Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Applicant's submission filed on 1/18/2022 has been entered.   Claims 21-40 are pending.
 Response to Arguments
Applicant's arguments filed 1/18/2022 have been fully considered but they are not persuasive. 
On pages 11-12 of the Remarks, the Applicants argue that Choyi does not determine an updated assurance level associated with the user based on a received authentication result because Choyi only describes determining an aggregate assurance level.
In response, the Examiner respectfully disagrees and submits Guccione at least discloses a Service Provider (SP) requires or performs various combination of authentication factors to a achieve a required assurance (¶ [0024], [0037]-[0039]).  Guccione discloses that a user is authenticated by one of the identity providers (IdPs), and the authentication result is sent to a master IdP.  Then the user is redirect to other identity provides to perform multi-factor authentication until the required assurance level is met (¶ [0024], [0053]-[0054]).  Guccione does not explicitly discloses determining, by the server, an updated assurance level associated with the user at least based on the received authentication result.   However, Choyi discloses each authentication factor is associated with an assurance level, and at least a MFAP, similar to Guccione’s master .   
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

s 21-25, 28-32 and 35-39 are rejected under 35 U.S.C. 103 as being unpatentable over Guccione et al. (US 2015/0319156 hereinafter Guccione) in view of Choyi et al. (US 2016/0050234 hereinafter Choyi).
Regarding claim 21, Guccione discloses a computer-implemented method for online authentication of online attributes, the method including: 
receiving, at a server over an electronic network, an authentication request from a relying party, the authentication request including identity information to be authenticated and credential information to be authenticated (FIG 4 & 11, ¶ [0022]-[0024], [0052]-[0054], [0069]; i.e. receiving at the master Idp from the service provider an user authentication request including user identity and association key, 2-factor required, assurance level or user proof of presence); 
determining, by the server, whether a user account is associated with the received identity information by accessing an internal database (FIG. 4 & 11, ¶ [0037], [0052]; i.e. mapping the user identity with the use identity known by other Idp server(s) and/or mapping user identity to other identities correspond to other identity providers); 
determining, by the server, a required assurance level associated with the authentication request based on the authentication request and the relying party (FIG. 2 & 11, ¶ [0030]-[0033]; i.e. determining an assurance level required by the authority or service provider for different services); 
determining, by the server, an assurance level associated with a user, the user associated with the user account (FIG. 2 & 11, ¶ [0037]-[0039], [0044]-[0045]; i.e. determining the authentication information such as password provided by the user does not meet the required assurance level); 
(FIG. 2 & 11, ¶ [0037]-[0039], [0044]-[0045]; i.e. determining the authentication information such as password provided by the user does not meet the required assurance level); 
as a result of determining that the assurance level associated with the user falls below the required assurance level associated with the authentication request, transmitting, by the server over the electronic network to the user associated with the user account, a request for authentication data (FIG. 2, 4 & 11, ¶ [0024], [0037]-[0039], [0053]-[0054]; i.e. as the result that the user authentication or assurance level does not meet the required assurance level, requesting or redirecting user for multi-factor authentication); 
receiving, at the server over the electronic network, authentication data associated with the user (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. receiving user multi-factor authentication or login credentials); 
transmitting, by the server over the electronic network to a verification data source server, authentication data associated with the user (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. requesting other identity providers perform designated user multi-factor authentication or login credentials); 
receiving, at the server over the electronic network, an authentication result from the verification data source server for the user associated with authentication data (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. receiving authentication assertions from the identity providers).

However, Choyi discloses determining, by the server, an updated assurance level associated with the user at least based on the received authentication result (FIG. 1 & 3, ¶ [0032]-[0034], [0045]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to incorporate Choyi’s teaching into Guccione in order to use multiple devices to achieve strong multi-factor authentication while seamlessly switching between each of the multiple devices (Choyi, ¶ [0002]-[0007], [0025]).
Regarding claim 22, Guccione in view of Choyi discloses the method of claim 21, further comprising: storing, by the server, the authentication data in the user data of the user account associated with the user (Guccione, FIG. 12B, ¶ [0052]; Choyi, ¶ [0025]).
Regarding claim 23, Guccione in view of Choyi discloses the method of claim 21, further comprising: encrypting, by the server, the authentication data in the user data of the user account associated with the user (Guccione, ¶ [0038]; Choyi, ¶ [0033]).
Regarding claim 24, Guccione in view of Choyi discloses the method of claim 21, further comprising: determining, by the server, the required assurance level associated with the authentication request further based on one or more predetermined policies associated with the relying party (Guccione, FIG. 4, ¶ [0052]; Choyi, ¶ [0039]).
Regarding claim 25, Guccione in view of Choyi discloses the method of claim 21, further comprising: determining, by the server, the required assurance level associated 
Regarding claim 28, Guccione discloses a system for online authentication of online attributes, the system including: 
a data storage device that stores instructions system for online authentication of online attributes (FIG. 12B); and 
a processor (FIG. 12B) configured to execute the instructions to perform a method including: 
receiving, over an electronic network, an authentication request from a relying party, the authentication request including identity information to be authenticated and credential information to be authenticated (FIG 4 & 11, ¶ [0022]-[0024], [0052]-[0054], [0069]; i.e. receiving at the master Idp from the service provider an user authentication request including user identity and association key, 2-factor required, assurance level or user proof of presence); 
determining whether a user account is associated with the received identity information by accessing an internal database (FIG. 4 & 11, ¶ [0037], [0052]; i.e. mapping the user identity with the use identity known by other Idp server(s) and/or mapping user identity to other identities correspond to other identity providers); 
determining a required assurance level associated with the authentication request based on the authentication request and the relying party (FIG. 2 & 11, ¶ [0030]-[0033]; i.e. determining an assurance level required by the authority or service provider for different services); 
determining an assurance level associated with a user, the user associated with the user account (FIG. 2 & 11, ¶ [0037]-[0039], [0044]-[0045]; i.e. determining the authentication information such as password provided by the user does not meet the required assurance level); 
comparing the assurance level associated with the user to the required assurance level associated with the authentication request (FIG. 2 & 11, ¶ [0037]-[0039], [0044]-[0045]; i.e. determining the authentication information such as password provided by the user does not meet the required assurance level); 
as a result of determining that the assurance level associated with the user falls below the required assurance level associated with the authentication request, transmitting, over the electronic network to the user associated with the user account, a request for authentication data (FIG. 2, 4 & 11, ¶ [0024], [0037]-[0039], [0053]-[0054]; i.e. as the result that the user authentication or assurance level does not meet the required assurance level, requesting or redirecting user for multi-factor authentication); 
receiving, over the electronic network, authentication data associated with the user (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. receiving user multi-factor authentication or login credentials); 
transmitting, over the electronic network to a verification data source server, authentication data associated with the user (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. requesting other identity providers perform designated user multi-factor authentication or login credentials); 
receiving, over the electronic network, an authentication result from the verification data source server for the user associated with authentication data; and (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. receiving authentication assertions from the identity providers).
Guccione does not explicitly disclose determining an updated assurance level associated with the user at least based on the received authentication result.
However, Choyi discloses determining an updated assurance level associated with the user at least based on the received authentication result (FIG. 1 & 3, ¶ [0032]-[0034], [0045]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to incorporate Choyi’s teaching into Guccione in order to use multiple devices to achieve strong multi-factor authentication while seamlessly switching between each of the multiple devices (Choyi, ¶ [0002]-[0007], [0025]).
Regarding claims 29 and 36, see claim 22 above for the same reasons of rejections.
Regarding claim 30 and 37, see claim 23 above for the same reasons of rejections.
Regarding claim 31 and 38, see claim 24 above for the same reasons of rejections.

Regarding claim 35, see claim 21 above for the same reasons of rejections.
Claims 26-27, 33-34 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Guccione in view of Choyi et al. (US 2016/0050234 hereinafter Choyi) and further in view of Balazs et al. (US 9,444,824 hereinafter Balazs).
Regarding claim 26, Guccione in view of Choyi discloses the method of claim 21.
Guccione does not explicitly discloses wherein the request for authentication level comprises an assurance level request for a one-time-password ("OTP").
However, Balazs discloses wherein the request for authentication level comprises an assurance level request for a one-time-password ("OTP") (col. 19, line 60-col. 20, line 12).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to incorporate Balazs’s teaching into Guccione in view of Choyi in order to raise the assurance level for subsequent requests to detect and prevent fraudulent transactions (Balazs, col. 10, lines 22-33).
Regarding claim 27, Guccione in view of Choyi discloses the method of claim 26, wherein the OTP request is conducted by at least one of an interactive voice response ("IVR") method and a short message service ("SMS") method (Balazs, col. 10, lines 22-33).
Regarding claim 33 and 40, see claim 26 above for the same reasons of rejections.
Regarding claim 34, see claim 27 above for the same reasons of rejections.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHI D NGUY whose telephone number is (571)270-7311. The examiner can normally be reached Monday-Friday 9-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-272-8311.






/C.D.N/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435