Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a Final Office action in response to communications received November 18, 2021.  Claims 1, 4-7, 10, 12-15, 17, and 18 have been amended.  Claims 2, 3, and 11 have been canceled.  Therefore, claims 1, 4-10, 12-20 are pending and addressed below.

Response to Amendment
Applicant's amendments to claims 1, 4-7, 10, 12-15, 17, 18 and response to arguments are sufficient to overcome the 35 USC 101 rejection of claims 1-20 set forth in the previous Office action.  Therefore, the rejections are withdrawn.

Based on the claim amendments, the Examiner rejects claims 1, 4-10, 12-20 on a new ground of rejection.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 4-10, 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Masters et al. (US2019/0251765 A1, filed 08/11/2015) in view of DiAcetis et al. (US2018/0145990 A1, publish date 05/24/2018) (on Applicant's IDS filed 07/27/2021), in view of Leonard et al. (US2019/0236866 A1, provisional date 01/29/2018), and further in view of Yan (US2006/0236408 A1, publish date 10/19/2006).

Claim 1:
With respect to claim 1, Masters et al. discloses an apparatus (remote authentication service 116, Figures 1, 2, 3) comprising:
a processor (processor 0018, 0024); and
a memory (memory 0018) on which is stored machine-readable instructions that cause the processor to:
receive, through a network connection, a user credential from a terminal (authentication credentials, access control system, Figure 1) (receive first/second authentication credentials from user, Figure 3, 302, 312), wherein the user credential is stored in a machine-readable code on a user device (badge scanners 0027) (e.g., demonstrating possession of a security and/or an identification card, a security token, a hardware token, a software token, a security key, etc., 0032) and the terminal obtained the machine-readable code from the user device (one or more users 110, 112 may communicate with the access control system 102 via one or more physical access control interfaces 114 (e.g., keypads, buttons, biometric scanners, badge scanners, and/or the like) to authenticate physical access to the access-controlled area 104, the authentication credentials may comprise a biometric sensor input, information received from a security key or card in communication with the interface (e.g., using a near field communication ("NFC") standard), and/or the like, 0027-0028) (the access control system 102 may communicate authentication credentials 118, 120 provided by users 110, 112 (e.g., via an interface 114 or the like) to the remote authentication service 116, 0031);
identify at least one authentication factor associated with the user based on the user credential (an access authentication policy may be identified based, at least in part, on the credentials provided to the access control system 102 by the first user, 0049), wherein the at least one authentication factor comprises a physical location associated with the user and/or a time-based factor (policy may articulate one or more rules and/or conditions for allowing the first user access to the access-controlled area, 0050) (an organization may wish to condition physical access based on access time periods (e.g., normal business hours) and/or roles and/or other identity attributes associated with users requesting physical access, 0014) ((e.g., a junior technician attribute) authenticates their rights to gain physical access to the access-controlled area 104, the user 112 may be granted access for a second period of time different than the first period of time (e.g., during normal business hours), 0037);
determine whether the at least one authentication factor indicates that the user is to be granted access to the terminal (access to the access-controlled area 104 may be managed based on an identity of an authenticating user, 0037); and
based on a determination that the at least one authentication factor indicates that the user is to be granted access to the terminal, grant the user access to the terminal (to gain physical access to the access-controlled area 104 may be varied based on one or more attributes associated with authenticating users 110, 112, 0037) (Grant first/second user access to access controlled area, Figure 3, 310, 318).

Masters et al. does not disclose wherein the at least one authentication factor is based on a physical location associated with the user as claimed.

However, DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), wherein the at least one authentication factor is based on a physical location associated with the user (receive a request from a user 101 that requires authentication before the user can access a secured resource, identify a location of a user, determine whether the location is within a predetermined area, may generate permission data allowing the user to access secure data while the user remains within a particular area, 0079-0082, Figure 4).

Masters et al. and DiAcetis et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use DiAcetis et al. in Masters et al. for wherein the at least one authentication factor comprises a physical location associated with the user as claimed for purposes of enhancing the access authentication system of Masters et al. by being beneficial in assisting users and business entities by providing more security to protect 

Leonard et al. teaches a smart identification badge, wherein the authentication module 270 may be configured to acquire the system's location (e.g., the location services 230) to determine the current location of the user/smart identification badge and utilize user credentials (e.g., a user identifier, biometric information and/or login credentials) (0061) (Figures 1B, 2B, 4C), and the terminal obtained the machine-readable code from the user device (the user provides each input to the smart identification badge which in turn communicates with the remote server 430 using the network 420 to determine the user's access privileges for their current location, 0081) (a smart identification system may include a reusable badge, may utilize location services (e.g. GPS, NFC, or other location service) and user authentication to determine whether the badge should display a visual indicator to show that a user is authorized to be present in an area, 0069) (the user authentication may be embedded in the smart identification, 0070) (the smart identification badge may include a GPS receiver or other sensors to verify the current location of the user (e.g. using GPS), the smart identification badge may connect to the smart identification application and access the smartphone's location services, the system may then determine the user's access privileges at their current secure location (S320). For example, a user may have access rights at certain secure locations at certain times and for certain periods of time, 0072).

Masters et al., DiAcetis et al., and Leonard et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Leonard et al. in Masters et al. and DiAcetis et al. for the terminal obtained the machine-readable code from the user device as claimed for purposes of enhancing the access authentication system of Masters et al. and DiAcetis et al. by providing a more time-effective and secure system for verifying a person's identity and access rights (see Leonard et al. 0003).

Neither Masters et al., DiAcetis et al., nor Leonard et al. discloses determine a security level associated with the terminal; select, from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the terminal; identify, from the selected authentication policy, at least one authentication factor associated with the user based on the user credential as claimed. 

Yan teaches an administrator may control access to resources based on security levels of the individual devices used by the user, in addition to user roles (0041), matrix 500 is a three-dimensional matrix that includes user role axis 502, resource axis 504, and device axis 506 (0038-0039), determine a security level associated with the terminal; select, from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the terminal; identify, from the selected authentication policy, at least one authentication factor associated with the user based on the user credential (performs a lookup of the matrix based on a user role of the user device, a type and security level of user device, and the resource requested, and determines based on one of a plurality of devices of the device axis. If permission is granted to the user device, the module allows the user device to access the resource based on the permission. However, if the permission is not granted, the module denies the user device access to the resource and sends a warning to the user device, 0012) (After a user logs into the server successfully (step 708), the device dependent access control module on a server detects the client device type and security level (step 710). Based on the user role, device type and security levels in the matrix assignment tables, the module looks up the matrix tables for a given user and a given device type or security for the specific resource (step 712) and determines if the combination has access to a resource based on the permissions in the content of the matrix (step 714), 0045, Figure 7).

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Yan in Masters et al., DiAcetis et al., and Leonard et al. for determine a security level associated with the terminal; select, from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the terminal; identify, from the selected authentication policy, at least one authentication factor associated with the user based on the user credential as claimed for purposes of enhancing the access authentication system of Masters et al., DiAcetis et al., and Leonard et al. by dynamically configuring new devices based not only on user role access control but also on device security to achieve fine-grained access control, such that sensitive data may only be delivered to secured devices (see Yan 0009-0010).

Claims 4, 12:
With respect to claims 4, 12, the combination of Masters et al., DiAcetis et al., Leonard et al., and Yan discloses the limitations of claims 1, 10, as addressed. 

DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), wherein the determined authentication policy includes the physical location associated with the user (identify location associated with a user, Figure 4, 405) (determine whether location is within a predetermined area, Figure 4, 407) and wherein the instructions cause the processor to:
determine the physical location of the user when the terminal obtained the machine-readable code from the user device (identify location associated with a user, Figure 4, 405);
determine whether the physical location of the user is within an approved physical location of the user when the terminal obtained the machine-readable code from the user device to determine whether the at least one authentication factor indicates that the user is to be granted access to the terminal (determine whether location is within a predetermined area, Figure 4, 407); and
determine that the user is to be granted access to the terminal based on a determination that the physical location of the user is within the approved physical location (generate permission data, Figure 4, 413) (receive a request from a user 101 that requires authentication before the user can access a secured resource, identify a location of a user, determine whether the location is within a predetermined area, may generate permission data allowing the user to access secure data while the user remains within a particular area, 0079-0082, Figure 4).

Masters et al. and DiAcetis et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

The motivation for combining Masters et al. and DiAcetis et al. is recited in claims 1, 10.  

Claims 5, 14:
With respect to claims 5, 14, the combination of Masters et al., DiAcetis et al., Leonard et al., and Yan discloses the limitations of claims 1, 10, as addressed. 

DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), wherein the determined authentication policy includes the physical location associated with the user (identify location associated with a user, Figure 4, 405) (determine whether location is within a predetermined area, Figure 4, 407) and wherein the instructions cause the processor to:
determine the physical location of the user when the terminal obtained the machine-readable code from the user device; determine whether the user is currently or was recently logged into another terminal at a different geographic location to determine whether the at least one authentication factor indicates that the user is to be granted access to the terminal; and determine that the user is not to be granted access to the terminal based on a determination that the user is currently or was recently logged into another terminal at the different geographic location (As a user travels through rooms and hallways of a building, the system can determine whether or not to continue to allow access to secured data or continue to authorize the user to perform a requested operation.  For example, the system can authorize the user to access the data or perform the requested operation while in one area of the building, but not in other areas of the building, 0011).

The motivation for combining Masters et al. and DiAcetis et al. is recited in claims 1, 10.

Claims 6, 13:
With respect to claims 6, 13, the combination of Masters et al., DiAcetis et al., Leonard et al., and Yan discloses the limitations of claims 1, 10, as addressed.

DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), wherein the determined authentication policy includes the physical location associated with the user (identify location associated with a user, Figure 4, 405) (determine whether location is within a predetermined area, Figure 4, 407) and wherein the instructions cause the processor to:
determine a movement of the user prior to when the terminal obtained the machine-readable code from the user device; determine whether the movement of the user complies with a predefined movement prior to when the terminal obtained the machine-readable code from the user device to determine whether the at least one authentication factor indicates that the user is to be granted access to the terminal (The positioning data can indicate a position of a user in an outdoor environment or an indoor environment, the positioning data can indicate that the user is within a particular room of a building, near a particular resource (e.g., a printer) within the building, and the like, indoor map data identifies resources of the indoor environment, 0009) (the positioning data can be used by the system to identify movement patterns of user devices, 0010) (receive a request from a user 101 that requires authentication before the user can access a secured resource, identify a location of a user, determine whether the location is within a predetermined area, may generate permission data allowing the user to access secure data while the user remains within a particular area, 0079-0082, Figure 4); and
determine that the user is to be granted access to the terminal based on a determination that the movement of the user complies with the predefined movement (the system authorizes the user to perform the requested operation (e.g., change a password, access an account, access secured data, access a secure location, and the like), 0005).

Masters et al. and DiAcetis et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

The motivation for combining Masters et al. and DiAcetis et al. is recited in claims 1, 10.

Claims 7, 15:
With respect to claims 7, 15, the combination of Masters et al., DiAcetis et al., Leonard et al., and Yan discloses the limitations of claims 1, 10, as addressed. 

Masters et al. discloses wherein the determined authentication policy includes the time-based factor (the user 112 may be granted access for a second period of time different than the first period of time (e.g., during normal business hours), 0037) and wherein the instructions cause the processor to:
determine whether the user is scheduled to be on-duty when the terminal obtained the machine-readable code from the user device to determine whether the at least one authentication factor indicates that the user is to be granted access to the terminal; and
determine that the user is to be granted access to the terminal based on a determination that the user is scheduled to be on-duty when the terminal obtained the machine-readable code from the user device (an organization may wish to condition physical access based on access time periods (e.g., normal business hours) and/or roles and/or other identity attributes associated with users requesting physical access, 0014) ((e.g., a junior technician attribute) authenticates their rights to gain physical access to the access-controlled area 104, the user 112 may be granted access for a second period of time different than the first period of time (e.g., during normal business hours), 0037).

DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), wherein the user is scheduled (contextual data, e.g., a user's schedule, 0006).

Masters et al. and DiAcetis et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

The motivation for combining Masters et al. and DiAcetis et al. is recited in claims 1, 10.

Claims 8, 16, 19:
With respect to claims 8, 16, 19, the combination of Masters et al., DiAcetis et al., Leonard et al., and Yan discloses the limitations of claims 1, 10, 17, as addressed. 

Masters et al. discloses wherein the instructions cause the processor to:
access a statistical model of the user; and determine whether the at least one authentication factor indicates that the user is to be granted access to the terminal based on the statistical model of the user (data relating to physical access to the access-controlled area 104 may be generated and stored by the access control system 102, access information 136 may comprise, without limitation, information regarding which user 110, 112 physically accessed the access-controlled area 104, a time of such access, and/or any other information relating to such access, 0043). 

DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), access a statistical model of the user (contextual data, e.g., a user's schedule, calendar invitations, emails, text messages, indicates they had a meeting in his or her manager's office within a predetermined time, the system can track the user's location to determine if the user's pattern of movement is consistent with the activity indicated in the contextual data, 0006).

Masters et al. and DiAcetis et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

The motivation for combining Masters et al. and DiAcetis et al. is recited in claims 1, 10, 17.

Claim 8:
With respect to claim 8, the combination of Masters et al., DiAcetis et al., Leonard et al., and Yan discloses the limitations of claim 1, as addressed. 

Masters et al. discloses wherein the machine-readable code comprises a quick response code, a bar code, or a graphical code, and wherein the user device comprises a user-wearable device or a badge (badge scanners 0027) (e.g., demonstrating possession of a security and/or an identification card, a security token, a hardware token, a software token, a security key, etc., 0032).

DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), device comprises a user-wearable device or a badge (wearable computer, including a head-mounted display (HMD) or a watch, or any other computing device having components for interacting with one or more users 101, 0056).

Leonard et al. teaches wherein the machine-readable code comprises a quick response code, a bar code, or a graphical code, and wherein the user device comprises a user-wearable device or a badge (using a smart identification system may include a reusable badge, determine whether the badge should display a visual indicator to show that a user is authorized to be present in an area, 0069) (the marker may be a physical marker that is visually recognizable such as a QR code, 0071).

Masters et al. and DiAcetis et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

The motivation for combining Masters et al. and DiAcetis et al. is recited in claim 1.

Claim 10:
With respect to claim 10, Masters et al. discloses a method (remote authentication service 116, Figures 1, 2, 3) comprising:
receiving, by a processor through a network connection (processor 0018, 0024), a user credential from a terminal (badge scanners 0027) (authentication credentials, access control system, Figure 1) (receive first/second authentication credentials from user, Figure 3, 302, 312), wherein the user credential is stored in a machine-readable code on a user device (badge scanners 0027) (e.g., demonstrating possession of a security and/or an identification card, a security token, a hardware token, a software token, a security key, etc., 0032) and wherein a terminal obtained the machine-readable code from the user device to obtain the user credential (one or more users 110, 112 may communicate with the access control system 102 via one or more physical access control interfaces 114 (e.g., keypads, buttons, biometric scanners, badge scanners, and/or the like) to authenticate physical access to the access-controlled area 104, the authentication credentials may comprise a biometric sensor input, information received from a security key or card in communication with the interface (e.g., using a near field communication ("NFC") standard), and/or the like, 0027-0028) (the access control system 102 may communicate authentication credentials 118, 120 provided by users 110, 112 (e.g., via an interface 114 or the like) to the remote authentication service 116, 0031);
determining, by the processor, an authentication policy to be applied to authenticate the user (an access authentication policy may be identified based, at least in part, on the credentials provided to the access control system 102 by the first user, 0049), the authentication policy identifying at least one authentication factor comprising a physical location associated with the user and/or a time-based factor (policy may articulate one or more rules and/or conditions for allowing the first user access to the access-controlled area, 0050) (an organization may wish to condition physical access based on access time periods (e.g., normal business hours) and/or roles and/or other identity attributes associated with users requesting physical access, 0014) ((e.g., a junior technician attribute) authenticates their rights to gain physical access to the access-controlled area 104, the user 112 may be granted access for a second period of time different than the first period of time (e.g., during normal business hours), 0037);
determining, by the processor, whether the at least one authentication factor indicates that the user is to be granted access to the terminal (access to the access-controlled area 104 may be managed based on an identity of an authenticating user, 0037); and 
granting, by the processor, the user access to the terminal based on a determination that the at least one authentication factor indicates that the user is to be granted access to the terminal (to gain physical access to the access-controlled area 104 may be varied based on one or more attributes associated with authenticating users 110, 112, 0037) (Grant first/second user access to access controlled area, Figure 3, 310, 318).

Masters et al. does not disclose wherein the at least one authentication factor comprises a physical location associated with the user as claimed.

However, DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), wherein the at least one authentication factor comprises a physical location associated with the user (receive a request from a user 101 that requires authentication before the user can access a secured resource, identify a location of a user, determine whether the location is within a predetermined area, may generate permission data allowing the user to access secure data while the user remains within a particular area, 0079-0082, Figure 4).

Masters et al. and DiAcetis et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

Leonard et al. teaches a smart identification badge, wherein the authentication module 270 may be configured to acquire the system's location (e.g., the location services 230) to determine the current location of the user/smart identification badge and utilize user credentials (e.g., a user identifier, biometric information and/or login credentials) (0061) (Figures 1B, 2B, 4C), and the terminal obtained the machine-readable code from the user device (the user provides each input to the smart identification badge which in turn communicates with the remote server 430 using the network 420 to determine the user's access privileges for their current location, 0081) (a smart identification system may include a reusable badge, may utilize location services (e.g. GPS, NFC, or other location service) and user authentication to determine whether the badge should display a visual indicator to show that a user is authorized to be present in an area, 0069) (the user authentication may be embedded in the smart identification, 0070) (the smart identification badge may include a GPS receiver or other sensors to verify the current location of the user (e.g. using GPS), the smart identification badge may connect to the smart identification application and access the smartphone's location services, the system may then determine the user's access privileges at their current secure location (S320). For example, a user may have access rights at certain secure locations at certain times and for certain periods of time, 0072).

Masters et al., DiAcetis et al., and Leonard et al. are analogous art because they are from the same field of endeavor of access based authentication factors.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Leonard et al. in Masters et al. and DiAcetis et al. for the terminal obtained the machine-readable code from the user device as claimed for purposes of enhancing the access authentication system of Masters et al. and DiAcetis et al. by providing a more time-effective and secure system for verifying a person's identity and access rights (see Leonard et al. 0003).

Neither Masters et al., DiAcetis et al., nor Leonard et al. discloses determining, by the processor, a type of the terminal; determining a security level associated with the determined type of the terminal; selecting, by the processor, and from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the determined type of the terminal, and wherein the selected 

Yan teaches an administrator may control access to resources based on security levels of the individual devices used by the user, in addition to user roles (0041), matrix 500 is a three-dimensional matrix that includes user role axis 502, resource axis 504, and device axis 506, device axis 506 may represent security levels of different devices, if device axis 506 represents individual devices, device 1 508 may represent a PDA while device 2 510 may represent a smart phone, device axis 506 may represent devices or device groups with different security levels (0038-0039), determining, by the processor, a type of the terminal; determining a security level associated with the determined type of the terminal; selecting, by the processor, and from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the determined type of the terminal, and wherein the selected authentication policy identifies at least one authentication factor that is based on associated with the user credential (performs a lookup of the matrix based on a user role of the user device, a type and security level of user device, and the resource requested, and determines based on one of a plurality of devices of the device axis. If permission is granted to the user device, the module allows the user device to access the resource based on the permission. However, if the permission is not granted, the module denies the user device access to the resource and sends a warning to the user device, 0012) (After a user logs into the server successfully (step 708), the device dependent access control module on a server detects the client device type and security level (step 710). Based on the user role, device type and security levels in the matrix assignment tables, the module looks up the matrix tables for a given user and a given device type or security for the specific resource (step 712) and determines if the combination has access to a resource based on the permissions in the content of the matrix (step 714), 0045, Figure 7).

Masters et al., DiAcetis et al., Leonard et al., and Yan are analogous art because they are from the same field of endeavor, namely access control based on authentication factors.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Yan in Masters et al., DiAcetis et al., and Leonard et al. for determining, by the processor, a type of the terminal; determining a security level associated with the determined type of the terminal; selecting, by the processor, and from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the determined type of the terminal, and wherein the selected authentication policy identifies at least one authentication factor associated with the user credential, as claimed, for the purpose of enhancing the access authentication system of Masters et al., DiAcetis et al., and Leonard et al. by dynamically configuring new devices based not only on user-role access control but also on device security level, to achieve fine-grained access control such that sensitive data may only be delivered to secured devices (see Yan 0009-0010).
Claim 17:
With respect to claim 17, Masters et al. discloses a computer-readable medium on which is stored computer-readable instructions (remote authentication service 116, Figures 1, 2, 3) that when executed by a processor (processor 0018, 0024), cause the processor to:
receive, through a network connection, a user credential from a terminal (authentication credentials, access control system, Figure 1) (receive first/second authentication credentials from user, Figure 3, 302, 312), wherein the user credential is stored in a machine-readable code on a user device (badge scanners, 0027) (e.g., demonstrating possession of a security and/or an identification card, a security token, a hardware token, a software token, a security key, etc., 0032) and the terminal obtained the machine-readable code from the user device (one or more users 110, 112 may communicate with the access control system 102 via one or more physical access control interfaces 114 (e.g., keypads, buttons, biometric scanners, badge scanners, and/or the like) to authenticate physical access to the access-controlled area 104; the authentication credentials may comprise a biometric sensor input, information received from a security key or card in communication with the interface (e.g., using a near field communication ("NFC") standard), and/or the like, 0027-0028) (the access control system 102 may communicate authentication credentials 118, 120 provided by users 110, 112 (e.g., via an interface 114 or the like) to the remote authentication service 116, 0031);
identify at least one authentication factor associated with the user based on the user credential (an access authentication policy may be identified based, at least in part, on the credentials provided to the access control system 102 by the first user, 0049), wherein the at least one authentication factor comprises a physical location associated with the user and/or a time-based factor (the policy may articulate one or more rules and/or conditions for allowing the first user access to the access-controlled area, 0050) (an organization may wish to condition physical access based on access time periods (e.g., normal business hours) and/or roles and/or other identity attributes associated with users requesting physical access, 0014) (when a second user associated with a second attribute (e.g., a junior technician attribute) authenticates their rights to gain physical access to the access-controlled area 104, the user 112 may be granted access for a second period of time different than the first period of time (e.g., during normal business hours), 0037);
compare the at least one authentication factor against authentication information (access to the access-controlled area 104 may be managed based on an identity of an authenticating user, 0037);
determine whether the comparison indicates that the user is to be granted access to the terminal; and based on a determination that the user is to be granted access to the terminal, grant the user access to the terminal (to gain physical access to the access-controlled area 104 may be varied based on one or more attributes associated with authenticating users 110, 112, 0037) (Grant first/second user access to access controlled area, Figure 3, 310, 318).

Leonard et al. teaches a smart identification badge in which the authentication module 270 may be configured to acquire the system's location (e.g., from the location services 230) (0061) (Figures 1B, 2B, 4C), and teaches that the terminal obtained the machine-readable code from the user device (the user provides each input to the smart identification badge, which in turn communicates with the remote server 430 using the network 420 to determine the user's access privileges for their current location, 0081) (a smart identification system may include a reusable badge and may utilize location services (e.g., GPS, NFC, or other location service) and user authentication to determine whether the badge should display a visual indicator to show that a user is authorized to be present in an area, 0069) (the user authentication may be embedded in the smart identification, 0070) (the smart identification badge may include a GPS receiver or other sensors to verify the current location of the user (e.g., using GPS), or may connect to the smart identification application and access the smartphone's location services; the system may then determine the user's access privileges at their current secure location (S320); for example, a user may have access rights at certain secure locations at certain times and for certain periods of time, 0072).

Masters et al., DiAcetis et al., and Leonard et al. are analogous art because they are from the same field of endeavor, namely access control based on authentication factors.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Leonard et al. in Masters et al. and DiAcetis et al. for the 

Neither Masters et al., DiAcetis et al., nor Leonard et al. discloses determine a security level associated with the terminal; select, from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the terminal; identify, from the selected authentication policy, at least one authentication factor associated with the user based on the user credential as claimed. 

Yan teaches that an administrator may control access to resources based on the security levels of the individual devices used by the user, in addition to user roles (0041); matrix 500 is a three-dimensional matrix that includes user role axis 502, resource axis 504, and device axis 506; device axis 506 may represent security levels of different devices, or, if device axis 506 represents individual devices, device 1 508 may represent a PDA while device 2 510 may represent a smart phone; device axis 506 may represent devices or device groups with different security levels (0038-0039). Yan thereby teaches determining a security level associated with the terminal; selecting, from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the terminal; and identifying, from the selected authentication policy, at least one authentication factor (the module performs a lookup of the matrix based on a user role of the user device, a type and security level of the user device, and the resource requested, and determines the permission based on one of a plurality of devices of the device axis; if permission is granted to the user device, the module allows the user device to access the resource based on the permission; however, if the permission is not granted, the module denies the user device access to the resource and sends a warning to the user device, 0012) (after a user logs into the server successfully (step 708), the device dependent access control module on the server detects the client device type and security level (step 710); based on the user role, device type and security levels in the matrix assignment tables, the module looks up the matrix tables for a given user and a given device type or security level for the specific resource (step 712) and determines whether the combination has access to the resource based on the permissions in the content of the matrix (step 714), 0045, Figure 7).

Masters et al., DiAcetis et al., Leonard et al., and Yan are analogous art because they are from the same field of endeavor, namely access control based on authentication factors.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Yan in Masters et al., DiAcetis et al., and Leonard et al. for determining a security level associated with the terminal; selecting, from a plurality of authentication policies, an authentication policy to be applied to authenticate the user, wherein the authentication policy is selected based on the determined security level associated with the terminal; and identifying, from the selected authentication policy, at least one authentication factor associated with the user based on the user credential, as claimed, for the purpose of enhancing the access authentication system of Masters et al., DiAcetis et al., and Leonard et al. by dynamically configuring new devices based not only on user-role access control but also on device security level, to achieve fine-grained access control such that sensitive data may only be delivered to secured devices (see Yan 0009-0010).

Claim 18:
With respect to claim 18, the combination of Masters et al., DiAcetis et al., Leonard et al., and Yan discloses the limitations of claim 17, as addressed above.

Yan teaches that an administrator may control access to resources based on the security levels of the individual devices used by the user, in addition to user roles (0041); matrix 500 is a three-dimensional matrix that includes user role axis 502, resource axis 504, and device axis 506; device axis 506 may represent security levels of different devices, or, if device axis 506 represents individual devices, device 1 508 may represent a PDA while device 2 510 may represent a smart phone; device axis 506 may represent devices or device groups with different security levels (0038-0039). Yan thereby teaches wherein the instructions further cause the processor to: determine a type of the terminal; determine a security level associated with the determined type of the terminal; and select the authentication policy to be applied to authenticate the user based on the determined security level associated with the determined type of the terminal (the module performs a lookup of the matrix based on a user role of the user device, a type and security level of the user device, and the resource requested, and determines the permission based on one of a plurality of devices of the device axis; if permission is granted to the user device, the module allows the user device to access the resource based on the permission; however, if the permission is not granted, the module denies the user device access to the resource and sends a warning to the user device, 0012) (after a user logs into the server successfully (step 708), the device dependent access control module on the server detects the client device type and security level (step 710); based on the user role, device type and security levels in the matrix assignment tables, the module looks up the matrix tables for a given user and a given device type or security level for the specific resource (step 712) and determines whether the combination has access to the resource based on the permissions in the content of the matrix (step 714), 0045, Figure 7).

Masters et al., DiAcetis et al., Leonard et al., and Yan are analogous art because they are from the same field of endeavor, namely access control based on authentication factors.

The motivation for combining Masters et al., DiAcetis et al., Leonard et al., and Yan is recited in the rejection of claim 17.
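The Yan passages relied on in the rejections of claims 10, 17 and 18 above describe one procedure: detect the client device type and its security level (step 710), look up a role x resource x device matrix (steps 712-714), and, as claimed, let the terminal's security level pick the authentication policy and the factors that policy requires. The following is an editor-added illustration of that procedure in Python; it is not code from the Office action, from Yan, or from the applicant. The terminal types, security levels, policy names, factor names, the matrix contents and the sample credential directory are all assumptions made for the example. One deliberate design point: an unrecognized terminal type is refused rather than mapped to a default level, because a policy chosen for the wrong level is the failure mode a reviewer of such a system would look for first.

```python
"""Device-type-aware authentication-policy selection and 3-D matrix lookup.

Editor-added example, not from the Office action or any cited reference.
Every name, level, policy, matrix entry and sample input below is assumed
for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    LOW = 1       # e.g. shared kiosk, unmanaged PDA (assumed)
    MEDIUM = 2    # e.g. enrolled smartphone (assumed)
    HIGH = 3      # e.g. managed badge reader inside the perimeter (assumed)


# Terminal type -> security level (step 710 analogue). There is no default
# entry on purpose: unknown types are rejected by decide(), i.e. fail closed.
TERMINAL_LEVELS = {
    "kiosk": Level.LOW,
    "pda": Level.LOW,
    "smartphone": Level.MEDIUM,
    "managed-reader": Level.HIGH,
}


@dataclass(frozen=True)
class Policy:
    name: str
    require_location: bool          # location factor, as in Leonard/DiAcetis
    require_time_window: bool       # time-based factor, as in Masters
    second_factor: Optional[str] = None   # assumed additional factor name


# The "plurality of authentication policies", keyed by security level.
# Less trusted terminals demand more factors before the credential counts.
POLICIES = {
    Level.HIGH: Policy("trusted-terminal", require_location=False,
                       require_time_window=False),
    Level.MEDIUM: Policy("mobile", require_location=True,
                         require_time_window=True),
    Level.LOW: Policy("untrusted-terminal", require_location=True,
                      require_time_window=True, second_factor="pin"),
}

# Three-dimensional permission matrix (role, resource, device level), in the
# spirit of Yan's matrix 500. An entry exists only where access is allowed.
MATRIX = {
    ("senior-tech", "server-room", Level.HIGH),
    ("senior-tech", "server-room", Level.MEDIUM),
    ("senior-tech", "lobby", Level.LOW),
    ("junior-tech", "lobby", Level.LOW),
    ("junior-tech", "lobby", Level.MEDIUM),
    ("junior-tech", "lobby", Level.HIGH),
}


@dataclass
class AuthInfo:
    """Stored authentication information for one credential (assumed shape)."""
    role: str
    allowed_site: str
    window: tuple[time, time]       # permitted access window (may wrap midnight)
    pin: Optional[str] = None


@dataclass
class Request:
    credential: str
    terminal_type: str
    resource: str
    site: str                       # where the terminal reports the user is
    at: datetime
    second_factor_value: Optional[str] = None


def security_level(terminal_type: str) -> Optional[Level]:
    """Map the detected terminal type to a security level; None if unknown."""
    return TERMINAL_LEVELS.get(terminal_type.lower())


def select_policy(level: Level) -> Policy:
    """Select the authentication policy for the determined security level."""
    return POLICIES[level]


def _in_window(at: datetime, window: tuple[time, time]) -> bool:
    start, end = window
    t = at.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)


def decide(req: Request, directory: dict[str, AuthInfo]) -> tuple[bool, str]:
    """Return (granted, reason). Every failure path is explicit and denies."""
    info = directory.get(req.credential)
    if info is None:
        return False, "unknown credential"
    level = security_level(req.terminal_type)
    if level is None:
        return False, "unknown terminal type"           # fail closed
    policy = select_policy(level)
    # Factors identified by the selected policy, compared against stored info.
    if policy.require_location and req.site != info.allowed_site:
        return False, f"{policy.name}: location factor failed"
    if policy.require_time_window and not _in_window(req.at, info.window):
        return False, f"{policy.name}: time factor failed"
    if policy.second_factor == "pin" and req.second_factor_value != info.pin:
        return False, f"{policy.name}: second factor failed"
    # Steps 712-714 analogue: role x resource x device-level lookup.
    if (info.role, req.resource, level) not in MATRIX:
        return False, "matrix: no permission for role/resource/device"
    return True, f"{policy.name}: granted"


def make_request(credential: str, terminal_type: str, resource: str, site: str,
                 hour: int, minute: int = 0, pin: Optional[str] = None) -> Request:
    """Build a request at a fixed constructed date (helper for the examples)."""
    return Request(credential, terminal_type, resource, site,
                   datetime(2022, 3, 1, hour, minute), pin)


# Constructed sample directory (not real credentials).
DIRECTORY = {
    "badge-1001": AuthInfo("senior-tech", "plant-a", (time(0, 0), time(23, 59)), pin="4711"),
    "badge-2002": AuthInfo("junior-tech", "plant-a", (time(9, 0), time(17, 0)), pin="1234"),
}

if __name__ == "__main__":
    print(decide(make_request("badge-1001", "smartphone", "server-room", "plant-a", 10), DIRECTORY))
    print(decide(make_request("badge-1001", "kiosk", "server-room", "plant-a", 10, pin="4711"), DIRECTORY))
```

Note the two distinct checks: the policy's factors are evaluated first (a low-trust kiosk forces a PIN and a location match that a managed reader does not), and only then does the matrix decide whether this role may reach this resource from a terminal of this level; a senior technician with a valid PIN at a kiosk still cannot open the server room, because no matrix entry grants that combination.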

Claim 20:
With respect to claim 20, Masters et al. discloses wherein the authentication information comprises information that identifies properties pertaining to instances in which the user is to be granted access to the terminal (for example, group membership information, user role information (e.g., authorized service technician, seniority, supervisory rights, etc.), 0036) (when a first user (e.g., "User 1" 110) associated with a first attribute (e.g., a senior technician attribute) authenticates their rights to gain physical access to the access-controlled area 104, the user 110 may be granted access for a first period of time (e.g., 24 hours); a role-based policy may articulate that when a second user (e.g., "User 2" 112) associated with a second attribute (e.g., a junior technician attribute) authenticates their rights to gain physical access to the access-controlled area 104, the user 112 may be granted access for a second period of time different than the first period of time (e.g., during normal business hours), 0037).

DiAcetis et al. teaches multi-factor authentication using positioning data (0003) (Figure 1A), wherein the authentication information comprises information that identifies properties pertaining to instances in which the user is to be granted access to the terminal (the techniques disclosed herein can be applied to a school, a store, a factory, an oil refinery, or any other environment that may benefit from a system that can provide different levels of access for different resources to individual identities or select groups of identities, 0026).

Masters et al. and DiAcetis et al. are analogous art because they are from the same field of endeavor, namely access control based on authentication factors.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi, whose telephone number is 571-270-7468.  The examiner can normally be reached Monday through Friday from 9 am to 5 pm, with every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433