DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Geoff Trotter (Reg. No. 64,204) on November 30, 2021.

The application has been amended as follows:
Regarding claim 1: (Currently Amended) A method comprising:
at a policy server, obtaining a client security policy and an authenticator security policy;
obtaining an encrypted passwordless credential request with client metadata from a client;
determining whether the client metadata satisfies the client security policy;
providing the encrypted passwordless credential request to an authenticator device;
obtaining an encrypted passwordless credential response with authenticator metadata from the authenticator device;
determining whether the authenticator metadata satisfies the authenticator security policy; [[and]]
obtaining additional metadata from an external computing device, the additional metadata providing context for a user of the client or a user of the authenticator device;
determining whether the additional metadata violates either the client security policy or the authenticator security policy; and
processing the encrypted passwordless credential response, without decrypting the encrypted passwordless credential request or the encrypted passwordless credential response, based on a determination of whether any of the client metadata, the authenticator metadata, or the additional metadata violates either the client security policy or the authenticator security policy.

Regarding claim 2: (Currently Amended) The method of claim 1, further comprising storing a record of the encrypted passwordless credential request, the record including at least a portion of the client metadata.

Regarding claim 4: (Currently Cancelled) 

Regarding claim 5: (Currently Amended) The method of claim 1, further comprising, responsive to a determination that the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy, providing the encrypted passwordless credential response to the client.

Regarding claim 9: (Currently Cancelled) 

Regarding claim 10: (Currently Amended) An apparatus comprising:
a network interface configured to communicate with a client and an authenticator device across one or more computer networks; and
a hardware processor configured to:
obtain a client security policy and an authenticator security policy;
obtain from the client via the network interface, an encrypted passwordless credential request with client metadata;
determine whether the client metadata satisfies the client security policy;
cause the network interface to provide the encrypted passwordless credential request to the authenticator device;
obtain from the authenticator device via the network interface, an encrypted passwordless credential response with authenticator metadata;
determine whether the authenticator metadata satisfies the authenticator security policy;
obtain additional metadata from an external computing device, the additional metadata providing context for a user of the client or a user of the authenticator device;
determine whether the additional metadata violates either the client security policy or the authenticator security policy; and
process the encrypted passwordless credential response, without decrypting the encrypted passwordless credential request or the encrypted passwordless credential response, based on a determination of whether any of the client metadata, the authenticator metadata, or the additional metadata violates either the client security policy or the authenticator security policy.

Regarding claim 11: (Currently Amended) The apparatus of claim 10, wherein the hardware processor is further configured to store a record of the encrypted passwordless credential request, the record including at least a portion of the client metadata or at least a portion of the authenticator metadata.

Regarding claim 12: (Currently Amended) The apparatus of claim 10, wherein the hardware processor is further configured to, responsive to a determination that the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy, cause the network interface to provide the encrypted passwordless credential response to the client.

Regarding claim 15: (Currently Cancelled)

Regarding claim 16: (Currently Amended) One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a policy server, cause the processor to:
obtain a client security policy and an authenticator security policy;
obtain an encrypted passwordless credential request with client metadata from a client;
determine whether the client metadata satisfies the client security policy;
provide the encrypted passwordless credential request to an authenticator device;
obtain an encrypted passwordless credential response with authenticator metadata from the authenticator device;
determine whether the authenticator metadata satisfies the authenticator security policy;
obtain additional metadata from an external computing device, the additional metadata providing context for a user of the client or a user of the authenticator device;
determine whether the additional metadata violates either the client security policy or the authenticator security policy; and
process the encrypted passwordless credential response, without decrypting the encrypted passwordless credential request or the encrypted passwordless credential response, based on a determination of whether any of the client metadata, the authenticator metadata, or the additional metadata violates either the client security policy or the authenticator security policy.

Regarding claim 17: (Currently Amended) The non-transitory computer readable storage media of claim 16, further comprising instructions operable to cause the processor to store a record of the encrypted passwordless credential request, the record including at least a portion of the client metadata or at least a portion of the authenticator metadata.

Regarding claim 18: (Currently Amended) The non-transitory computer readable storage media of claim 16, further comprising instructions operable to cause the processor to, responsive to a determination that the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy, provide the encrypted passwordless credential response to the client.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Claims 1-3, 5-8, 10-14 and 16-20 are considered allowable.

The Prior Art Oberheide et al. US Patent Application Publication No. 2015/0304110 teaches systems and methods for authentication. At an authentication service, key synchronization information is stored for an enrolled authentication device for a user identifier of a service provider. The key synchronization information indicates that a private key stored by the authentication device is synchronized with a public key stored at the service provider. Responsive to an authentication request provided by the service provider for the user identifier, the authentication service determines an authentication device for the user identifier that stores a synchronized private key by using the key synchronization information, and provides the authentication request to the authentication device. The authentication service provides a signed authentication response to the service provider. The authentication response is responsive to the authentication request and signed by using the private key. The service provider verifies the signed authentication response by using the public key.

The Prior Art Fattal et al. US Patent Application Publication No. 2020/0213116 teaches a system that includes a network interface and a processor. The processor is configured 

The Prior Art KHALIL et al. US Patent Application Publication No. 2015/0249540 teaches a device may receive an authentication request generated based on a request to access a service. The authentication request may include a user identifier. The device may identify a mobile device associated with the user identifier. The device may authenticate the mobile device, and may generate an access notification based on authenticating the mobile device. The access notification may include information relating to the request to access the service. The device may provide the access notification to the mobile device, and may receive an access response from the mobile device. The access response may indicate whether to permit access to the service. The device may cause access to the service to be permitted when the access response indicates to permit access to the service, or may cause access to the service to be denied when the access response indicates to deny access to the service.

The instant application is allowable over Oberheide et al., Fattal et al., and KHALIL et al. described above, either singularly or in combination, because the instant application teaches a different and detailed authentication system that handles authentication requests by applying introspection and policy enforcement. A policy server obtains a client security policy and an authenticator security policy. The policy server obtains an encrypted credential request with client metadata from a client and determines whether the client metadata satisfies the client security policy. The policy server provides the encrypted credential request to an authenticator device and obtains an encrypted credential response with authenticator metadata in response. The policy server determines whether the authenticator metadata satisfies the authenticator security policy. The policy server processes the encrypted credential response, without decrypting the encrypted credential request or the encrypted credential response, based on a determination of whether the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy.
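As an added illustration of the arrangement summarized above (example code written for this edit; it is not part of the application, the cited art, or this Office action), the following Python program models a policy server that checks client metadata, authenticator metadata, and context obtained from an external system against policies, while relaying the encrypted passwordless credential request and response as opaque blobs it holds no key for. The policy rules, metadata field names, the external-context table, and the toy end-to-end cipher are all assumptions made for the example.

```python
"""Added example (not from the application or the cited art): a policy server that
checks client, authenticator and external-context metadata against policies while
relaying the encrypted passwordless credential request and response as opaque blobs
it cannot decrypt. Policy rules, field names, the context table and the toy cipher
are assumptions for illustration."""
import hashlib
import os

CLIENT_POLICY = {"allowed_os": {"macOS", "Windows"}, "require_disk_encryption": True,
                 "max_os_age_days": 90}
AUTHENTICATOR_POLICY = {"allowed_types": {"platform", "roaming"},
                        "require_user_verification": True}
# Constructed context from an external system (say, an HR directory), keyed by user.
EXTERNAL_CONTEXT = {
    "alice": {"employment_status": "active", "client_country": "US", "authenticator_country": "US"},
    "mallory": {"employment_status": "terminated", "client_country": "US", "authenticator_country": "RO"},
}

def toy_e2e_encrypt(key, nonce, plaintext):
    """Toy SHA-256 counter-mode keystream cipher, known only to client and authenticator,
    so the example runs on the standard library. Illustration only; use a real AEAD."""
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def toy_e2e_decrypt(key, blob):
    return toy_e2e_encrypt(key, blob[:16], blob[16:])[16:]

# Each check returns the list of violations; an empty list means the policy is satisfied.
def check_client_metadata(meta, policy):
    v = []
    if meta.get("os") not in policy["allowed_os"]:
        v.append("client os %r not allowed" % meta.get("os"))
    if policy["require_disk_encryption"] and not meta.get("disk_encrypted"):
        v.append("client disk encryption required")
    if meta.get("os_age_days", 10**9) > policy["max_os_age_days"]:
        v.append("client OS build older than %d days" % policy["max_os_age_days"])
    return v

def check_authenticator_metadata(meta, policy):
    v = []
    if meta.get("type") not in policy["allowed_types"]:
        v.append("authenticator type %r not allowed" % meta.get("type"))
    if policy["require_user_verification"] and not meta.get("user_verified"):
        v.append("authenticator did not perform user verification")
    return v

def check_additional_metadata(ctx):
    v = []
    if ctx.get("employment_status") != "active":
        v.append("user is not an active employee")
    if ctx.get("client_country") != ctx.get("authenticator_country"):
        v.append("client and authenticator report different countries")
    return v

class PolicyServer:
    """Sits between client and authenticator; holds policies and an audit record,
    but never the end-to-end key, so it can only inspect metadata."""

    def __init__(self, client_policy, authenticator_policy, context_source, authenticator):
        self.client_policy, self.authenticator_policy = client_policy, authenticator_policy
        self.context_source = context_source  # callable(user) -> dict or None
        self.authenticator = authenticator    # callable(blob) -> (blob, metadata)
        self.records = []

    def handle(self, user, encrypted_request, client_metadata):
        # Record the request without its plaintext: a digest of the opaque blob
        # plus a portion of the client metadata.
        self.records.append({"user": user, "client_os": client_metadata.get("os"),
                             "request_sha256": hashlib.sha256(encrypted_request).hexdigest()})
        violations = check_client_metadata(client_metadata, self.client_policy)
        if violations:  # design choice: never prompt the authenticator for a non-compliant client
            return {"delivered": False, "violations": violations}
        # Forward the blob byte-for-byte; the server cannot read or alter its contents.
        encrypted_response, authenticator_metadata = self.authenticator(encrypted_request)
        violations += check_authenticator_metadata(authenticator_metadata, self.authenticator_policy)
        violations += check_additional_metadata(self.context_source(user) or {})
        if violations:
            return {"delivered": False, "violations": violations}
        return {"delivered": True, "violations": [], "encrypted_response": encrypted_response}

def run_exchange(user, client_metadata, authenticator_metadata, e2e_key=b"k" * 32):
    """Drive one exchange; return (server decision, whether the client could verify
    the relayed response, the server's audit records)."""
    challenge = os.urandom(32)

    def authenticator(blob):
        # The authenticator decrypts the challenge and answers it; a keyed digest
        # stands in for a real credential assertion.
        answer = hashlib.sha256(b"credential-for:" + toy_e2e_decrypt(e2e_key, blob)).digest()
        return toy_e2e_encrypt(e2e_key, os.urandom(16), answer), authenticator_metadata

    server = PolicyServer(CLIENT_POLICY, AUTHENTICATOR_POLICY, EXTERNAL_CONTEXT.get, authenticator)
    request = toy_e2e_encrypt(e2e_key, os.urandom(16), challenge)
    decision = server.handle(user, request, client_metadata)
    verified = False
    if decision["delivered"]:
        expected = hashlib.sha256(b"credential-for:" + challenge).digest()
        verified = toy_e2e_decrypt(e2e_key, decision["encrypted_response"]) == expected
    return decision, verified, server.records
```

Two design choices in the example are worth noting. The server refuses before contacting the authenticator when the client metadata already violates policy, so a non-compliant client never triggers a user prompt; the claims as written do not require that ordering. The server's record holds a digest of the opaque request and part of the client metadata, never plaintext, which is the only record the server is able to produce since it has no key.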

The prior art of record does not disclose, teach, or suggest, either singly or in combination, the claimed limitations of “obtaining an encrypted passwordless credential request with client metadata from a client; obtaining an encrypted passwordless credential response with authenticator metadata from the authenticator device; determining whether the authenticator metadata satisfies the authenticator security policy; obtaining additional metadata from an external computing device, the additional metadata providing context for a user of the client or a user of the authenticator device; determining whether the additional metadata violates either the client security policy or the authenticator security policy; and processing the encrypted passwordless credential response, without decrypting the encrypted passwordless credential request or the encrypted passwordless credential response, based on a determination of whether any of the client metadata, the authenticator metadata, or the additional metadata violates either the client security policy or the authenticator security policy.”
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/FAHIMEH MOHAMMADI/Examiner, Art Unit 2439

/JAHANGIR KABIR/Primary Examiner, Art Unit 2439