DETAILED ACTION
Continued Examination Under 37 CFR 1.114
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 10/25/2021 has been entered.
As per instant Amendment, Claims 1, 4-5, 8, 11-12, 15, and 17-18 have been amended. Claims 1, 8, and 15 are independent claims.  Claims 1-20 have been examined and are pending. This Action is made Non-FINAL. 
Response to Arguments
Applicants’ arguments with respect to claims 1, 8, and 15 have been considered but are moot in view of the new ground(s) of rejection, which was necessitated by amendment.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Girdhar et al. (2020/0110870; Hereinafter “Girdhar”) in view of Alameh et al. (US 2020/0026830; Hereinafter “Alameh”) in view of Zellner (US 2019/0019363; Hereinafter “Zellner”).
Regarding claim 1, Girdhar teaches a server device comprising: a processor device; a non-transitory computer-readable medium comprising: a data store configured to store user activity observations that are recorded during one or more login attempts to access a user account (Girdhar: Para. [0070], Risk assessment module 210 bases the value of risk level 211 on one or more detected characteristics associated with the failed login attempts. For example, risk assessment module 210 may increase risk level 211 in response to determining that the sequence of failed login attempts has occurred at a time of day at which user account 220 has not been previously accessed, or in response to determining that the sequence of failed login attempts has occurred at a geographic location from which the user account has not been previously accessed. Para. [0068]-[0069], [0028]-[0030] ); and 
Girdhar does not explicitly teach a control access module that is executable by the processor device to determine a confidence score associated with a current successful login attempt of the user account, wherein the confidence score is based on the user activity observations and the level of access is associated with the functions and the data that are executable and accessible subsequent to the current successful login attempt.
In an analogous art, Alameh teaches a control access module that is executable by the processor device to determine a confidence score associated with a current successful login attempt of the user account (Alameh: Para. [0041], Additionally, in one or more embodiments a user can store one or more predefined facial features such as hair color, eye color, skin color, head-to-neck size or diameter ratio, neck-to-body size or diameter ratio, location history, and so forth. In one or more embodiments, only when one or more of these predefined facial features are sufficiently matched will authentication occur. [authentication factor may include location history] Para. [0043] Para. [0020]-[0021], Para. [0043], Para. [0183], [number of authentication factors meets confidence score associated with current login limitation as a higher number of passed authentication factors correlates to a higher authentication level], Para. [0053]), 
(Alameh: Para. [0183], Step 408 and decision 409 can repeat iteratively. This allows the method 400 to slowly "build up" confidence that the user is indeed the authorized user of the electronic device. As more authentication factors sufficiently match predefined authentication references by repeating step 408 and decision 409, increasing operational access can be granted to the features, applications, or data of the electronic device at step 410. In one or more embodiments, the number of authentication factors required to match predefined authentication references to grant access to various applications, features, or data can be user definable using a settings application of the electronic device. Thus, some users can grant full access to the features, applications, or data of the electronic device when only two authentication factors sufficiently match predefined authentication references, while other users can require more authentication factors to sufficiently match predefined authentication factors prior to granting access to, for example, sensitive personal data. [an increased number of authentication factors which when achieved, creates a higher authentication level for accessing application functionality and user data meets confidence score associated with level of access limitation] Para. [0020], Embodiments of the disclosure provide systems and methods that grant increasing operational access permissions for features, applications, and/or data of an electronic device as an authentication confidence level increases. Para. [0021]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Alameh with the system and method of Girdhar to include a control access module that is executable by the processor device to determine a confidence score associated with a current successful login attempt of the user account, wherein the confidence score is based on the user activity observations and the level of access is associated with the functions and the data that are executable and accessible subsequent to the current successful login attempt because this functionality provides for increased authentication levels associated with a predetermined number of authentication factors to enable operational access to features, applications, and data (Alameh: Para. [0183]). 

In an analogous art, Zellner teaches a control access module that is executable by the processor device to use the confidence score to determine a level of access prior to granting access to the user account and subsequent to the current successful login attempt to an application with functions and data for the user account (Zellner: Fig. 2, Para. [0084], In some embodiments of the concepts and technologies disclosed herein, the functionality of operation 202 can be replaced with an operation for detecting, by the computing device 102, a request or event. Para. [0083], the access attempt detected in operation 202 can correspond to an attempt to access a resource 110 or asset 112 at or via the environment 106, the computing device 102, or a component associated with the environment 106 and/or the computing device 102. Para. [0037], Para. [0085]-[0086], From operation 202, the method 200 can proceed to operation 204. At operation 204, the computing device 102 can collect data from the sensors 116 and/or other hardware. Para. [0088]-[0089], The computing device 102 can be configured to compare one or more identifiers collected in operation 204 to the list and to identify, based on this comparison, an entity 114 and/or an identity associated with entity 114. As explained above, the identity sources 120 and/or the server computer 126 can be configured to perform various operations to identity the entity 114 including, but not limited to, facial recognition, accessing libraries such as the library 128, biometric data comparisons, and/or other operations. [entity identification of step 206 may include identity data comparison of biometric or facial recognition to perform authorization] Para. [0091], Para. [0094], As explained above, some embodiments of the trust indicators 134 can include a trust value, an entity identifier, and an associated activity. Para. [0097]-[0100], In some embodiments, the trust indicators 134 can be used to generate a trust score 138 that corresponds to an average of the trust indicators 134. At operation 216, the computing device 102 can determine if the activity determined in operation 208 should be blocked or allowed. It can be appreciated that the determination made in operation 216 can be based at least on the activity determined in operation 208 and either the trust score 138 or a trust indicator 134. [sensor data collected during step 204 and before the entity identification is utilized to determine activity, trust indicators associated with the activity, and a trust score, after the comparison of biometric data to identify the entity and before determined activity is allowed]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Zellner with the system and method of Girdhar and Alameh to include and subsequent to the current successful login attempt to an application with functions and data for the user account because this functionality provides for utilizing trust scores derived from indicators and sensor data to determine whether or not an activity should be allowed (Zellner: Para. [0005]). 
Regarding claim 2, Girdhar, in combination with Alameh and Zellner, teaches the server device of claim 1, wherein the control access module is executable by the processor device to modify permissions that are executable, and the data that is accessible, via the user account (Girdhar: Para. [0065], As another example, if the user has multiple failed login attempts and initiates a lockout period before successfully sending the valid account credentials, is logging in from an unknown location and/or from an unknown computing device or network, and/or other risks criteria are detected, then risk level 411 may be assigned a highest risk value. A session timeout policy selected under such conditions may, therefore, have a relatively short session timeout period. It is contemplated that, in some embodiments, a highest risk level may include blocking access to user account 420 until a secondary form of authorization is successfully completed, such as contacting an approved user via a telephone call, text message, email or other such methods. [denial of access while avoiding blocking meets the modify permissions that are executable, and the data that is accessible, via the user account limitation]).
Regarding claim 3, Girdhar, in combination with Alameh and Zellner, teaches the server device of claim 2, wherein the control access module is executable by the processor device to modify permissions and data by preventing at least one function from being executed by a user via the user account (Girdhar: Para. [0065], As another example, if the user has multiple failed login attempts and initiates a lockout period before successfully sending the valid account credentials, is logging in from an unknown location and/or from an unknown computing device or network, and/or other risks criteria are detected, then risk level 411 may be assigned a highest risk value. A session timeout policy selected under such conditions may, therefore, have a relatively short session timeout period. It is contemplated that, in some embodiments, a highest risk level may include blocking access to user account 420 until a secondary form of authorization is successfully completed, such as contacting an approved user via a telephone call, text message, email or other such methods.).
Regarding claim 4, Girdhar, in combination with Alameh and Zellner, teaches the server device of claim 1, wherein the user activity observations include IP address of a device used by a user to execute the current successful login attempt, MAC address of the device, location of the device, and number of times that incorrect credentials were provided (Girdhar: Para. [0038], Risk assessment module 110 may also increase the assessed risk level in response to determining that the sequence of failed login attempts 135 has occurred at a geographic location from which the approved user has never or has very rarely logged in previously. For example, if the approved user typically logs into user account 120 from a location in New York City, but failed login attempts 135 originate from a location in London, then the assessed risk level may be increased. Para. [0040]-[0041]; Zellner: Para. [0086], In addition to obtaining the various readings and/or other data from the sensors 116, the computing device 102 can package the various sensor readings, audio data, video data, image data, presence data, location data, device identifiers, communication data (e.g., protocols, device identifiers, user identifiers, Internet protocol ("IP") addresses, international mobile subscriber identities ("IMSIs"), international mobile equipment identities ("IMEIs"), combinations thereof, or the like) and/or other data to form the captured data 118.).
Regarding claim 5, Girdhar, in combination with Alameh and Zellner, teaches the server device of claim 1, wherein the control access module is executable by the processor device to determine the confidence score by comparing attributes of the current successful login attempt with typical user behavior represented in the user activity observations (Girdhar: Para. [0176], Location can also serve as a contextual inference. For example, if authentication is occurring at a new and strange area where the electronic device has never been, this could increase the number of higher authentication factors required in comparison to authentication occurring in a trusted location, such as the user's home. Para. [0053], As used herein, "sufficiently" means within a predefined threshold. For example, if one of the predefined reference images 108 includes 500 reference features, such as facial shape, nose shape, eye color, background image, hair color, skin color, and so forth, the image 103 will sufficiently correspond to at least one of the one or more predefined reference images 108 when a certain number of features in the image 103 are also present in the predefined reference images 108. This number can be set to correspond to the level of security desired.).
Regarding claim 6, Girdhar, in combination with Alameh and Zellner, teaches the server device of claim 1, wherein the control access module is executable by the processor device to require a user to successfully complete a further authentication process based on the confidence score being below a selected threshold (Alameh: Para. [0034], For example, in one or more embodiments the authentication process repeats the obtaining of the at least one additional authentication factor and the comparing the at least one additional authentication factor with one or more authentication references a predetermined number of times. Where the at least one additional authentication factor sufficiently corresponds to the at least one of the one or more predefined authentication references the predetermined number of times, the authentication system can grant full operational access to the features, applications, or data of the electronic device. However, if an inadequate match is collected along the way, in one or more embodiments user access is limited and higher security measures are automatically triggered by the device.).
Regarding claim 7, Girdhar, in combination with Alameh and Zellner, teaches the server device of claim 1, wherein the control access module is executable by the processor device to limit capabilities of at least one function based on the confidence score (Alameh: Para. [0021], The user may be able to use features such as a telephone application, a calculator application, a web browsing application, and so forth. However, in one or more embodiments the user, having only limited operational access to the features, applications, or data of the electronic device, may not be able to see private information such as photographs, calendar data, contacts lists, financial information, or health information. They may not be able, for example, to access social media applications as well. They may not, for instance, be able to make voice calls using cellular data, and may instead be relegated to only making calls when the electronic device is in communication with a Wi-Fi network, and so forth. It should be noted that these limited operational access examples are illustrative only. Para. [0034], Para. [0046]-[0047]).
Regarding claims 8-14, claims 8-14 are rejected under the same rational as claims 1-7, respectively.
Regarding claim 15, claim 15 is rejected under the same rational as claim 1.
Regarding claim 16, claim 16 is rejected under the same rational as claims 9-10.
Regarding claims 17-20, claims 17-20 are rejected under the same rational as claims 4-7, respectively.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571) 272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 




/NELSON S. GIDDINS/Primary Examiner, Art Unit 2437