DETAILED ACTION
Claims 1-20 are pending in this application. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/22/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: device configured to collect (claim 11). 
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 



Claims 1 and 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Sprague et al (“Sprague,” US 20150089568) and further in view of Dean et al (“Dean,” US 8,856,894)

Regarding claim 1, Sprague discloses a non-transitory computer readable medium comprising instructions stored thereon, the instructions effective to cause at least one processor to:
collect, by a multifactor identification device, a plurality of types of user identifying data; (Sprague, [0009] & [0093] describes multifactor identification; [0094]-[0107], describe collecting a plurality of types of user identifying data such as biometric information from a trusted device [multifactor identification device])
determine, by the multifactor identification device, (Sprague, [0009] & [0093] [0094]-[0107], describe determining from a trusted device [multifactor identification device])
a trust score based on a confidence that the plurality of the user identifying data identifies a specified user; (Sprague, [0093]-[0107] describes a trust score based on a confidence that the plurality of the user identifying data identifies a specified user) 
when the trust score is greater than a threshold, (Sprague, [0038], [0132], [0092]-[0093], describes the trust score passing a threshold [greater than a threshold])

However, in an analogous art, Dean discloses send an identification credential identifying the user to an authentication provider, (Dean, Col. 9, Lines 9-35 discloses sending a virtual credential which can be a token identifying the user to the service provider to perform authentication).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dean with the method and system of Sprague to include send an identification credential identifying the user to an authentication provider. One would have been motivated to provide a server that automatically monitors and authenticates an individual's online transactions and/or activities using an Always On Authentication scheme (Dean, Col. 1, Lines 33-36).

Regarding claim 6, Sprague and Dean disclose the non-transitory computer readable medium of claim 1. 
Sprague further discloses wherein the instructions are further effective to cause at least one processor to: decrement the trust score (Sprague, 262, FIG 2B describes decreasing the trust score calculation)
based on elapsed time since at least one of the plurality of types of user identifying data has been collected (Sprague, [0142] describes based on elapsed time; [0094]-[0107], describe collecting a plurality of types of user identifying data such as biometric information from a trusted device [multifactor identification device])

Regarding claim 7, Sprague and Dean disclose the non-transitory computer readable medium of claim 6. 
Sprague further discloses of the multifactor identification device (Sprague, [0009] & [0093] [0094]-[0107], describe determining from a trusted device [multifactor identification device])
wherein a rate at which the trust score is decremented (Sprague, 262, FIG 2B, specify factors to decrease trust score calculation; also see [0038], [0044] and [0049]). 
Dean further discloses is based on a determination of a spatial-temporal context (Dean, Col. 12, Lines 50-64 describes based on a determination of the risk profile containing context such as location and time). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dean with the method and system of Sprague to include is based on a determination of a spatial-temporal context. One would have been motivated to provide a server that automatically monitors and authenticates an individual's online transactions and/or activities using an Always On Authentication scheme (Dean, Col. 1, Lines 33-36).

Regarding claim 8, Sprague and Dean disclose the non-transitory computer readable medium of claim 6. 
Sprague further discloses wherein the rate at which the trust score is decremented (Sprague, 262, FIG 2B, specify factors to decrease trust score calculation)
(Dean, Col. 2, Lines 50-64; Col. 3, Lines 1-18 describes allowing the threshold trust level to be adjusted up or down). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dean with the method and system of Sprague to include is based on a rate set by the service provider. One would have been motivated to provide a server that automatically monitors and authenticates an individual's online transactions and/or activities using an Always On Authentication scheme (Dean, Col. 1, Lines 33-36).

Claims 2-5 and 9-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sprague et al (“Sprague,” US 20150089568) in view of Dean et al (“Dean,” US 8856894) and further in view of Sheller et al (“Sheller,” US 20150373007). 

Regarding claim 2, Sprague and Dean disclose the non-transitory computer readable medium of claim 1. 
Sprague and Dean fail to explicitly disclose wherein the trust score is determined based on factors specified in an access policy configured by a service provider, wherein the access policy specifies conditions required to initiate a session with the service provider and conditions required to maintain the session with the service provider.
However, in an analogous art, Sheller discloses wherein the trust score is determined based on factors specified in an access policy configured by a service provider, (Sheller, [0071], [0078], [0042] & [0017], describes a confidence score is determined based on factors specified in an access policy configured by a service provider)
wherein the access policy specifies conditions required to initiate a session with the service provider (Sheller, [0071], [0078], [0050] & [0017], describes an access policy that specifies conditions required to start a session with the service provider)
and conditions required to maintain the session with the service provider, (Sheller, [0082], [0091] & [0017] describes conditions required to maintain the session with the service provider)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sheller with the method and system of Sprague and Dean to include wherein the trust score is determined based on factors specified in an access policy configured by a service provider, wherein the access policy specifies conditions required to initiate a session with the service provider and conditions required to maintain the session with the service provider. One would have been motivated to provide a system and method configured to provide continuous authentication from initial authentication (e.g., by a user to a user device) to session closure, e.g., by the authenticated user (Sheller, [0014]).

Regarding claim 3, Sprague and Dean disclose the non-transitory computer readable medium of claim 2. 
Dean further discloses wherein the identification credential is at least partially a composite of the multiple types of the plurality of the user identifying data, (Dean, Col. 10, Lines 39-44 describes an AOA ID or a virtual credential may have one or more levels of associated data attributes for the individual. The one or more levels may correspond to different degrees of privacy and/or amount of data associated with the individual. For example, some levels may include basic, private, identity, payment, and/or marketing).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dean with the method and system of Sprague to include wherein the identification credential is at least partially a composite of the multiple types of the plurality of the user identifying data. One would have been motivated to provide a server that automatically monitors and authenticates an individual's online transactions and/or activities using an Always On Authentication scheme (Dean, Col. 1, Lines 33-36).

Regarding claim 4, Sprague, Dean and Sheller disclose the non-transitory computer readable medium of claim 3. 
Dean further discloses define the multiple of the plurality of the user identifying data to make up the identification credential, (Dean, Col. 10, Lines 39-67; Col. 11, Lines 1-9; Col. 14, Lines 10-45 describes defining An AOA ID or a virtual credential may have one or more levels of associated data attributes for the individual. The one or more levels may correspond to different degrees of privacy and/or amount of data associated with the individual. For example, some levels may include basic, private, identity, payment, and/or marketing and associating risk levels that are low, medium and high depending on the transaction; Col. 2, Lines 65-67; Col. 3, Lines 1-18 describe a threshold trust level). 
where at least one of the multiple types of the plurality of the user identifying data is required such that the trust score cannot be greater than the threshold without the required identifying data, (Dean, Col. 10, Lines 39-67; Col. 11, Lines 1-9; Col. 14, Lines 10-45 describes defining An AOA ID or a virtual credential may have one or more levels of associated data attributes for the individual. The one or more levels may correspond to different degrees of privacy and/or amount of data associated with the individual. For example, some levels may include basic, private, identity, payment, and/or marketing and associating risk levels that are low, medium and high depending on the transaction; Col. 2, Lines 65-67; Col. 3, Lines 1-18 describe a threshold trust level).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dean with the method and system of Sprague to include to define the multiple of the plurality of the user identifying data to make up the identification credential, where at least one of the multiple types of the plurality of the user identifying data is required such that the trust score cannot be greater than the threshold without the required identifying data. One would have been motivated to provide a server that automatically monitors and authenticates an individual's online transactions and/or activities using an Always On Authentication scheme (Dean, Col. 1, Lines 33-36).
Sheller further discloses wherein the access policy conditions required to initiate the session with the service provider (Sheller, [0071], [0078], [0050] & [0017], describes an access policy that specifies conditions required to start a session with the service provider)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sheller with the method and system of Sprague and Dean to include wherein the access policy conditions required to initiate the session with the service provider. One would have been motivated to provide a system and method configured to provide continuous authentication from initial authentication (e.g., by a user to a user device) to session closure, e.g., by the authenticated user (Sheller, [0014]).

Regarding claim 5, Sprague and Dean disclose the non-transitory computer readable medium of claim 1. 
Sprague further discloses a multifactor identification device (Sprague, [0009] & [0093] describes multifactor identification; [0094]-[0107], describe collecting a plurality of types of user identifying data such as biometric information from a trusted device [multifactor identification device])
Dean further discloses wherein the instructions are further effective to cause at least one processor to: determine a spatial-temporal context (Dean, Col. 12, Lines 50-64 describes based on a determination of the risk profile containing context such as location and time). 
Therefore, it would have been obvious to one of ordinary skill in the art before the
effective filing date of the claimed invention to combine the teachings of Dean with the

wherein the trust score can only be greater than the threshold when the spatial-temporal context (Dean, Col. 2, Lines 50-64; Col. 3, Lines 1-18 describes allowing the threshold trust level to be adjusted up or down based on factors such as the risk profile that contains location and time data [spatial-temporal context]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dean with the method and system of Sprague to include wherein the instructions are further effective to cause at least one processor to: determine a spatial-temporal context of the multifactor identification device, wherein the trust score can only be greater than the threshold when the spatial-temporal context complies with an access policy. One would have been motivated to provide a server that automatically monitors and authenticates an individual's online transactions and/or activities using an Always On Authentication scheme (Dean, Col. 1, Lines 33-36).
Sprague and Dean fail to explicitly disclose complies with an access policy.
However, in an analogous art, Sheller discloses complies with an access policy (Sheller, [0071] & [0132] describes agreeing with the policy for access to open a session). 
Therefore, it would have been obvious to one of ordinary skill in the art before the

method and system of Sprague and Dean to include complies with an access policy. One would have been motivated to provide a system and method configured to provide continuous authentication from initial authentication (e.g., by a user to a user device) to session closure, e.g., by the authenticated user (Sheller, [0014]).

Regarding claim 9, Sprague and Dean disclose the non-transitory computer readable medium of claim 1. 
Sprague further discloses wherein the instructions are further effective to cause at least one processor to: when the trust score drops below the threshold, (Sprague, 262, FIG 2 specify factors that decrease the trust score calculation; [0038], [0044] and [0049] describe less than a threshold)
Sprague and Dean fail to explicitly disclose send a notification to the authentication provider.
However, in an analogous art, Sheller discloses send a notification to the authentication provider (Sheller, 210, FIG 2, notify the remote communication partner. [0017] describes the remote communication partner as a server that performs continuous authentication)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sheller with the method and system of Sprague and Dean to include send a notification to the authentication provider. One would have been motivated to provide a system and method configured to provide continuous authentication from initial authentication (e.g., by a

Regarding claim 10, Sprague and Dean disclose the non-transitory computer readable medium of claim 9. 
Sprague and Dean fail to explicitly disclose wherein the notification causes the service provider to suspend a session.
However, in an analogous art, Sheller discloses wherein the notification causes the service provider to suspend a session (Sheller, [0025] the remote communication partner 106a may then be configured to monitor the confidence score and to end the session if the confidence score goes below a remote communication partner session close threshold).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sheller with the method and system of Sprague and Dean to include wherein the notification causes the service provider to suspend a session. One would have been motivated to provide a system and method configured to provide continuous authentication from initial authentication (e.g., by a user to a user device) to session closure, e.g., by the authenticated user (Sheller, [0014]).

Regarding claim 11, Sprague discloses a multifactor authentication system, the system comprising:
(Sprague, [0094]-[0107] describes a trusted device [a multifactor identification device] configured to)
collect a plurality of types of user identifying data, (Sprague, [0009] & [0093] describes multifactor identification; [0094]-[0107], describe collecting a plurality of types of user identifying data such as biometric information from a trusted device [multifactor identification device])
determine a trust score based on a confidence that the plurality of the user identifying data identifies a specified user, (Sprague, [0093]-[0107] describes a trust score based on a confidence that the plurality of the user identifying data identifies a specified user) and
when the trust score is greater than a threshold, (Sprague, [0038], [0132], [0092]-[0093], describes the trust score passing a threshold)
and instructions are further effective to cause at least one processor to: when the trust score drops below the threshold, (Sprague, 262, FIG 2 specify factors that decrease the trust score calculation; [0038], [0044] and [0049] describe less than a threshold)
and instructions are further effective to cause at least one processor to: when the trust score drops below the threshold, (Sprague, 262, FIG 2B, specify factors to decrease trust score calculation; [0038], [0044] and [0049] describe a threshold). 
Sprague fails to explicitly disclose send an identification credential identifying the user to an authentication provider; 
However, in an analogous art, Dean discloses send an identification credential identifying the user to an authentication provider; (Dean, Col. 9, Lines 9-35 discloses sending a virtual credential which can be a token identifying the user to the service provider to perform authentication).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dean with the method and system of Sprague to include send an identification credential identifying the user to an authentication provider; and instructions are further effective to cause at least one processor to: when the trust score drops below the threshold, send a notification to the authentication provider. One would have been motivated to provide a server that automatically monitors and authenticates an individual's online transactions and/or activities using an Always On Authentication scheme (Dean, Col. 1, Lines 33-36).
Sprague and Dean fail to explicitly disclose send a notification to the authentication provider
However, in an analogous art, Sheller discloses send a notification to the authentication provider (Sheller, 210, FIG 2, notify the remote communication partner. [0017] describes the remote communication partner as a server that performs continuous authentication)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sheller with the method and system of Sprague and Dean to include send a notification to the authentication provider. One would have been motivated to provide a system and method configured to provide continuous authentication from initial authentication (e.g., by a

Regarding claim 12, claim 12 is directed to the multifactor authentication system of claim 11. Claim 12 is similar in scope to claim 2 and is therefore rejected under similar rationale.

Regarding claim 13, claim 13 is directed to the multifactor authentication system of claim 11. Claim 13 is similar in scope to claim 3 and is therefore rejected under similar rationale.

Regarding claim 14, claim 14 is directed to the multifactor authentication system of claim 13. Claim 14 is similar in scope to claim 4 and is therefore rejected under similar rationale.

Regarding claim 15, claim 15 is directed to the multifactor authentication system of claim 11. Claim 15 is similar in scope to claim 5 and is therefore rejected under similar rationale.

Regarding claim 16, claim 16 is directed to the multifactor authentication system of claim 11. Claim 16 is similar in scope to claim 6 and is therefore rejected under similar rationale.

Regarding claim 17, claim 17 is directed to the multifactor authentication system of claim 16. Claim 17 is similar in scope to claim 7 and is therefore rejected under similar rationale.

Regarding claim 18, claim 18 is directed to the multifactor authentication system of claim 16. Claim 18 is similar in scope to claim 8 and is therefore rejected under similar rationale.

Regarding claim 19, claim 19 is directed to the multifactor authentication system of claim 11. Claim 19 is similar in scope to claim 9 and is therefore rejected under similar rationale.

Regarding claim 20, claim 20 is directed to the multifactor authentication system of claim 19. Claim 20 is similar in scope to claim 10 and is therefore rejected under similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/           Examiner, Art Unit 2439  


/LUU T PHAM/           Supervisory Patent Examiner, Art Unit 2439