that operates on a device, the determination method comprising:
counting a number of times of execution of a first process related to the device (para. [0004] observing mobile device behaviors over a period of time to recognize mobile device behaviors inconsistent with normal operation patterns; para. [0010] mobile device hardware counters may include one or more of hardware counters that denote the state or status of the mobile computing device…that are configured to store a count or state of hardware-related activities or events); and
determining [[whether or not a verification is required]] based on a result of comparison between the number of times of execution of the first process and a number of times of execution of the second process, [[the number of times of execution of the second process is included in an authentication request which is received]] (para. [0058] by selecting new behaviors to observe, observing fewer behaviors, etc. based on the results of the on-line real-time analysis operations and/or the availability of system resources; para. [0086] the analyzer module 204 may be configured to analyze information…compare the generated models to information/observations received from the observer module 202 to identify suspicious mobile device behaviors; para. [0182] observed in block 904 for user interaction hardware drivers include the number of times …For example, users may repeatedly interact with the user interface to unlock the mobile device or login to an account … Monitoring the mobile device conditions and events at the driver level for user interaction hardware drivers may aid in determining, for example, whether unauthorized access to the user interaction with the user interface statistics are being monitored). The Examiner interpret first process as user 
Gupta does not disclose, which Kottahachchi discloses whether or not a verification is required based on a result of comparison between the number of times of execution of the first process and a number of times of execution of the second process, the number of times of execution of the second process is included in an authentication request which is received (focusing on underlined) (Kottahachchi: para. [0018] authenticating a user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures;  Kottahachchi: para. [0019] sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred if the authentication token does not match the security information);
performing, when the verification is not required, to verify a set of the device and the program (Kottahachchi: para. [0028] pass results of authentication attempts within the client application to the directory service to enable the use of authentication control policies within the directory service to track failed authentication attempts and enforce security policies, such as lock out of an account after a predetermined number of failures), and
transmitting, when the verification is required, a message for requesting the verification to the device (Kottahachchi: para. [0034] a search of the directory service may be done by passing the user identity information to directory service 104 by an operation defined in the protocol used to interact with the directory service. For example, in an LDAP directory service a search operation may be performed by an LDAP Search operation. Directory service 104 then searches the entries stored therein to determine if an entry matches the user identity information (step 206). If no match is found, the authentication request fails (step 208) and client application 102 can report back to end user 110 that the identity information submitted by the user is not recognized by the application).
whether or not a verification is required to verify the device based on a result of comparison; performing, when the verification is not required, to verify a set of the device and the program; and transmitting, when the verification is required, a message for requesting the verification to the device, as taught by Kottahachchi, in order to tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures. The motivation is to provide secure end user authentication and protection of resource against improper access to end user accounts. 

Regarding claim 2; the combination of Gupta and Kottahachchi discloses the determination method according to claim 1, wherein the first process is a credential authentication process for the program (Kottahachchi: para. [0017] receiving a authentication token from the directory service associated with the end user identity information), and the second process is a process of detecting reception of a result of the credential authentication process by the authentication apparatus (Kottahachchi: para. [0018] if a match is found, sending an authentication token associated with the user identity information to a client application; and receiving a request at the directory service to update the directory service with information that indicates whether successful authentication of the user occurred at the client application). The rationale to combine Gupta and Kottahachchi is the same as claim 1.

Regarding claim 3; the combination of Gupta and Kottahachchi discloses the determination method according to claim 2, further comprising adding a number of times of a process of communication with an external program performed in accordance with a procedure in which the authentication apparatus is not involved to the number of times of execution of the second process (Gupta: para. [0078] monitor/observe one or more hardware counters that denote the state or status of the mobile computing device… A hardware counter…is configured to store a count…or events occurring in the mobile computing device; Gupta: para. [0184] mobile device conditions and events at the driver level that may be selected in block 902 and observed in block 904 for synchronization hardware drivers include the number of times and/or when a type of channel security is read; para. [0185] Examples of mobile device conditions and events at the driver level that may be selected … include the number of times and/or when a usage mode is read. Such modes may include peer-to-peer, mobile-to-mobile, vehicle-to-vehicle, and infrastructure modes… Unauthorized reading of the various communications during different modes may provide information to relate mobile devices and users with other connected machines).

Regarding claim 4; Gupta discloses an authentication apparatus for a program that operates on a device, the authentication apparatus comprising:
a memory (fig.1 element 112); and
a processor coupled to the memory (fig.1 element 101) and configured to
count a number of times of execution of a first process related to the device (para. [0004] observing mobile device behaviors over a period of time to recognize mobile device behaviors inconsistent with normal operation patterns; para. [0010] mobile device hardware counters may include one or more of hardware counters that denote the state or status of the mobile computing device…that are configured to store a count or state of hardware-related activities or events); and
determine [[whether or not a verification is required]] based on a result of comparison between the number of times of execution of the first process and a number of times of execution of the second process, [[the number of times of execution of the second process is included in an authentication request which is received]] (para. [0058] by selecting new behaviors to observe, observing fewer behaviors, etc. based on the results of the on-line real-time analysis operations and/or the availability of system resources; para. [0086] the analyzer module 204 may be configured to analyze information…compare the generated models to information/observations received from the observer module 202 to identify suspicious mobile device behaviors; para. [0182] observed in block 904 for user interaction hardware drivers include the number of times …For example, users may repeatedly interact with the user interface to unlock the mobile device or login to an account … Monitoring the mobile device conditions and events at the driver level for user interaction hardware drivers may aid in determining, for example, whether unauthorized access to the user interaction with the user interface statistics are being monitored). The Examiner interpret first process as user interacting with the interface to make a login to a user’s account and a second process as a result of the login request, for instance.
Gupta does not disclose, which Kottahachchi discloses whether or not a verification is required based on a result of comparison between the number of times of execution of the first process and a number of times of execution of the second process, the number of times of execution of the second process is included in an authentication request which is received (focusing on underlined) (Kottahachchi: para. [0018] authenticating a user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures;  Kottahachchi: para. [0019] sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred if the authentication token does not match the security information);
perform, when the verification is not required, to verify a set of the device and the program (Kottahachchi: para. [0028] pass results of authentication attempts within the client application to the directory service to enable the use of authentication control policies within the directory service to track failed authentication attempts and enforce security policies, such as lock out of an account after a predetermined number of failures). And
transmit, when the verification is required, a message for requesting the verification to the device (Kottahachchi: para. [0034] a search of the directory service may be done by passing the user identity information to directory service 104 by an operation defined in the protocol used to interact with the directory service. For example, in an LDAP directory service a search operation may be performed by an LDAP Search operation. Directory service 104 then searches the entries stored therein to determine if an entry matches the user identity information (step 206). If no match is found, the authentication request fails (step 208) and client application 102 can report back to end user 110 that the identity information submitted by the user is not recognized by the application).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gupta to provide whether or not a verification is required to verify the device based on a result of comparison; perform, when the verification is not required, to verify a set of the device and the program; and transmit, when the verification is required, a message for requesting the verification to the device, as taught by Kottahachchi, in order to tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures. The motivation is to provide secure end user authentication and protection of resource against improper access to end user accounts. 

Regarding claim 5; claim 5 is directed to an authentication apparatus for a program which has similar scope as claim 2. Therefore, claim 5 remains un-patentable for the same reasons.

Regarding claims 6-7; claims 6-7 are directed to a non-transitory computer-readable storage medium which has similar scope as claims 1-2, respectively. Therefore, claims 6-7 remains un-patentable for the same reasons. 

Regarding claim 8; the combination of Gupta and Kottahachchi discloses the determination method according to claim 1, further comprising:
acquiring a difference value between the number of times of execution of the first process and the number of times of execution of the second process, wherein the determining includes determining whether or not the verification is required based on the difference value (Kottahachchi: para. [0018] authenticating a user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures;  Kottahachchi: para. [0037] LDAP directory service the update may be performed by an LDAP Modify operation. The update in step 216 may include, for example, setting an account state variable that tracks status of the last authentication attempt to "successful", resetting the count of failed authentication attempts to zero, clearing data associated with tracking the time of previous unsuccessful authentication attempts and the like. The actual updates performed to the account state information will depend on the type of information tracked by directory service 104 and the control policies implemented by the directory service). The rationale to combine Gupta and Kottahachchi is the same as claim 1.

Regarding claim 9; the combination of Gupta and Kottahachchi discloses the determination method according to claim 8, wherein the determining includes determining that the verification is required, when the different value is greater than a threshold value (Kottahachchi: para. [0018] authenticating a user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures;  Kottahachchi: para. [0019] sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred if the authentication token does not match the security information). The rationale to combine Gupta and Kottahachchi is the same as claim 8.

Examiner’s remarks to overcome the rejection above
Applicant is encouraged to contact the examiner to expedite prosecution with Examiner’s proposed amendment to overcome the rejection.

Related Art
The following prior art made of record and cited on PTO-892, but not relied upon, is considered pertinent to applicant’s disclosure:
U.S. Pat. No. 9,916,442 to “Lindo et al.” –Lindo discloses monitoring data input to and output from an application on a mobile device and determining whether a behavior of the application is anomalous based on the meta-data stored on the mobile device. Such systems and methods may include providing detailed data, which includes the data input to and output from the application, to another device in response to determining that the behavior of the application is anomalous based on the meta-data stored on the mobile device.

U.S. Pub. No. 2017/0220791 to “Shibutani et al.” – Shibutani discloses a fraud detection when a result of transmitting authentication information in response to the authentication request from a certain authentication device indicates that the number of authentication failures exceeds a threshold value preset in the wearable device, the wearable device detects that the transmitted authentication 

U.S. Pat. No. 10,594,678 to “Yoshii”. Yoshii discloses counting a number of times a request signal is received from the authentication target apparatus before completion of the authentication after the transmission of the challenge code; and performing a predetermined fail-safe process when the number of times the request signal is received is a set number of times or more based on a result of the counting.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VU V TRAN whose telephone number is (571)270-1708.  The examiner can normally be reached on M-F, 8 AM- 4 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/VU V TRAN/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491