Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on January 18, 2022 has been entered.

Response to Arguments
Applicant’s arguments with respect to claims 1, 3-6, 8-11, 13-15 and 21-28 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-6, 10-11, 13, 15, 21-25 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Ramanujan et al. (Hereinafter referred to as Ramanujan, US 10715327 B1) in view Coulier et al. (Hereinafter referred to as Coulier, US. Pub. No.: US 20110258452 A1).

As per claim 1:
Ramanujan discloses a computing device comprising:
a memory and a processor connected to the memory (Column 3: lines 53-67:  A Personal Computing Device), the processor for
storing an authentication token (Column 3: lines 38-39: issuing and using software credential tokens for users having an existing hardware credential token; Column 8: lines 56-61: In response to receiving the software credential token, the mobile device 102 can store the software credential token for use in accessing the data server 104. In an example the mobile device 102 can store the software credential token in a secondary storage device coupled thereto, such as a USB flash memory device), in the memory including a user identity associated with a user and a device identity (Column 4: lines 22-53:  A hardware credential token is a physical device having embedded information therein that allows a user to gain access to an electronically restricted resource. The hardware credential token can communicate with another electronic 
communicating the authentication token to a server (Column 5: lines 26-34:  The software credential token is intended as an alternative credential to the hardware credential token for authenticating a user for access to the online resource/data server 104. Thus, the software credential token is possessed by the user and presented in order to authenticate the user for access to the data server 104. The process 300 of presenting the software credential token, 
responding to a challenge from the server to validate that the device identity from the authentication token is associated with the computing device based upon a device credential (column 5: lines 59-67; Column 6: lines 1-5:  The software credential token is issued by the authentication server 106. The authentication server 106 identifies a user corresponding to the computing device 102 and authenticates that user via their hardware credential token prior to issuing the user a software credential token. This process 200 of software credential token issuance attempts to ensure that a user corresponding to a computing device 102 possesses a valid hardware credential token, which would enable the user to access data on the data server 104. Successful software credential token issuance results in a software credential token being issued to the computing device 102. The software credential token can then be used for subsequent “session authentications” (method 300) of the user); Column 7: lines 23-30: In response to receiving an indication that the hardware credential token is valid and, optionally, receiving other requested information for a user (e.g., the email address, the public key), the authentication server 106 can send an email with a one-time password therein to the email address linked to the hardware credential token (208). In an example, additional security is provided by encrypting the one-time password in the email sent to the hardware credential token's email address.
communicating a user credential to the server to validate that the user is associated with the user identity from the authentication token (Column 6: lines 35-55: The authentication server 106 can receive the request for a software credential token and attempt to authenticate a user 
accessing a session via the server responsive to validation identity from the authentication token (Column 9: lines 46-67; Column 10: lines 1-10: Once the user is issued a software credential token via a computing device 102, the user can use that computing device 102 and software credential token to authenticate themselves for access to the data server 104. Notably, with a valid software credential token, the user can access the data server 104 via the app on the mobile device 102 without requiring use of their hardware credential token. Use of the software credential token to access the data server 104 includes providing the software credential token to the authentication server 106 in a request for session authentication. Session authentication verifies that the computing device 102 has a valid software credential token and, 

Ramanujan does not explicitly disclose the validated identity is the device identity and the user identity. Coulier, in analogous art however, discloses the validated identity is the device identity and the user identity ([0342]: A function or functionality for verifying a dynamic authentication credential that has been generated by a reader device (1600: FIG. 16). The interface 1813 of the outer layer allows a calling application to pass a dynamic authentication credential 1807 to be verified along with a value 1808 that is related to the identity of the user that is supposed to have submitted the dynamic credential or an identifier 1809 of the reader that is supposed to have generated the dynamic credential and may optionally also allow to pass one or more external dynamic variables 1816 such as a challenge or transaction data. Using the received user identity related value 1808 or reader identifier 1809, determines or retrieves the 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the validated identity disclosed by Ramanujan to include the device identity and the user identity. This modification would have been obvious because a person having ordinary skill in the art would have been 

As per claim 3:
Coulier discloses wherein the user credential is stored in the memory at the computing device ([0022]. Strong authentication token the token submits the one or more input values to a symmetric encryption/decryption algorithm and/or one-way hash function parameterized by a personalized secret key stored securely in the token; [0037]: all personalized secrets and security sensitive data are stored and managed by the card (e.g. the PIN is stored and verified by the card, the secret keys are stored on the card and all cryptographic operations involving those keys are done by the card, counters used as input for the token algorithm are stored and managed by the card)].

As per claim 4:
Coulier discloses wherein the user credential is stored in a virtual smart card with an authentication service ([0143]: Smart card 100 stores a PKI private key 301 which is used in an asymmetric cryptographic operation [0265-0267]: On behalf of the server, the reader locally authenticates the user by means of a traditional certificate based authentication of the user's PKI card (Virtual smart card)). In addition, Ramanujan also discloses wherein the user credential is stored in a virtual smart card with an authentication service (Column 4: lines 33-44: The hardware credential token is typically small enough to easily fit in a hand of an individual and can have any 

As per claim 5:
Coulier discloses wherein the second authentication credential comprises a public key associated with the computing device ([0202]: The card generating the private and public key pair on-board without any possibility of extracting the private key from the card. In other cases the key pair is generated externally and then injected into the card, but then procedures would normally ensure that the private key in the card personalization system is immediately destroyed after injection into the card and no copy of the private key is allowed to exist outside the card). In addition, Ramanujan also discloses wherein the device credential comprises a public encryption key associated with the computing device (Column 4: lines 38-42: A public key infrastructure (PKI) digital certificate can be stored (e.g., permanently stored/burnt) into the hardware device (e.g., into memory of the USB dongle, or the ICC of the smartcard); Column 7: lines 1-12:  The request for status of the hardware credential token can include a request for a public key corresponding to the hardware credential token. In an example, the key server 108 can store digital certificates corresponding to each hardware credential token/user, and each digital certificate can include a public key that is paired with the hardware credential token (e.g., the private key thereof). In such an example, the key server 108 can send the digital certificate 

As per claim 6:
Coulier discloses wherein the public encryption key is signed by a Root of Trust (RoT) ([0268-0270]: The reader 800 validates the card's certificate 806 (or certificate chain); Note: this assumes that the reader has access to the trusted public key of the (root) Certificate Authority; This can be done by storing the trusted public key of the (root) Certificate Authority in the reader. The reader 800 does not have to do an explicit verification of the entire certificate (chain) starting from the (root) CA public key each time the card is inserted in the reader. Instead the reader 800 can do the entire verification when a card 805 is inserted for the first time into the reader).

As per claim 10:
Coulier discloses wherein the session comprises at least one of a Web application session, Software as a Service (SaaS) application session, virtual application session, and a virtual desktop session ([0339]: The computer-hosted application is typically hosted by an application server which the user can access via a network; the application is web-based, the application server is a web server, the network is the internet, and the user can access the application by means of a browser on a web-enabled client device; 0376]: In some embodiments the application to be secured comprises a financial application such as an internet-banking application. In other embodiments the application to be secured comprises an e-government such as electronically 

As per claims 11 and 13:
Claims 11 and 13 are directed to a method having substantially similar claimed limitation features as recited in corresponding claims 1 and 5 respectively and therefore, claims 11 and 13 are rejected with the same rationale given above to reject claims 1 and 5 respectively. 

As per claims 21-25 and 28:
Claims 21-25 and 28 are directed to a non-transitory computer-readable medium having computer-executable instructions for causing a computing device to perform steps having substantially similar claimed limitation features as recited in corresponding claims 1, 3-6 and 10 respectively and therefore, claims 21-25 and 28 are rejected with the same rationale given above to reject claims 1, 3-6 and 10 respectively. 

Claims 8-9, 15 and 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Ramanujan et al. (Hereinafter referred to as Ramanujan, US 10715327 B1) in view Coulier et al. (Hereinafter referred to as Coulier, US. Pub. No.: US 20110258452 A1) in further view of Dave et al. (Hereinafter referred to as Dave, US. Pub. No.: US 20160065568 A1)

As per claim 8:


As per claim 9:
Dave discloses wherein the authentication token comprises a polymorphic authentication token (0007; he one or more polymorphic authentication factors may include one or more time-based factors. Additionally or alternatively, the one or more polymorphic authentication factors may include one or more counter-based factors. Additionally or alternatively, the one or more polymorphic authentication factors may include one or more external risk factors. Additionally or alternatively, the one or more polymorphic authentication factors may include one or more geographic factors. Additionally or alternatively, the one or more polymorphic authentication factors may include one or more event-based factors. Additionally or alternatively, the one or more polymorphic authentication factors may include one or more user-specific factors; 0037; 0040-0043).

As per claim 15:
Claim 15 is directed to the method having substantially similar claimed limitation features as recited in corresponding claim 8 and therefore, claim 15 is rejected with the same rationale given above to reject claim 8. 

As per claims 26-26:
. 

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Ramanujan et al. (Hereinafter referred to as Ramanujan, US 10715327 B1) in view Coulier et al. (Hereinafter referred to as Coulier, US. Pub. No.: US 20110258452 A1) in further view of BEN-DAVID et al. (Hereinafter referred to as BEN-DAVID, US. Pub. No.: US 20190372977A1)

As per claim 14:
Ramanujan and Coulier do not explicitly disclose wherein the computing device communicates with the server to access the sessions further based upon a connection lease assigned to the computing device. BEN-DAVID, in analogous art however, discloses wherein the computing device communicates with the server to access the sessions ([0013-0014]:  The token module may also be designed to instruct the computerized device to maintain communication-sessions with said computerized device operated by an agent, and generate a token associated with the communication-session, wherein the token defining a communication lease. The token associated with the communication-session may be sent by the access management system to the agent's device. The access management system may also comprise the computerized device to receive from the token module a token associated with a communication-session and an 

BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI consistent with the applicant’s disclosure as they would be interpreted by one of ordinary skill in the art and the following claim words or terms or phrases or languages have been given to them the following reasonable BRI considerations and context in view of the applicant’s disclosure in order to construe boundary and scope of the claimed limitations. For example, for the following claim 
[Authentication Token and Authentication Credentials: 0004: one of the first and second authentication credentials may comprise a user credential; 0005: one of the first and second authentication credentials may comprise a public key associated with the client device…one of the first and second authentication credentials may comprise a ticket or token pointing to an encrypted user credential stored in cloud storage; 0074: the first and second authentication credentials are different from one another, such as user and device credentials.
[Client : 0029-0030; Server: 0031-0034].
[Connection Lease: 0024: Connection leases (CLs) provide an approach for offline authorized access by client or endpoint devices to resource locations in terms of network connectivity and initial session establishment; 0076: Connection leases provide long-lived authorization to establish a network connection to a virtual delivery appliance 253 (e.g., Citrix VDA), as well as published resource entitlements].
[Authentication credentials are stored in different locations: 0093:  The long-lived authentication token may be polymorphic, in that it may include different types of credentials and/or may have different storage locations of credential blob].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior art.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784.  The examiner can normally be reached on 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.