Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/03/2021 has been entered.

Status of Claims
Claims 1, 10 and 19 have been amended.  Claims 8, 17 and 20 have been cancelled.  Claims 1-7, 9-16, 18 and 19 are pending and have been considered.

Priority
Acknowledgment is made of no claims of foreign priority.

Drawings
The drawings filed on 09/24/2018 are accepted.

Specification
The specification filed on 09/24/2018 is accepted.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/10/2021 and 04/06/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicant's arguments with respect to the newly amended independent claims, such as “As noted during the teleconference, none of the cited references disclose or suggest at least the limitations of generating “an authentication score object comprising a plurality of fields for determining whether the user is authorized to initiate the electronic communications session or unauthorized to initiate the electronic communications session,” along with the specific fields listed in independent claims 1, 10, or 19.” (Remarks, page 8), have been fully considered and are moot in view of newly found prior art to Amar et al U.S. 2018/0109540 A1.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Avital et al U.S. 9,516,010 B1 in view of Nguyen et al U.S. 10,237,298 B1 in further view of Jang et al 2016/0147987 A1 and in further view of Amar et al U.S. 2018/0109540 A1.
Claims 1, 10 and 19: Avital et al teaches a tangible, non-transitory computer-readable medium storing instructions that, when executed by a server computer system, and a method comprising (col.3, lines 37-43, a computer program product having a non-transitory computer readable medium which stores a set of instructions to perform authentication) a server computer system comprising: 
a processor (col.3, lines 37-43, processing circuitry); and 
memory coupled to the processor and storing instructions that, when executed by the processor (col.3, lines 17-23, memory, and processing circuitry coupled to the network interface and the memory), cause the server computer system to perform operations comprising: 
detecting an attempt, by a client computing device of a user, to initiate an electronic communications session (Fig.5, item 202, col.1, lines 30-40, col.4, lines 35-55, col.9, line 63 to col.10, line 16, col.3, line receive an authentication request from a user operating a client apparatus, during an authentication session, the user to provide a device fingerprint from the client apparatus (i.e., "something you are"), a personal identification number or PIN (i.e., "something you know"), and an electronic credential from an integrated circuit credit card (i.e., "something you have")); 
retrieving a plurality of parameters, the plurality of parameters including: a username associated with the user, a password associated with the user, and a user agent identifier (col.2, lines 21-30, col.10, lines 5-17, the initial set of credentials includes a user identifier which uniquely identifies the user among other users, user password, and a set of smart phone parameters provided by the smart phone). 
generating, based on the plurality of parameters, an authentication score object comprising a plurality of fields, wherein the plurality of fields of the authentication score object includes a numerical score identifying a risk level associated with allowing the electronic communication session with the client computing device (col.10, lines 17-45, performing the risk-based authentication operation includes inputting the user identifier, the user password, and the set of smart phone parameters into a risk engine to produce, as the risk score, a numerical value indicating an amount of riskiness that the user is not authentic), an identifier associated with the authentication score object, a time the authentication score object was created, a time the authentication score object was modified, an indicator of whether the numerical score identifying the risk level associated with allowing the electronic communication session with the client computing device exceeds a predetermined threshold, an identifier associated with the user of the client computing device, or an indicator of whether the electronic communication session is allowed or rejected (Avital et al, col.10, lines 17-45, Nguyen et al, col.5, lines 30-65, Cashman et al par.141-150); and
 allowing or rejecting the electronic communication session with the client computing device based on the authentication score object (col.10, lines 17-45, the policy server 144 can perform a normal authentication operation which compares the generated risk score to a risk score threshold to determine whether authentication is deemed successful or unsuccessful. If the generated risk score is less than the risk score threshold, the policy server 144 indicates that authentication is successful and allows the user 42 to access the protected resource 48). 
Avital et al teaches allowing the electronic communication session with the client computing device based on the authentication score object, and further teaches that if the generated risk score is greater than the risk score threshold (signifying high risk that the user 42 is an imposter), the policy server 144 indicates that authentication is unsuccessful and takes remedial action (see col.10, lines 17-45).
Nguyen et al in a similar field of endeavor teaches
 rejecting the electronic communication session with the client computing device based on the authentication score object (col.6, lines 34-45, The scoring component 130 may calculate a security score for one or more of the entities, one or more authentication credentials, etc. based on a number of sessions initiated from a set of authentication credential. The security score may be utilized by the security component 140 to determine one or more actions, such as denying one or more additional sessions from being created or initiated or terminating one or more existing sessions associated with an entity or set of authentication credentials).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Avital et al with the additional feature of Nguyen et al in order to provide session management to detect and mitigate potentially malicious activity, thereby minimizing potential losses or damage, as suggested by Nguyen et al col.1, line 40 to col.2, line 35.
Jang et al in a similar field of endeavor teaches wherein the one or more fields of the authentication score object include: 
an identifier associated with the authentication score object, a time the authentication score object was created, a time the authentication score object was modified (par.307-309).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Avital et al with the additional feature of Jang et al in order to provide a method and an electronic device for performing an authentication on the basis of biometrics, as suggested by Jang et al abstract.
The combination does not explicitly teach; however, Amar et al in the same field of endeavor teaches 
an authentication score object comprising a plurality of fields for determining whether the user is authorized to initiate the electronic communications session or unauthorized to initiate the electronic communications session (Fig.7, par. 34, 40-42, The process determines 705 whether a risk token exists, and if so, evaluates 710 the risk token to determine if the risk token has a sufficient risk score relative to a threshold. When the risk token exists and reflects an insufficient or `bad` score, the resource may be blocked 715. When the risk token exists and has a sufficient score, an authorization may be generated 720 for the resource and/or for additional resources as discussed above)
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Avital et al with the additional feature of Amar et al in order to provide for securing access to content, and particularly enforcing an ordered access to content by a client device, as suggested by Amar et al par.2.

Claims 2-5 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Avital et al U.S. 9,516,010 B1 in view of Nguyen et al U.S. 10,237,298 B1 in further view of Jang et al 2016/0147987 A1 and Amar et al U.S. 2018/0109540 A1 and Cashman et al 2013/0124229 A1.
Claims 2 and 11: the combination does not explicitly teach; however, Cashman et al in a similar field of endeavor teaches wherein the memory further stores instructions for causing the server computer system to perform operations comprising: 
updating one or more fields in the authentication score object subsequent to allowing the electronic communication session (par.132-137); and 
par.137).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Avital et al with the additional feature of Cashman et al in order to provide systems and methods for computerized user self-registration, authentication, and authorization for access to a number of computerized services, as suggested by Cashman et al par.1.
Claims 3 and 12: the combination teaches
 wherein updating the one or more fields in the authentication object is performed periodically or in response to identifying a change in a parameter from the plurality of parameters (Cashman et al, par.138, 141). 
The same motivation to modify Avital et al in view of Cashman et al as applied to claims 1 and 10 above applies here.
Claims 4 and 13: the combination does not explicitly teach; however, Cashman et al in a similar field of endeavor teaches wherein the memory further stores instructions for causing the server computer system to perform operations comprising:
 updating one or more fields in the authentication score object subsequent to rejecting the electronic communication session (Cashman et al, par.132-137); and
Cashman et al, par.132-137). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Avital et al with the additional feature of Cashman et al in order to provide systems and methods for computerized user self-registration, authentication, and authorization for access to a number of computerized services, as suggested by Cashman et al par.1.
Claims 5 and 14:  the combination teaches
 wherein updating the one or more fields in the authentication object is performed periodically or in response to identifying a change in a parameter from the plurality of parameters (Cashman et al, par.138, 141). 
The same motivation to modify Avital et al in view of Cashman et al as applied to claims 1 and 10 above applies here.

Claims 6, 7, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Avital et al U.S. 9,516,010 B1 in view of Nguyen et al U.S. 10,237,298 B1 in further view of Jang et al 2016/0147987 A1 and Amar et al U.S. 2018/0109540 A1 and Grajek et al 2018/0069867 A1.
Claims 6 and 15: the combination teaches wherein the plurality of parameters include: 
Avital et al, col.10, lines 17-45,   Nguyen et al, col.5, lines 30-65). 
The combination does not explicitly teach; however, Grajek et al in a similar field of endeavor teaches 
wherein the plurality of parameters include: an indicator that an IP address associated with the client computing device is valid or invalid, an indicator that a profile associated with the user has IP restrictions, or an indicator that an IP address associated with the client computing device is known to the server computer system (par.31-32). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Avital et al with the additional feature of Grajek et al in order to provide systems and methods for computer user authentication using machine learning, as suggested by Grajek et al abstract.
Claims 7 and 16: the combination teaches wherein a field of the authentication score object includes a parameter from the plurality of parameters (Avital et al, col.10, lines 17-45, Nguyen et al, col.5, lines 30-65). 
The same motivation to modify Avital et al in view of Nguyen et al as applied to claims 1 and 10 above applies here.

Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Avital et al U.S. 9,516,010 B1 in view of Nguyen et al U.S. 10,237,298 B1 in further view of Jang et al 2016/0147987 A1 and Amar et al U.S. 2018/0109540 A1 and Harmon et al 2016/0021117 A1.
Claims 9 and 18: the combination teaches wherein the one or more fields of the 
The combination does not explicitly teach; however, Harmon et al in a similar field of endeavor teaches wherein generating the authentication score object includes: 
assigning a first weight to a first parameter from the plurality of parameters; assigning a second weight to a second parameter from the plurality of parameters, wherein the first weight is different from the second weight; and determining a field for the authentication score object based on the first parameter and the second parameter (par.65-67).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Avital et al with the additional feature of Harmon et al in order to provide electronic authentication for access to computing resources, and more particularly, to devices and methods for threat-based authentication, as suggested by Harmon et al
The following prior art is cited to further show the state of the art at the time of Applicants’ invention with respect to user session authentication:
Schultz et al U.S. 20090116703 A1: As illustrated, database 600 may maintain a group of entries in the following exemplary fields: a date/time field 610, a user identification (ID) field 620, a voice score field 630, a facial score field 640, and a file(s) field 650. Database 600 may maintain additional or different information than illustrated in FIG. 6. For example, database 600 may include fields that store other authentication score.
Moganti et al U.S. 20120084078 A1 teaches a scalable voice signature authentication capability is provided herein. The scalable voice signature authentication capability enables authentication of varied services such as speaker identification (e.g. private banking and access to healthcare account records), voice signature as a password (e.g. secure access for remote services and document retrieval) and the Internet and its various services (e.g., online shopping), and the like.
Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached on 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY, can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






Friday, June 18, 2021
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436