DETAILED ACTION
	Claims 1-20 are presented on 12/18/2019 for examination on merits.  Claims 1, 12, and 20 are independent base claims.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Set #1.

Claim Objections
Claims 1, 12, and 20 are objected to because of the following informalities:  inconsistent terminology or wordings recited.  
Claims 1, 12, and 20 each recite a limitation “an identity of the user” in the authenticating step.  However, the claims also recite “the user's identity” in the generating and selecting steps, in a different wording, for example.  For formality reasons, the same limitation should be worded consistently in the claims.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 1-2, 4-5, 10, 12-13, 18, and 20 each recite the limitation of "the user device" in without sufficient antecedent basis for this limitation in the claims, because independent claims 1, 12, and 20 only define “a user device's request” in the first clause of the respective claims rather than “a user device”.
Claims 4 and 5 each recite the limitation of "the device" in without sufficient antecedent basis for this limitation in the claims, because claim 3 (from which claims 4 and 5 depend) does not further define “a device.”  It appears that the limitation of "the device" in claims 4 and 5 is the same as “the user device” in claim 1 which is found lacking antecedent basis as shown above.
Claim 9 recite a limitation “the action risk profile” which is note defined in claims 1 and 6.  Therefore, there is insufficient antecedent basis for this limitation in the claim.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-8, 10-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Coffing (US 20190273746 A1; hereinafter “Coff”) in view of Zhang (US 20180063132 A1).

As per claim 1, Coff teaches a computer-implemented method for enhancing security controls of a web application, the method comprising: 
in response to a user device's request to access the web application during a current user session, collecting, by a server system, authentication data of a user of the user device from a client system, the client system comprising the user device and an identity provider (Coff, par. 0045-0047 and 0051: Such users/services/things 605 may enter the service mesh … wish to access one or more microservices (e.g., business apps & workloads & microservices) 615, providing user names and passwords as user input (e.g., secrets); par. 0051.  In Coff, the client/use system provides information being used in the request including, “for example, unique device identifiers and location data specifying geographic location information.” see par. 0051.  In other words, Coff discloses an equivalent identity provider at client system 605. Regarding the access to web application, see par. 0019 and 0022 for the server-side application handling HTTP requests); 
authenticating, by the server system, an identity of the user based on the collected authentication data (Coff, par. 0027-0029 and 0047: Security plane 120 managed by  IDaaS server 110 provides authenticating service based on the received authentication data, such as user names, passwords, contact information, and biometric information); 
generating, for the current user session, a user risk profile that characterizes a level of risk that the user's identity will be compromised (Coff, par. 0009-0011: generating via an authentication engine a risk profile for the request based on the context data of the request); 
after the user risk profile has been generated for the current user session, authorizing the user device to access the web application (Coff, par. 0053: dynamically authenticate the user for certain access privileges, which is granted after a risk profile being generated, the risk profile including dynamic risk value/level); 
Coff, par. 0034: The client application 210 may be a web application … may trigger a request (e.g., by a button click).); 
in response to a determination that the step-up authentication is required, dynamically selecting, based on the generated user risk profile, a step-up authentication method for re- authenticating the user's identity (Coff, par. 0024: an intelligent authorization engine may employs a unique adaptive risk-based transaction authorization approach to dynamically assess and score risk across user roles, transactional context, and real-time risk profiles weighing a variety of different factors for maximum protection in a customized manner … escalating identity requirements for authorization on higher risk transactions while detecting, mitigating and blocking nefarious users, devices, or activities; see also par. 0029 and 0034 for successful authentication and authorization, which is triggered by the client application 210).
While Coff teaches escalating identity requirements for authorization on higher risk transactions (par. 0024), Coff is silent about sending a security request defined by the selected step-up authentication method to the user device.  This aspect of the claim is identified as a difference.
In a related art, Zhang teaches, 
providing one or more security requests defined by the selected step-up authentication method to the user device (Zhang, par. 0016-0018 and 0022-0023: first/second step-up authentication prompt(s) generated for the first/second client computing device may include a security question authentication prompt).
Coff and Zhang are analogous art, because they are in a similar field of endeavor in improving step-up authentications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Zhang to modify Coff to send a step-up authentication prompt to the client device such that the 

As per claim 2, the references as combined above teach the method of claim 1, wherein collecting the authentication data of the user from the client system comprises: 
receiving, from the user device through the identity provider, the authentication data through a Security Assertion Markup Language (SAML) assertion (Coff, par. 0023: access delegation and credentials exchange (e.g., OAuth, SAML, OIDC); par. 0029 and 0037: using OAuth token for authentication and inject user context via a token (JWT) to proxied requests.  Here the authentication data through SAML and the authentication data through OAuth are functionally the same because both are known to be used for web SSO.  For example, US 20170346851 A1 by Drake also discloses the identity service of the patron being programmed (such as by using identity language like SAML or OAUTH or the like).

As per claim 3, the references as combined above teach the method of claim 1, wherein the authentication data comprises user authentication data (Coff, par. 0051: users/services/things 605 may enter the service mesh … wish to access one or more microservices …by providing user names and passwords as user input (e.g., secrets), which are user authentication data).

As per claim 4, the references as combined above teach the method of claim 3, wherein the authentication data further comprise user device attributes, wherein the user device attributes comprise at least one of (i) an IP address of the user device or (ii) location data of the Note: optional limitation is recited herein) (Coff, par. 0029 and 0048: current location in Coff means geographic location of the device during the access; including factors as user attributes, roles, relationships, session attributes, current location).

As per claim 5, the references as combined above teach the method of claim 3, further comprising: 
collecting user device attributes from the user device, wherein the user device attributes comprise at least one of (i) an IP address of the user device or, and (ii) location data of the device (Note: optional limitation is recited herein) (Coff, par. 0029 and 0048: geographic location of the device during the access; par. 0051: location of bank).

As per claim 6, the references as combined above teach the method of claim 1, wherein generating, for the current user session, the user risk profile that characterizes the level of risk of the user's identity being compromised comprises: 
computing a user risk score based on one or more of current user identity risk, historical user identity risk, web browser risk, user device risk, user behavior risk, or user network risk (Note: optional limitation is recited herein) (Coff, par. 0024: score risk across user roles; par. 0045: evaluating and scoring various attributes for risk; par. 0050: involve real-time risk profiles /scoring on a transaction basis, as well as step-up authentications on a transactional basis and risk mitigation by combining behavioral baseline and risk attribute decision).

As per claim 7, the references as combined above teach the method of claim 1, wherein determining whether a step-up authentication is required comprises: 
generating an action risk profile for the particular action, and determining whether a step-up authentication is required based on (i) the user risk profile generated for the current user session, and (ii) the action risk profile generated for the particular action (Coff, par. 0024: real-Coff’s risk profile on transaction basis is the action risk profile generated for the particular action, such as location of bank used to construct a risk profile; par. 0051).

As per claim 8, the references as combined above teach the method of claim 7, wherein the particular action is a financial transaction, and wherein generating the action risk profile for the particular action comprises: 
computing an action risk score based on one or more of a value of the financial transaction, a type of the financial transaction, behavioral and historical risk, or reputational risk (Note: optional limitation is recited herein) (Coff, par. 0050: contextual data (e.g., location) into the authorization decision; involve real-time risk profiles /scoring on a transaction basis, as well as step-up authentications on a transactional basis and risk mitigation by combining behavioral baseline and risk attribute decision access control).

As per claim 10, the references as combined above teach the method of claim 1, further comprising: after providing the one or more security requests defined by the selected step-up authentication method to the user device, determining whether the user has satisfied the one or more security requests, and in response to a determination that the user has satisfied the one or more security requests initiated by the selected step-up authentication method, re-authenticating the user's identity and authorizing the user to perform the particular action on the web application (Coff, par. 0053: dynamically authenticate the user for certain access privileges, which is granted after a risk profile being generated, the risk profile including dynamic risk value/level)).

As per claim 11, the references as combined above teach the method of claim 1, wherein the one or more security requests comprise one or more of (Note: optional limitation is recited herein)
(i) sending a one-time password (OTP) to the user via a short message service (SMS) or email and asking the user to provide the OTP (Optional, omitted from examination), 
(ii) asking the user to provide a biometric based authentication (Coff, par. 0047 and 0053: The respective biometric dataset for a user may be used to verify the user's identity (e.g., as part of a step-up authentication measure used for risk mitigation).), 
(iii) invoking identity proofing, (iv) invoking a user registration workflow leading to client re authentication (Optional, omitted from examination), 
(v) asking the user to enter a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) (Optional, omitted from examination), 
(vi) asking the user to click a checkbox reCAPTCHA v2 to indicate that the user is not a robot (Optional, omitted from examination), 
(vii) using reCAPTCHA v2 (invisible badge) which is invoked directly via a javascript call when the user clicks on an existing button (Optional, omitted from examination), 
(viii) asking the user to enter a reCAPTCHA v3 which returns a score for each request (Optional, omitted from examination), or 
(ix) asking the user to provide one or more answers to one or more security questions (Optional, omitted from examination).

As per claim 12, Coff teaches one or more non-transitory computer storage media storing instructions that, when executed by one or more processors, cause the one or more processors to perform operations for enhancing security controls of a web application, the operations comprising: 
Coff, par. 0045-0047 and 0051: Such users/services/things 605 may enter the service mesh … wish to access one or more microservices (e.g., business apps & workloads & microservices) 615, providing user names and passwords as user input (e.g., secrets); par. 0051.  In Coff, the client/use system provides information being used in the request including, “for example, unique device identifiers and location data specifying geographic location information.” see par. 0051.  In other words, Coff discloses an equivalent identity provider at client system 605. Regarding the access to web application, see par. 0019 and 0022 for the server-side application handling HTTP requests); 
authenticating, by the server system, an identity of the user based on the collected authentication data (Coff, par. 0027-0029 and 0047: Security plane 120 managed by  IDaaS server 110 provides authenticating service based on the received authentication data, such as user names, passwords, contact information, and biometric information); 
generating, for the current user session, a user risk profile that characterizes a level of risk that the user's identity will be compromised (Coff, par. 0009-0011: generating via an authentication engine a risk profile for the request based on the context data of the request); 
after the user risk profile has been generated for the current user session, authorizing the user device to access the web application (Coff, par. 0053: dynamically authenticate the user for certain access privileges, which is granted after a risk profile being generated, the risk profile including dynamic risk value/level); 
detecting that the user is attempting a particular action on the web application, in response to the detection of the particular action, determining whether a step-up authentication is required based on the user risk profile (Coff, par. 0034: The client application 210 may be a web application … may trigger a request (e.g., by a button click).); 
Coff, par. 0024: an intelligent authorization engine may employs a unique adaptive risk-based transaction authorization approach to dynamically assess and score risk across user roles, transactional context, and real-time risk profiles weighing a variety of different factors for maximum protection in a customized manner … escalating identity requirements for authorization on higher risk transactions while detecting, mitigating and blocking nefarious users, devices, or activities; see also par. 0029 and 0034 for successful authentication and authorization, which is triggered by the client application 210).
While Coff teaches escalating identity requirements for authorization on higher risk transactions (par. 0024), Coff is silent about sending a security request defined by the selected step-up authentication method to the user device.  This aspect of the claim is identified as a difference.
In a related art, Zhang teaches, 
providing one or more security requests defined by the selected step-up authentication method to the user device (Zhang, par. 0016-0018 and 0022-0023: first/second step-up authentication prompt(s) generated for the first/second client computing device may include a security question authentication prompt).
Coff and Zhang are analogous art, because they are in a similar field of endeavor in improving step-up authentications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Zhang to modify Coff to send a step-up authentication prompt to the client device such that the user can easily learn the additional security requirement needed for access. Given the technique can be implemented by software, the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have 

As per claim 13, the references as combined above teach the one or more non-transitory computer storage media of claim 12, wherein the operations for collecting the authentication data of the user from the client system comprise: receiving, from the user device through the identity provider, the authentication data through a Security Assertion Markup Language (SAML) assertion (Coff, par. 0023: access delegation and credentials exchange (e.g., OAuth, SAML, OIDC); par. 0029 and 0037: using OAuth token for authentication and inject user context via a token (JWT) to proxied requests.  Here the authentication data through SAML and the authentication data through OAuth are functionally the same because both are known to be used for web SSO.  For example, US 20170346851 A1 by Drake also discloses the identity service of the patron being programmed (such as by using identity language like SAML or OAUTH or the like).

As per claim 14, the references as combined above teach the one or more non-transitory computer storage media of claim 12, wherein the operations for generating, for the user session, the user risk profile that characterizes the level of risk that the user's identity will be compromised comprise: 
computing a user risk score based on one or more of current user identity risk, historical user identity risk, web browser risk, user device risk, user behavior risk, and user network risk (Note: optional limitation is recited herein) (Coff, par. 0024: score risk across user roles; par. 0045: evaluating and scoring various attributes for risk; par. 0050: involve real-time risk profiles /scoring on a transaction basis, as well as step-up authentications on a transactional basis and risk mitigation by combining behavioral baseline and risk attribute decision).

As per claim 15, the references as combined above teach the one or more non-transitory computer storage media of claim 12, wherein the operations for determining whether a step-up authentication is required comprise: 
generating an action risk profile for the particular action, and determining whether a step-up authentication is required based on (i) the user risk profile generated for the current user section, and (ii) the action risk profile generated for the particular action (Coff, par. 0024: real-time risk profiles weighing a variety of different factors for maximum protection in a customized manner (e.g., dynamic workflows to mitigate risk); par. 0050-0051: real-time risk profiles/scoring on a transaction basis. Note here that Coff’s risk profile on transaction basis is the action risk profile generated for the particular action, such as location of bank used to construct a risk profile; par. 0051).

As per claim 16, the references as combined above teach the one or more non-transitory computer storage media of claim 15, wherein the particular action is a financial transaction, and wherein the operations for generating the action risk profile for the particular action comprise: 
computing an action risk score based on one or more of a value of the financial transaction, a type of the financial transaction, behavioral and historical risk, and reputational risk (Note: optional limitation is recited herein) (Coff, par. 0050: contextual data (e.g., location) into the authorization decision; involve real-time risk profiles /scoring on a transaction basis, as well as step-up authentications on a transactional basis and risk mitigation by combining behavioral baseline and risk attribute decision access control).


As per claim 18, the references as combined above teach the one or more non-transitory computer storage media of claim 12, wherein the operations further comprise: 
after providing the one or more security requests defined by the selected step-up authentication method to the user device, determining whether the user has satisfied one or more security requests, and in response to a determination that the user has satisfied the one or more security requests, re-authenticating the user's identity and authorizing the user to perform the particular action on the web application (Coff, par. 0053: dynamically authenticate the user for certain access privileges, which is granted after a risk profile being generated, the risk profile including dynamic risk value/level)).

As per claim 19, the references as combined above teach the one or more non-transitory computer storage media of claim 12, wherein the one or more security requests comprise one or more of (Note: optional limitation is recited herein)
(i) sending a one-time password (OTP) to the user via a short message service (SMS) or email and asking the user to provide the OTP (Optional, omitted from examination), 
(ii) asking the user to provide a biometric based authentication (Coff, par. 0047 and 0053: The respective biometric dataset for a user may be used to verify the user's identity (e.g., as part of a step-up authentication measure used for risk mitigation).), 
(iii) invoking identity proofing, (iv) invoking a user registration workflow leading to client re authentication (Optional, omitted from examination), 
(v) asking the user to enter a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) (Optional, omitted from examination), 
(vi) asking the user to click a checkbox reCAPTCHA v2 to indicate that the user is not a robot (Optional, omitted from examination), 
(vii) using reCAPTCHA v2 (invisible badge) which is invoked directly via a javascript call when the user clicks on an existing button (Optional, omitted from examination), 
(Optional, omitted from examination), or 
(ix) asking the user to provide one or more answers to one or more security questions (Optional, omitted from examination).

As per claim 20, Coff teaches a system comprising one or more processors and one or more non-transitory storage media storing instructions that, when executed by the one or more processors, cause the one or more processors to perform operations for enhancing security controls of a web application, the operations comprising: 
in response to a user device's request to access the web application during a current user session, collecting, by a server system, authentication data of a user of the user device from a client system, the client system comprising the user device and an identity provider (Coff, par. 0045-0047 and 0051: Such users/services/things 605 may enter the service mesh … wish to access one or more microservices (e.g., business apps & workloads & microservices) 615, providing user names and passwords as user input (e.g., secrets); par. 0051.  In Coff, the client/use system provides information being used in the request including, “for example, unique device identifiers and location data specifying geographic location information.” see par. 0051.  In other words, Coff discloses an equivalent identity provider at client system 605. Regarding the access to web application, see par. 0019 and 0022 for the server-side application handling HTTP requests); 
authenticating, by the server system, an identity of the user based on the collected authentication data (Coff, par. 0027-0029 and 0047: Security plane 120 managed by  IDaaS server 110 provides authenticating service based on the received authentication data, such as user names, passwords, contact information, and biometric information); 
Coff, par. 0009-0011: generating via an authentication engine a risk profile for the request based on the context data of the request); 
after the user risk profile has been generated for the current user session, authorizing the user device to access the web application (Coff, par. 0053: dynamically authenticate the user for certain access privileges, which is granted after a risk profile being generated, the risk profile including dynamic risk value/level); 
detecting that the user is attempting a particular action on the web application, in response to the detection of the particular action, determining whether a step-up authentication is required based on the user risk profile (Coff, par. 0034: The client application 210 may be a web application … may trigger a request (e.g., by a button click).); 
in response to a determination that the step-up authentication is required, dynamically selecting, based on the generated user risk profile, a step-up authentication method for re- authenticating the user's identity (Coff, par. 0024: an intelligent authorization engine may employs a unique adaptive risk-based transaction authorization approach to dynamically assess and score risk across user roles, transactional context, and real-time risk profiles weighing a variety of different factors for maximum protection in a customized manner … escalating identity requirements for authorization on higher risk transactions while detecting, mitigating and blocking nefarious users, devices, or activities; see also par. 0029 and 0034 for successful authentication and authorization, which is triggered by the client application 210).
While Coff teaches escalating identity requirements for authorization on higher risk transactions (par. 0024), Coff is silent about sending a security request defined by the selected step-up authentication method to the user device.  This aspect of the claim is identified as a difference.
In a related art, Zhang teaches, 

Coff and Zhang are analogous art, because they are in a similar field of endeavor in improving step-up authentications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Zhang to modify Coff to send a step-up authentication prompt to the client device such that the user can easily learn the additional security requirement needed for access. Given the technique can be implemented by software, the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with a timely notification to the user for entering a step-up authentication credential at the user device.

Allowable Subject Matter
Claim 9 and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The claims 9 and 17 each recite features of “generating a client risk profile for the client system, and determining whether the step-up authentication is required based on (i) the user risk profile generated for the current user session, (ii) the action risk profile generated for the particular action, and (iii) the client risk profile generated for the client system”.  These features, in combination with the other limitations in the parent claims, are not anticipated by, nor made obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        09/29/2021