DETAILED ACTION
Responsive to the Applicant reply filed on 10/06/2021, Applicant’s amendments to the claims have been entered and the respective arguments carefully considered and responded to in the following. Claims 1-26 are pending for examination with claims 1 and 14 being in independent form.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
The claim amendments and remarks filed by the Applicant on 10/06/2021 have been carefully considered and are responded to in the following.

In response to the remarks regarding claim objections to claims 1, 10, 14, and 23 at page 9 of the Remarks, the amendments have resolved the issue. Therefore, the objections are withdrawn.

In response to the Applicant arguments, page(s) 9-10, regarding Claims 1-26 being rejected under 35 U.S.C. 112(b) because of the indefiniteness of claim language, the Applicant arguments are persuasive. Therefore, the rejections are withdrawn.

Applicant’s arguments, page(s) 11-12 of the Remarks, with regards to claims 1-26 being rejected under 35 U.S.C. § 103 have been considered carefully. 

for each of the one or more scenarios, mapping, by the processor, one of the one or more authentication flows to a given scenario” is not taught by Sakamoto.
In response, the Examiner respectfully disagrees because Sakamoto clearly discloses scenarios denoted as “S” and procedures of authentication or patterns of authentication; par. 0081-0087.  Saka considered two patterns of scenarios, serial and parallel, in multi-factor authentication.  It should be understood that the two patterns of scenarios are two authentication procedures or flows.  Each procedure is composed of a plurality of elements e ∈ wherein an element is an action necessary for each procedure; par. 0073-0074. The Examiner maps the procedure to the flow of authentication, which may be in either serial or parallel patterns, or a combination of both.  For example, a three-factor authentication such as ID and password and fingerprint authentication can be performed in two different procedures or flows: (1) verifying ID first, then verifying the password, and lastly verifying fingerprint; the authentication flow in this type of serial procedure is shown in FIG. 2A, (2) verifying ID AND the password and the fingerprint independently of each other; the authentication flow in this type of parallel procedure is shown in FIG. 2B.  When a scenario of authentication is selected, for example three-factor authentication (ID and password and fingerprint), the user may be allowed to specify the flow or procedure of authentication, which can be different.  Evidently, Saka discloses both scenarios and authentication flows as well as mapping one or more authentication flows to a given scenario.

Secondly, turning to Applicant's arguments, at page 12 of the Remarks, that Masiero (US 20180234411 A1) does not disclose “the two different claimed entities of a scenario and authentication flow.”
receiving, via the user interface, information defining one or more authentication flows.” In Masie, an employer of the user may have a preferred authentication scheme, which is the information defining the authentication or preferences of authentication.  A user can enter or select an authentication scheme via the user interface; par. 0022. And the favored authentication scheme is based on a policy associated with the user profile.  Masiero discloses that there may be different ways, or different authentication schemes, for verifying the user's credentials. For example, the user may login to a server directly, using a username and a password. Alternatively, the user may login to the server using a federated authentication scheme. The illustrative embodiments recognize and take into account that the user may not be aware that there are additional or different authentication schemes available; additionally, biometrics; par. 0018-0019.  In Masiero, the scenarios may include login from (a) a mobile device or (b) a computer system that includes a display and keyboard.  The login schemes or flows of authentication may be different.  Evidently, the Applicant's argument is not persuasive.
Lastly, Applicant argues claim 14 by relying on the arguments for claim 1.  For the same reason as for rejecting claim 1, claim 14 remains rejected.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-7, 10-20, and 23-26 are rejected under 35 U.S.C. 103 as being unpatentable over Sakamoto (US 20180032707 A1; hereinafter “Saka”) in view of Masiero (US 20180234411 A1; hereinafter “Masie”).

As per claim 1, Saka teaches a method for generating and implementing a real-time multi-factor authentication policy across multiple channels, the method performed on a computer having a processor, memory, and one or more code sets stored in the memory and executing by the processor (Saka, the Abstract and par. 0018-0019 and 00147; par. 0080: Combination of multiple scenarios is also possible because it is possible to select multiple authentication elements. That is, there are a plurality of scenarios, selection thereof being enabled. Thus, when one scenario (a combination of certain authentication elements) cannot be used for the user u, it is possible to select another scenario (another combination of authentication elements)), the method comprising: 
during a pre-authentication stage: 

receiving, via the user interface, information defining one or more authentication flows (Saka, par. 0098: a user u selects a scenario S associated with a plurality of procedures f.sub.1 to f.sub.n. to be performed; par. 0119: the user selects … a flow of a scenario S …[that] is easy to use.  Note here that the procedure(s) of scenario in Saka is the information defining one or more authentication flows; see also par. 0029-0030 and 0071-0079: the scenario and the procedure f); 
for each of the one or more scenarios, mapping, by the processor, one of the one or more authentication flows to a given scenario (Saka, par. 0081: Two patterns of scenarios, serial and parallel, can be considered in multi-factor authentication; par. 0082-0087: mapping authentication flows to serial and parallel procedures of authentication; see also the illustration of mapping in FIG. 2A-D.  Note here that Saka discloses a scenario S and the authentication flow as a serial procedure or a parallel procedure); and 
generating a multi-factor authentication policy associated with each of the one or more scenarios (Saka, par. 0098-0103: selecting a scenario for authentication of the user u, which is defined in a parallel procedure and a serial procedure, using a probability before the authentication is performed.  In Saka, a multi-factor authentication is performed; par. 0018-0019); and  
during a real-time authentication stage:
Saka, par. 0142-0145: determining an effective scenario based on the evaluation of scenarios; As to selection of an authentication scheme, measures such as change of a scenario, i.e., update of a success probability for each scenario); 
implementing, by the decision engine, the multi-factor authentication policy associated with the relevant scenario (Saka, par. 0145: A unified mechanism that continuously evaluates multi-factor authentication dynamically can be implemented; par. 0146-0147: the multi-factor authentication apparatus 20 is mapped to the decision engine, which includes a storage unit 21 that stores a scenario S composed of a combination of procedures f of multi-factor authentication required for receiving service provision); and  
determining, by the decision engine, an authentication result (Saka, par. 0079: determining … authentication result and the evaluation function returns a value of binary (0, 1); see also par. 0170 and 0203).
However, Saka does not explicitly disclose a user interface being used for receiving information for defining scenarios and authentication flows.  This aspect of the claim is identified as a difference.
In a related art, Masie teaches:
during a pre-authentication stage: 
receiving, via a user interface, information defining one or more scenarios (Masie, par. 0022: the menu displays authentication schemes that are available to select, and allows the user to select a favored authentication scheme; For example, the user may login to a server directly, using a username and a password. Alternatively, the user may login to the server using a federated authentication scheme. The illustrative embodiments recognize and take into account that the user may not be aware that there are additional or different authentication schemes available; additionally, biometrics; par. 0018-0019); 
Saka and Masie are analogous art, because they are in a similar field of endeavor in improving multi-factor authentications.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Masie to modify Saka to include a user interface being used for receiving information for defining scenarios and authentication flows.  The rationale for this combination is to use a known technique to improve a similar system concerning user authentication with different authentication scenarios.  This technique can be implemented by incorporating a user interface of Masie into Saka’s system such that the preferences for scenarios and authentication schemes can be entered by the user before the authentication stage.  The combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of adaptability of multi-factor authentication to the changing environment of the user.

As per claim 2, the references as combined above teach the method as in claim 1, wherein each of the one or more scenarios comprises at least one scenario parameter and at least one corresponding parameter value (Saka, par. 0118-0120: the usability parameter ub' of the scenario S; the scenario S also has security parameter k associated with the usability parameter ub'; see FIG. 4A and par. 0123).  

As per claim 3, the references as combined above teach the method as in claim 1, wherein a given authentication flow comprises:

at least one condition vertex, wherein the at least one condition vertex represents a matrix containing a collection of one or more predicates defining one or more conditions for a given result of each authentication method (Saka, par. 0140-0143: user's success/fail rate are the condition vertex of a given authentication procedure with the usability parameter ub); and 
at least one decision vertex, wherein the at least one decision vertex represents one of a plurality of potential authentication results of a given authentication flow (Saka, par. 0030-0031: to evaluate at least one of security and usability based on the success probability).  

As per claim 4, the references as combined above teach the method as in claim 3, wherein the authentication result is satisfied if all predicates in the collection of one or more predicates are determined to be true (Saka, par. 0093-0096: the probability of success may be 100%; p=1, that is, succeeds; par. 0152: returns 1 when the procedure (f) succeeds).  

As per claim 5, the references as combined above teach the method as in claim 1, wherein a given authentication flow is mapped to a given scenario based on a user indication linking the authentication flow and the scenario (Saka, par. 0098: a user u selects a scenario S as a combination of authentication elements and performs a plurality of procedures f.sub.1 to f.sub.n).  

As per claim 6, the references as combined above teach the method as in claim 1, wherein an authentication result indicates a relative strength of the authentication (Saka, par. 0030: calculating a success probability of the service through the scenario based on the probability regarding the procedure, to evaluate at least one of security and usability based on the success probability; par. 0140-0141: the service srvc is started so as to satisfy conditions associated security parameter k, showing a relative strength of the authentication).  

As per claim 7, the references as combined above teach the method as in claim 1, further comprising: determining a fraud suspicion level result based on implementation of the multi-factor authentication policy, wherein the fraud suspicion level result indicates a relative level of suspicion of fraud (Saka, par. 0141-0142: When p(S.sup.+(u.sub.j)|a) for user u.sub.j exceeds the security parameter k, in the scenario Si , service provision through the scenario S may be stopped, i.e., potentially a relative level of suspicion of fraud).  

As per claim 10, the references as combined above teach the method as in claim 1, and Saka also teaches wherein one or more authentication flows is executed at least one of in parallel and in series (Saka, par. 0085-0087 and 0102: the procedure f is an authentication flow being all parallel in the scenario S).  

As per claim 11, the references as combined above teach the method as in claim 2, further comprising: 

modifying at least one scenario parameter or at least one corresponding parameter value when the frequency does not meet the predefined threshold (Saka, par. 0145: measures such as change of a scenario, i.e., update of a success probability for each scenario, for example, are performed.  The threshold here is the probability value, which is 0 for fail; par. 0089-0093).  
In the same combination as shown above, Masie teaches:
prioritizing the scenario when the frequency meets a predefined threshold (Masie, par. 0145: Risk score 136 can be a numeric score within a predefined range, where higher scores indicate a greater level of risk. In an illustrative embodiment; par. 0052: may require a "step up" authentication of the user via another authentication method before allowing transaction 132 to proceed when risk score 136 is above a threshold risk score; par. 0009 and 0049-0050: determining that the level of risk is an acceptable level of risk); and 
Saka and Masie are analogous art, because they are in a similar field of endeavor in improving multi-factor authentications.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Masie to modify Saka to include a predetermined threshold to assess the success probability of the scenario.  For this combination, the motivation would have been to improve the level of security by timely updating the scenario when the frequency meets a predefined threshold.

As per claim 12, the references as combined above teach the method as in claim 2, Saka also teaches a step of monitoring by the decision engine, an authentication failure rate of the multi-factor authentication policy associated with the relevant scenario (Saka, par. 0129: the Scenario and its success probability … continued to be evaluated with a probability of success; par. 0130: Also, it is possible to accurately estimate a risk of a system by continuing to update a frequency of success probability of a user and an attacker accurately, even for an event such as an occurrence of an attack); and 
Masie teaches: when the authentication failure rate meets a predefined threshold, modifying, by the decision engine, at least one authentication flow mapped to the given scenario (Masie, par. 0145: Risk score 136 can be a numeric score within a predefined range, where higher scores indicate a greater level of risk. In an illustrative embodiment; par. 0052: may require a "step up" authentication of the user via another authentication method before allowing transaction 132 to proceed when risk score 136 is above a threshold risk score; par. 0009 and 0049-0050: determining that the level of risk is an acceptable level of risk).  

As per claim 13, the references as combined above teach the method as in claim 7, and Saka also discloses a step of monitoring by the decision engine, a fraudulent detection rate of the multi-factor authentication policy associated with the relevant scenario; (Saka, par. 0129: the Scenario and its success probability … continued to be evaluated with a probability of success; par. 0130: Also, it is possible to accurately estimate a risk of a system by continuing to update a frequency of success probability of a user and an attacker accurately, even for an event such as an occurrence of an attack) 
And Masie also teaches:

when the fraudulent detection rate meets a predefined threshold, prioritizing the relevant scenario (Masie, par. 0049: prompt additional assurance or "step-up" authentication from user 104, and deny transaction 132 where the likelihood of fraud is very high; par. 0052: Another rule in risk policy 138 may require a "step up" authentication of the user via another authentication method. Here, the "step-up" authentication means a prioritized update of the relevant scenario).  

Regarding claims 14-20 and 23-26, they are drawn to a system for generating and implementing a real-time multi-factor authentication policy across multiple channels, comprising the same limitations as those found in claims 1-7 and 10-13, respectively.  Therefore, they are rejected for the same reasons as claims 1-7 and 10-13.

Allowable Subject Matter
Claims 8-9 and 21-22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claims 8 and 21 each recite elements of “providing to a user, via the user interface, a scenario generator, the scenario generator comprising one or more parameter selection boxes for selecting one or more of a plurality of scenario parameters, and one or more value selection boxes for selecting one or more of a plurality of corresponding parameter values; wherein for each scenario parameter selected, a corresponding parameter value is also selected.”  These limitations, when in combination with the other limitations in their base claims 1 and 14, respectively, are not anticipated by, nor made obvious over the prior art of record.
The claims 9 and 22 each recite elements of “providing to the user, via the user interface, an authentication flow generator, the authentication flow generator comprising: one or more authentication method selection boxes for selecting one or more of a plurality of authentication methods; one or more condition selection boxes for selecting one or more of a plurality of conditions to be associated with a given authentication method; one or more predicate selection boxes for selecting one or more of a plurality of predicates to be associated with a given condition; and one or more decision selection boxes for selecting a potential authentication result to be associated with the given authentication method.”.  These elements, in combination with the other limitations in their base claims, are not anticipated by, nor made obvious over the prior art of record.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Don Zhao whose telephone number is (571)272-9953.  The examiner can normally be reached on 9 am to 5 pm Monday thru Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Don G Zhao/
Examiner, Art Unit 2493
11/23/2021