DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Objections
Claim 11 is objected to because of the following informalities:
Claim 11 should be corrected as: “…goods or services conducted at a geolocation at a particular point in time…” 
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

Claims 1, 2, 7, 9-10, and 12 are rejected under 35 U.S.C. 103 as being unpatentable over US 2008/0146193 to Bentley et al. (hereinafter, “Bentley”) in view of Y. Albayram et al. (hereinafter, “Albayram”), "Designing challenge questions for location‐based authentication systems: a real‐life study." Human-centric Computing and Information Sciences 5.1 (2015): 1-28.
As per claim 1: Bentley discloses: A computer-implemented method, comprising: under one or more processors (a server 920 is a data processing system [Bentley, ¶0082; Fig. 9]; the elements of Fig. 9 and its associated paragraphs of Bentley depict the second embodiment, where a user of an arbitrary data processing system (instead of the wireless device 110/901 itself, as described in the first embodiment) is attempting to access protected resources of server 920 [Bentley, ¶0076]): (the server 920 generates a challenge question based on the geo-location history of a particular username [Bentley, ¶0084]); receiving, from a second client device, an authentication request for access to a set of service features associated with the first client device (a user of the a data processing system 902 wishes to access a restricted resource and provides the username to the server [Bentley, ¶¶0076, 0082]; an authentication ; transmitting, to the second client device, a subset of authentication challenges from the one or more authentication challenges (presents the authentication challenge to the user [Bentley, ¶0055]); receiving, from the second client device, authentication responses that correspond to the subset of authentication challenges (receive the response at the server [Bentley, ¶0057]); and in response to determining that the authentication responses correspond to correct responses for the subset of authentication challenges, verifying a user identity associated with the first client device (if the response to the challenge is correct, the user is authenticated [Bentley, ¶0063, 0072-0074]).
Bentley does not disclose: monitoring, at a first client device, location-based telemetry data associated with the first client device over a predetermined time interval. However, Albayram is directed to analogous art of using knowledge-based question authentication by generating location-based challenge questions from users’ monitored locations [Albayram, Abstract]. Albayram discloses: monitoring, at a first client device, location-based telemetry data associated with the first client device over a predetermined time interval (“…we leverage users’ location information tracked by smartphones over an extended period to generate challenge questions and authenticate users,” [Albayram, pg. 2]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement a means for obtaining the geo-location data for the database 140 in Bentley, such as by monitoring users over an extended period in Albayram. The means for populating the geo-location history database 140 in Bentley would 

As per claim 2: Bentley in view of Albayram disclose all limitations of claim 1. Furthermore, Bentley discloses: further comprising: granting the second client device with access to the service features associated with the first client device, based at least in part on verifying the user identity associated with the first client device (the user is authenticated before access is granted to one or more resources [Bentley, ¶0082]; the username provided to the server is associated with the user’s wireless device (e.g. wireless device 901) [Bentley, ¶0083, 0086; Fig. 11]).

As per claim 7: Bentley in view of Albayram disclose all limitations of claim 1. Furthermore, Bentley discloses: wherein the location-based telemetry data corresponds to a geolocation visited by the first client device at a particular time of day or day of week (from the geo-location data, challenge questions are generated, such as “What time did you get into work yesterday?” [Bentley, ¶0044-0045]), .
Bentley does not disclose the strikethrough limitations for claim 7. However, Albayram discloses: generating a map of a geographic region that includes the geolocation, and wherein at least one authentication challenge of the subset of authentication challenges includes prompting, via a user interface of the second client device, a response to identify the location on the map of the geographic region as a place visited at the particular time of day or the day of week (in [Albayram, Fig. 4, pg. 11], a question requires the user to click on the location as an answer).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement any reasonable form of challenge questions to test the knowledge of a user. A visual map requiring the user to select a location to answer a location-based question would have more accessible than typing in an answer. This would also have provided a more user-friendly approach for devices with limited typing capabilities (e.g. a smartphone).

As per claim 9: Bentley in view of Albayram disclose all limitations of claim 1. Furthermore, the same motivation for incorporating Albayram with Bentley is also applicable for claim 9. Therefore, Bentley in view of Albayram disclose: wherein monitoring the location-based telemetry data at the first client device (as stated above in claim 1, Albayram discloses tracking user location information by their smartphones) includes identifying a geolocation visited by the first client device within a predetermined time interval (geo-location history databases includes rows for an identifier to the wireless device, time, and location (latitude/longitude) [Bentley, ¶0043-0044; Fig. 3]), the location-based telemetry data further including an event that occurs at the geolocation at a same point in time as a visit by the first client device, a weather condition associated with the geolocation, a landmark associated with the geolocation, or a calendar event associated with the first client device that occurs at the geolocation, and wherein, the one or more authentication challenges are based at least in part on the event, the weather condition, the landmark, or the calendar event (a list of example questions asked are listed, such as: Where were you Tuesday at 14:45? “, “What was the weather when you were last here?” [Bentley, ¶0005-0017]; landmarks are also recorded, e.g. Yankee Stadium [Bentley, ¶0045; fig. 4]).

As per claim 10: Bentley in view of Albayram disclose all limitations of claim 1. Furthermore, Bentley disclose: wherein the location-based telemetry data further includes sensor data associated with a motion of the client device at a geolocation at a particular point in time, and further comprising: determining a motion of the client device at the geolocation at the particular point in time, and wherein at least one authentication challenge of the subset of authentication challenges includes prompting, via a user interface of the second client device, a response to describe the motion of the client device at the geolocation at the particular point in time (recording speed and start/end time between different locations [Bentley, ¶0046; Fig. 5]; questions, such as “How fast were you driving” or “What was your maximum speed during your commute this morning” [Bentley, ¶0012, 0015]).

As per claim 12: Bentley in view of Albayram disclose all limitations of claim 1. Furthermore, Bentley in view of Albayram disclose: wherein the first client device is associated with a telecommunications service account, and wherein the authentication request to access service features corresponds to access to the telecommunications service account (the geo-service account”), and an account number [Bentley, ¶0086; Fig. 11]).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Bentley in view of Albayram in view of US 9,633,322 to Burger (hereinafter, “Burger”).
As per claim 4: Bentley in view of Albayram disclose all limitations of claim 1. Bentley and Albayram do not disclose the features of claim 4. However, Burger discloses: further comprising: analyzing the authentication request to determine an authentication level associated with the set of service features, the authentication level indicating a degree of proprietary data accessible via the set of service features (calculating a risk score of a consumer or the consumer’s device, wherein the risk score is used in consumers’ requests for  authentication [Burger, col. 5, lines 9-28, 44-46]); determining a complexity of individual authentication challenges within the set of authentication challenges; and selecting the subset of authentication challenges from the one or more authentication challenges, based at least in part on the complexity of authentication challenges (generate and present various quantities and/or difficulties of questions to consumers based on the risk score [Burger, col. 5, lines 29-46]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to improve the manner of presenting challenges to users in Bentley by using questions of varying difficulties to users based on each user’s risk level. This .

Claims 5-6 and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bentley in view of Albayram and Burger and in further view of US 2017/0048230 to Johansson et al. (hereinafter, “Johansson”).
As per claim 5: Bentley in view of Albayram and Burger disclose all limitations of claim 4. However, Johansson discloses: further comprising: generating a predetermined assurance threshold that indicates whether the user identity is verified for access to the set of service features, based at least in part on the authentication level (determining a minimum confidence threshold based on at least in part on an account type associated with the account, the secured resources to be accessed by the account, client characteristics, and/or other factors [Johansson, ¶0065]); assigning, individual authentication challenges of the subset of authentication challenges, individual assurance scores that corresponds to a correct response, based at least in part on the complexity of the individual authentication challenges (generating a set of authentication challenges, wherein each challenge is associated with differing authentication point values [Johansson, ¶0066]; point values are variable based on difficulty and correct/incorrect answers [Johansson, ¶0035]); and determining a number of authentication challenges to include within the subset of authentication challenges, based at least in part on the individual assurance scores and the predetermined assurance threshold, and wherein, selecting the subset of authentication challenges from the one or more authentication challenges is further based at least in part on the number of authentication challenges (presenting one or more challenges based on the confidence score and the determined confidence threshold [Johansson, ¶0069]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to enhance the flexibility of authenticating a user by presenting authentication questions with different values that accumulate to a required minimum threshold. This would have enabled a legitimate user to miss some questions while answering enough to get authenticated.
	
As per claim 6: Bentley in view of Albayram, Burger, and Johansson disclose all limitations of claim 5. Furthermore, the same motivation for incorporating Johansson with Bentley, Albayram, and Burger is also applicable for claim 6. Therefore, Bentley in view of Albayram, Burger, and Johansson disclose: further comprising: in response to receiving authentication responses that correspond to the subset of authentication challenges, determining an aggregate of the individual assurance scores for correct responses to the subset of authentication challenges, and wherein, verifying the user identity is based at least in part on the aggregate of the individual assurance scores being greater than or equal to the predetermined assurance threshold (adding the point values corresponding to correct responses to a confidence score and determining if the confidence score is above the minimum threshold to authenticate the user [Johansson, ¶0067-0069]).

As per claim 13: Claim 13 is different in overall scope from claims 1 and 5 but recites substantially similar subject matter as claims 1 and 5. Claim 13 is directed to a system with 

As per claim 14: Claim 14 incorporates all limitations of claim 13 and is a system with functions corresponding to the computer-implemented method of claim 6. Therefore, the arguments set forth above with respect to claims 6 and 13 are equally applicable to claim 14 and rejected for the same reasons.

As per claims 15 and 16: Claims 15 and 16 incorporate all limitations of claim 13 and is a system with functions corresponding to the computer-implemented method of claims 4 and 5. Therefore, the arguments set forth above with respect to claims 4 and 5 are equally applicable to claims 15 and 16 and rejected for the same reasons.

As per claim 17: Claim 17 is different in overall scope from claims 1 and 5 but recites substantially similar subject matter as claims 1 and 5. Claim 17 is directed to a non-transitory computer-readable media storing instructions corresponding to the computer-implemented method of claims 1 and 5. Thus, the response provided above for claim 1 is equally applicable to claim 17.

As per claim 18: Claim 18 incorporates all limitations of claim 17 and is a non-transitory computer-readable media storing instructions corresponding to the computer-implemented 

As per claim 19: Claim 19 incorporates all limitations of claim 18 and is a non-transitory computer-readable media storing instructions corresponding to the computer-implemented method of claim 4. Therefore, the arguments set forth above with respect to claims 4 and 18 are equally applicable to claim 19 and rejected for the same reasons.

As per claim 20: Claim 20 incorporates all limitations of claim 17 and is a non-transitory computer-readable media storing instructions corresponding to the computer-implemented method of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 17 are equally applicable to claim 20 and rejected for the same reasons.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Bentley in view of Albayram in view of US 9,888,337 to McCorkendale et al. (hereinafter, “McCorkendale”).
As per claim 11: Bentley in view of Albayram disclose all limitations of claim 1. Bentley and Albayram do not disclose the features of claim 11. However, McCorkendale is directed to analogous art of generating knowledge-based authentication (KBA) questions for a user from monitored activity that occurred on the user’s mobile device [McCorkendale, Abstract]. McCorkendale discloses: wherein the location-based telemetry data corresponds to a transaction for goods or services conducted a geolocation at a particular point in time (a mobile device agent monitors the activity that occurs on the mobile computing device over , and wherein at least one authentication challenge of the subset of authentication challenges includes prompting, via a user interface of the second client device, a response to describe the transaction for goods or services (from the monitored data, personalized KBA questions, such as: “What were the last two movies you paid to stream?”; “How much did you pay at the Thinking Cup on Hannover Street last Friday?”; or “How much did you pay for the tickets to the last concert that you attended?” [McCorkendale, col. 9, lines 1-14]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement any reasonable form of challenge questions to test the knowledge of a user. Personalized KBA questions that are dynamically generated provide advantages over conventional methods of using passwords, physical possession, and static KBA questions as discussed in the BACKGROUND section of McCorkendale.

Allowable Subject Matter
Claims 3 and 8 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter: 
The claimed invention is directed to using monitored location information of a user’s device to verify or authenticate the user through authentication challenges. The general scope 
US 10,572,653: Discloses generating knowledge-based questions, based on account data and/or previous interactions, to authenticate customers prior to performing high risk activities. Each challenge questions are assigned an authentication score. See col. 5, lines 27-42; col. 7, lines 42-65; Figs 2A-2B, 3. 
US 2018/0084423: Discloses authenticating a user by collecting geolocation data during a period and social media interaction and generating authentication questions based on the collected data and interactions. See Abstract.
US 2017/0053280: Discloses receiving a request for authentication of a user with respect to a desired transaction and prompting the user to answer one or more questions. The questions are based on a log of user location history, user’s associates’ location histories, and aspects of the desired transaction. See [0051]; Fig. 2.
US 2014/0189829: Discloses a question generating engine configured to derive questions based on the location history of a device. A quality engine is used to analyze question and answer metrics to filter out difficult or poor questions that may be used to authenticate users. A user is granted or denied by scoring a 
US 2014/0137219: Discloses utilizing user history data to generate challenge questions personalized to a specific user in addition to utilizing collected location data corresponding to movements of a client device of the user. See [0030]; Fig. 3.
US 2014/0082713: Discloses enrolling a user’s device from which access to a service is authorized. During authentication, questions about the location of the enrolled device are asked to verify a user. See Abstract.
US 2013/0007864: Discloses using social content and geolocation information to generate challenge questions to authenticate users. See [0033]-[0035]. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        2-23-2022