DETAILED ACTION
This Office Action is in response to the application 16/836,814 filed on 03/31/2020.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-24 have been examined and are pending in this application. Claims 1 and 13 are independent.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/13/2020, 04/02/2020, and 10/28/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the 
Claims 1-11 and 13-23 are rejected under 35 U.S.C. 103 as being unpatentable over Mathew et al. (“Mathew,” US 2017/0118223, published on 04/27/2017), in view of Pattar et al. (“Pattar,” US 1019/0334921, published on 10/31/2009).
As to claim 1, Mathew teaches a computer-executed method (Mathew: pars 0010-0012, 0043, 0045-0047; Fig 1, systems, methods, and machine-readable media implementing a technique for adjusting the authentication level of access to a resource through a session) comprising: 
[ ] a session of a client of an application (Mathew: pars 0010-0012, 0043-0047; Fig 1, a session is created between user device and resources, resources such as a file, a web page, electronic content, a document, web content, a computing resource, or an application); 
wherein the application supports a plurality of authentication tiers (Mathew: pars 0010-0012, 0043-0047; an access management system provides multiple authentication levels [i.e. authentication tiers] in providing access to multiple protected resources); wherein each authentication tier, of the plurality of authentication tiers, is associated with one or more respective authentication steps of a plurality of authentication steps (Mathew: pars 0010-0012, 0041, 0043-0047; Fig 3, the system provides multiple authentication levels [i.e. authentication tiers] in providing access to multiple protected resources associated with levels where different authentication credential input is required for higher levels);
wherein the plurality of authentication tiers includes (a) a higher-security authentication tier that allows first one or more restricted actions, and (b) a lower-security authentication tier that allows second one or more restricted actions (Mathew: pars 0010-0012, 0041, 0043-0047; Fig 3, multiple authentication levels [i.e. authentication tiers], that is higher levels and lower levels, in providing access to multiple protected resources associated with levels where different authentication credential input is required for higher levels); 
authenticating the client to the higher-security authentication tier (Mathew: pars 0010-0012, 0041, 0043-0047; Fig 3, authentication level with higher level is performed for a resource requested by the user); 
based on said authenticating the client to the higher-security authentication tier, maintaining authentication-tier data that identifies an authentication tier for the session by associating the particular session identifier with the higher-security authentication tier (Mathew: pars 0010-0012, 0014-0015, 0041, 0043-0047; Fig 3, based on the positive authentication for a session with a higher authentication level, the access to the resource requested by the user is allowed or modified. For the period of a session, the user may remain authenticated at the higher authentication level, enabling access to protected resources accessible at the higher authentication level); 
detecting that the session satisfies one or more downgrade criteria (Mathew: pars 0010-0012, 0014-0016, 0041, 0043-0047; Fig 3, the access management system reduces [i.e. downgrades] an authentication level for a session if a lesser authentication level exists [i.e. a criterion], and a determination that the user may not need access to a protected resource at the higher authentication level [i.e. a criterion]. For the period of a session, while the user may remain authenticated at the higher authentication level, the system steps down [i.e. downgrades] the higher authentication level to a reduced or lower access level to access the associated resources); 
wherein the one or more downgrade criteria comprise at least one of: an explicit request to downgrade the authentication tier associated with the particular session [ ] (Mathew: pars 0010-0012, 0014-0016, 0041, 0043-0047; Fig 3, the access management system reduces an authentication level for a session. For the period of a session, while the user may remain authenticated at the higher authentication level, the system steps down [i.e. downgrades] the higher authentication level to a reduced or lower access level to access the associated resources), or passage of a pre-defined amount of time during which no activity involving the higher-security authentication tier occurs (Mathew: pars 0010-0012, 0014-0016, For the period of a session, the user may remain authenticated at the higher authentication level, enabling access right to protected resources accessible at the higher authentication level. Authentication level is reduced after determining that a user may not need access to a protected resource at that authentication level); 
in response to detecting that the session satisfies the one or more downgrade criteria, downgrading the authentication tier of the session by updating the authentication-tier data to associate the particular session identifier with the lower-security authentication tier (Mathew: pars 0010-0012, 0014-0016, 0041, 0043-0047; Fig 3, the access management system reduces an authentication level for a session. For the period of a session, while the user may remain authenticated at the higher authentication level, the system steps down [i.e. downgrades] the higher authentication level to a reduced or lower access level to access the associated resources, where the session information is modified such that the authentication level of the session can be reduced); 
wherein the method is performed by one or more computing devices (Mathew: pars 0010-0012, 0043-0047; Fig 1, systems and methods are implemented involving a user device, a resource providing device and an access management system device).
Mathew does not explicitly teach generating a particular session identifier for a session; and particular session identifier.
However, in an analogous art, Pattar teaches generating a particular session identifier for a session (Pattar: pars 0007-0008, 0054, 0070, teaches systems, methods and computer-readable memory for controlling access to resources with multi-level and multi-factor authentication of a user on a restricted website, or on an enterprise network, where session information such as a cookie [i.e. session identifier] is generated and stored for a user for validating session status); and particular session identifier (Pattar: pars 0007-0008, 0054, 0070, the session information such as a cookie [i.e. session identifier] is used for determination of the validity of a particular session for accessing a requested resource).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Pattar with the method/system of Mathew for the benefit of providing a user with a means for marking a session with an identifier like a cookie and verifying the validity of the session (Pattar: pars 0054, 0070). 
As to claim 2, the combination Mathew and Pattar teaches the computer-executed method of Claim 1, 
Mathew and Pattar further teaches further comprising: after detecting that the session satisfies one or more downgrade criteria, receiving a request associated with the particular session identifier to perform an action that is associated with the higher-security authentication tier; in response to receiving the request: based, at least in part, on (a) the particular session identifier being associated with the lower-security authentication tier and (b) the action being associated with the higher-security authentication tier, providing, to the client, an authentication challenge associated with the higher-security authentication tier, based on user input to the authentication challenge via the client, authenticating the client to the higher-security authentication tier, updating the authentication-tier data to associate the particular session identifier with the higher-security authentication tier, and as a response to the request, performing the action based, at least in part, on the particular session identifier being associated with the higher-security authentication tier (Mathew: pars 0014-0016, 0041, challenging a user for credentials to authenticate to higher authentication levels).
As to claim 3, the combination Mathew and Pattar teaches the computer-executed method of Claim 2, 
Mathew further teaches wherein the action is one of: view a page that is associated with the higher-security authentication tier; view redacted information in a page that is associated with the lower-security authentication tier; or edit information in a page (Mathew: pars 0010-0012, 0043-0047, 0148; Fig 1, a session is created between user device and resources, resources such as a file, a web page, electronic content, a document, web content, a computing resource, or an application).
As to claim 4, the combination Mathew and Pattar teaches the computer-executed method of Claim 1, 
Mathew and Pattar further teaches further comprising: while the particular session identifier is associated with the lower-security authentication tier, receiving a request associated with the particular session identifier to upgrade the authentication tier that is associated with the particular session identifier to a particular authentication tier of the plurality of authentication tiers; wherein the particular authentication tier is higher than the lower-security authentication tier; and in response to receiving the request: providing, to the client, an authentication challenge associated with the particular authentication tier, based on user input to the authentication challenge via the client, authenticating the client to the particular authentication tier, and updating the authentication-tier data to associate the particular session identifier with the particular authentication tier (Mathew: pars 0014-0016, 0041, 0047, challenging a user for credentials to authenticate to higher authentication levels, where the session information is modified such that the authentication level of the session can be reduced. Pattar: pars 0008, 0014, 0067, once enrollment of the user for the factor is completed, the collected credential for the factor from the user is validated to provide access to the second level).
As to claim 5, the combination Mathew and Pattar teaches the computer-executed method of Claim 4, 
(Mathew: pars 0014-0016, 0041, 0047, challenging a user for credentials to authenticate to higher authentication levels, where the session information is modified such that the authentication level of the session can be reduced. Pattar: pars 0008, 0014, 0067, once enrollment of the user for the factor is completed, the collected credential for the factor from the user is validated to provide access to the second level).
As to claim 6, the combination Mathew and Pattar teaches the computer-executed method of Claim 1, 
Mathew and Pattar further teaches further comprising displaying, in a page of the application, information identifying the authentication tier associated with the particular session identifier (Mathew: pars 0010-0012, 0014-0016, 0041, 0043-0047; Fig 3, the access management system reduces an authentication level for a session. For the period of a session, while the user may remain authenticated at the higher authentication level, the system steps down [i.e. downgrades] the higher authentication level to a reduced or lower access level to access the associated resources. Pattar: pars 0007-0008, 0054, 0070, the session information such as a cookie [i.e. session identifier] is used for determination of the validity of a particular session for accessing a requested resource).
As to claim 7, the combination Mathew and Pattar teaches the computer-executed method of Claim 1, 
Mathew further teaches wherein the session satisfies the one or more downgrade criteria based, at least in part, on passage of the pre-defined amount of time during which no activity involving the higher-security authentication tier occurs (Mathew: pars 0010-0012, 0014-0016, For the period of a session, the user may remain authenticated at the higher authentication level, enabling access right to protected resources accessible at the higher authentication level. Authentication level is reduced after determining that a user may not need access to a protected resource at that authentication level).
As to claim 8, the combination Mathew and Pattar teaches the computer-executed method of Claim 7, 
Mathew further teaches further comprising: prior to authenticating the client to the higher-security authentication tier, authenticating the client to the lower-security authentication tier; based on authenticating the client to the lower-security authentication tier, setting a first timer based on a first timeout period associated with the lower-security authentication tier; wherein said authenticating the client to the higher-security authentication tier is performed prior to expiration of the first timer; based on authenticating the client to the higher-security authentication tier, setting a second timer based on a second timeout period associated with the higher-security authentication tier; determining that the pre-defined amount of time has passed based, at least in part, on expiration of the second timer (Mathew: pars 0017, 0040, 0074, authentication level of a resource is based on specific conditions, such as type of resource and time period, and expiration time of the session for authentication level).
As to claim 9, the combination Mathew and Pattar teaches the computer-executed method of Claim 8, 
Mathew further teaches further comprising: based on said downgrading the authentication tier of the session, setting a third timer based on the first timeout period associated with the lower-security authentication tier; wherein setting the second timer causes the first timer to be cleared (Mathew: pars 0017, 0040, 0074, authentication level of a resource is based on specific conditions, such as type of resource and time period, and expiration time of the session for authentication level).
As to claim 10, the combination Mathew and Pattar teaches the computer-executed method of Claim 1, 
Mathew further teaches wherein: the session satisfies the one or more downgrade criteria based, at least in part, on a particular explicit request to downgrade the authentication tier associated with the particular session identifier; the method further comprises: prior to authenticating the client to the higher-security authentication tier, authenticating the client to the lower-security authentication tier, based on authenticating the client to the lower-security authentication tier, setting a timer based on a particular pre-defined amount of time associated with the lower-security authentication tier, wherein the particular explicit request is received prior to expiration of the timer; after downgrading the authentication tier of the session and in response to expiration of the timer, logging the client out of the application (Mathew: pars 0015-0017, 0040, 0074, For the period of a session, the user may remain authenticated at the higher authentication level, enabling access to protected resources accessible at the higher authentication level. Authentication level of a resource is based on specific conditions, such as type of resource and time period, and expiration time of the session for authentication level).
As to claim 11, the combination Mathew and Pattar teaches the computer-executed method of Claim 1, 
further comprising: based on authenticating the client to the higher-security authentication tier, setting a timer based on a particular pre-defined amount of time associated with the higher-security authentication tier;
wherein the session satisfies the one or more downgrade criteria based, at least in part, on a particular explicit request to downgrade the authentication tier associated with the particular session identifier; wherein the particular explicit request is received prior to expiration of the timer; after downgrading the authentication tier of the session and prior to expiration of the timer, receiving an action request from the client to perform a restricted action of the first one or more restricted actions; and in response to receiving the action request from the client, updating the authentication-tier data to associate the particular session identifier with the higher-security authentication tier without requiring the client to re-execute particular one or more authentication steps associated with the higher-security authentication tier (Mathew: pars 0015-0017, 0040, 0074, For the period of a session, the user may remain authenticated at the higher authentication level, enabling access to protected resources accessible at the higher authentication level. Authentication level of a resource is based on specific conditions, such as type of resource and time period, and expiration time of the session for authentication level).
As to claim 13, Mathew teaches one or more non-transitory computer-readable media storing one or more sequences of instructions that, when executed by one or more processors (Mathew: pars 0010-0012, 0043, 0045-0047; Fig 1, systems, methods, and machine-readable media implementing a technique for adjusting the authentication level of access to a resource through a session), cause: 
[ ] a session of a client of an application (Mathew: pars 0010-0012, 0043-0047; Fig 1, a session is created between user device and resources, resources such as a file, a web page, electronic content, a document, web content, a computing resource, or an application); 
wherein the application supports a plurality of authentication tiers (Mathew: pars 0010-0012, 0043-0047; an access management system provides multiple authentication levels [i.e. authentication tiers] in providing access to multiple protected resources); wherein each authentication tier, of the plurality of authentication tiers, is associated with one or more respective authentication steps of a plurality of authentication steps (Mathew: pars 0010-0012, 0041, 0043-0047; Fig 3, the system provides multiple authentication levels [i.e. authentication tiers] in providing access to multiple protected resources associated with levels where different authentication credential input is required for higher levels); 
wherein the plurality of authentication tiers includes (a) a higher-security authentication tier that allows first one or more restricted actions, and (b) a lower-security authentication tier that allows second one or more restricted actions (Mathew: pars 0010-0012, 0041, 0043-0047; Fig 3, multiple authentication levels [i.e. authentication tiers], that is higher levels and lower levels, in providing access to multiple protected resources associated with levels where different authentication credential input is required for higher levels); 
authenticating the client to the higher-security authentication tier (Mathew: pars 0010-0012, 0041, 0043-0047; Fig 3, authentication level with higher level is performed for a resource requested by a user); 
based on said authenticating the client to the higher-security authentication tier, maintaining authentication-tier data that identifies an authentication tier for the session by associating the particular session identifier with the higher-security authentication tier (Mathew: pars 0010-0012, 0014-0015, 0041, 0043-0047; Fig 3, based on the positive authentication for a session with a higher authentication level, the access to the resource requested by the user is allowed or modified. For the period of a session, the user may remain authenticated at the higher authentication level, enabling access to protected resources accessible at the higher authentication level); 
detecting that the session satisfies one or more downgrade criteria (Mathew: pars 0010-0012, 0014-0016, 0041, 0043-0047; Fig 3, the access management system reduces [i.e. downgrades] an authentication level for a session if a lesser authentication level exists [i.e. a criterion], and a determination that the user may not need access to a protected resource at the higher authentication level [i.e. a criterion]. For the period of a session, while the user may remain authenticated at the higher authentication level, the system steps down [i.e. downgrades] the higher authentication level to a reduced or lower access level to access the associated resources); 
wherein the one or more downgrade criteria comprise at least one of: an explicit request to downgrade the authentication tier associated with the particular session [ ] (Mathew: pars 0010-0012, 0014-0016, 0041, 0043-0047; Fig 3, the access management system reduces an authentication level for a session. For the period of a session, while the user may remain authenticated at the higher authentication level, the system steps down [i.e. downgrades] the higher authentication level to a reduced or lower access level to access the associated resources), or passage of a pre-defined amount of time during which no activity involving the higher-security authentication tier occurs (Mathew: pars 0010-0012, 0014-0016, For the period of a session, the user may remain authenticated at the higher authentication level, enabling access right to protected resources accessible at the higher authentication level. Authentication level is reduced after determining that a user may not need access to a protected resource at that authentication level); 
in response to detecting that the session satisfies the one or more downgrade criteria, downgrading the authentication tier of the session by updating the authentication-tier data to associate the particular session identifier with the lower-security authentication tier (Mathew: pars 0010-0012, 0014-0016, 0041, 0043-0047; Fig 3, the access management system reduces an authentication level for a session. For the period of a session, while the user may remain authenticated at the higher authentication level, the system steps down [i.e. downgrades] the higher authentication level to a reduced or lower access level to access the associated resources, where the session information is modified such that the authentication level of the session can be reduced).
Mathew does not explicitly teach generating a particular session identifier for a session; and particular session identifier.
However, in an analogous art, Pattar teaches generating a particular session identifier for a session (Pattar: pars 0007-0008, 0054, 0070, teaches systems, methods and computer-readable memory for controlling access to resources with multi-level and multi-factor authentication of a user on a restricted website, or on an enterprise network, where session information such as a cookie [i.e. session identifier] is generated and stored for a user for validating session status); and particular session identifier (Pattar: pars 0007-0008, 0054, 0070, the session information such as a cookie [i.e. session identifier] is used for determination of the validity of a particular session for accessing a requested resource).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Pattar with the method/system of Mathew for the benefit of providing a user with a means for marking a session with an identifier like a cookie and verifying the validity of the session information/cookie for allowing resource access over the session (Pattar: pars 0054, 0070). 
As to claims 14-23, the claim limitations are similar to the method claims of 2-11, and are rejected for the same reason set forth above for claims 2-11. 
Claims 12 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Mathew et al. (“Mathew,” US 2017/0118223, published on 04/27/2017), in view of Pattar et al. (“Pattar,” US 1019/0334921, published on 10/31/2009), and further in view of Jagannathrao et al. (“Jagannathrao,” US2014/0109196, published on 04/17/2014).
As to claim 12, the combination Mathew and Pattar teaches the computer-executed method of Claim 1,

However, in an analogous art, Jagannathrao teaches detecting that user-based activity, at a client device running the client, has been inactive for the pre-defined amount of time; wherein the session satisfies the one or more downgrade criteria based, at least in part, on said detecting that user-based activity, at the client device running the client, has been inactive for the pre-defined amount of time (Jagannathrao: pars 0015-0016, 0024, when a client device (e.g., such as a printer, a scanner, a laptop computer, etc.) has been idle and/or inactive for a period of time that exceeds a threshold, the client device is re-authenticated for permitting access).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Jagannathrao with the method/system of Mathew and Pattar for the benefit of providing a user with a means for monitoring user/client inactiveness for a session and taking a re-authentication or additional security measure when a certain threshold for inactive status is passed (Jagannathrao: pars 0015-0016, 0024). 
As to claim 24, the claim limitations are similar to the method claim of 12, and are rejected for the same reason set forth above for claim 12. 
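For readers following the technical substance of the rejected claims, the sketch below is an added illustration (not code from the application, Mathew, Pattar or Jagannathrao) of the mechanism recited in claims 1, 2 and 7-9: server-side authentication-tier data keyed by a generated session identifier, an explicit and an inactivity-based downgrade, a step-up challenge, and per-tier timers. The tier names, timeout values, action names and the choice to restart a tier's timer on activity at that tier are assumptions.

```python
import secrets
from dataclasses import dataclass

LOW, HIGH = 1, 2
# Assumed values: the Office Action names no concrete timeouts or actions.
TIMEOUT = {LOW: 900.0, HIGH: 120.0}
REQUIRED_TIER = {"view_balance": LOW, "transfer_funds": HIGH}


@dataclass
class Session:
    tier: int
    deadline: float  # expiry of the single active timer for the current tier


class TieredSessionStore:
    """Authentication-tier data kept server-side, keyed by session identifier."""

    def __init__(self):
        self._sessions = {}

    def login(self, now):
        """Lower-tier authentication succeeded: issue an identifier, start the first timer."""
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(LOW, now + TIMEOUT[LOW])
        return sid

    def step_up(self, sid, challenge_passed, now):
        """Associate the identifier with HIGH only after the higher-tier challenge passes."""
        s = self._live(sid, now)
        if s is None or not challenge_passed:
            return False
        # Setting the higher-tier timer replaces (clears) the lower-tier timer.
        s.tier, s.deadline = HIGH, now + TIMEOUT[HIGH]
        return True

    def downgrade(self, sid, now):
        """Explicit downgrade request: re-associate the identifier with LOW."""
        s = self._live(sid, now)
        if s is None:
            return False
        if s.tier == HIGH:
            s.tier, s.deadline = LOW, now + TIMEOUT[LOW]
        return True

    def tier_of(self, sid, now):
        s = self._live(sid, now)
        return None if s is None else s.tier

    def authorize(self, sid, action, now):
        """Return 'allow', 'challenge' (step-up required) or 'logged_out'."""
        s = self._live(sid, now)
        if s is None:
            return "logged_out"
        needed = REQUIRED_TIER.get(action, HIGH)  # unmapped actions fail closed
        if s.tier < needed:
            return "challenge"
        if needed == s.tier:
            # Only activity at the session's own tier restarts that tier's timer,
            # so lower-tier browsing does not keep a HIGH session elevated.
            s.deadline = now + TIMEOUT[s.tier]
        return "allow"

    def _live(self, sid, now):
        """Apply timer expiry lazily, then return the session or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.tier == HIGH and now >= s.deadline:
            # No higher-tier activity for TIMEOUT[HIGH]: downgrade and start a
            # fresh lower-tier timer from the moment the higher one expired.
            s.tier, s.deadline = LOW, s.deadline + TIMEOUT[LOW]
        if now >= s.deadline:
            del self._sessions[sid]  # lower-tier timer expired: log out
            return None
        return s


def demo():
    """Constructed timeline (seconds) exercising challenge, step-up and downgrade."""
    store = TieredSessionStore()
    sid = store.login(now=0)
    out = [store.authorize(sid, "transfer_funds", now=10)]   # LOW session
    store.step_up(sid, challenge_passed=True, now=20)
    out.append(store.authorize(sid, "transfer_funds", now=100))
    out.append(store.authorize(sid, "transfer_funds", now=230))  # HIGH idle > 120 s
    return out


if __name__ == "__main__":
    print(demo())
```

Keeping the tier in server-side state rather than in the cookie itself means a downgrade takes effect on the next request even if the client replays an older cookie value.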


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jahangir Kabir whose telephone number is (571) 270-3355. The examiner can normally be reached on 9:00-5:00 Mon-Thu.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAHANGIR KABIR/             Primary Examiner, Art Unit 2439