Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	This action is in response to the original claims filed 49/04/2019.  Claims 1-27 are pending.  Claims 1 (a transitory CRM), 11 (a method), 20 (a software machine), and 24 (a means for) are independent.  Claims 1-11 and 20 have been amended.

Claim Objections
Claims 5 and 15 objected to under 37 CFR 1.75(c) as being in improper form because a multiple dependent claim must be in the alternative only.  See MPEP § 608.01(n).  

Response to Arguments
Applicant's arguments filed 12/14/2021 have been fully considered but they are not persuasive. 
As to the 112(b) rejection of claims 24-27, on page 7 of the remarks Applicant notes Figure 8 as the “structure” for the means for limitations in claim 24.  Figure 8 showing a generic computer. 
The “means for” of claim 24 are shown in Applicant’s figure 4, which is described in Applicant’s ¶ 72: “Fig. 4 is flow diagram of a second example method 160 suitable for use with the embodiments of Figs. 1-3. The second example method 160 facilitates 

    PNG
    media_image1.png
    586
    711
    media_image1.png
    Greyscale

Thus, the “means for” of claim 24 are shown in element 18 of Applicant’s figure 1, a software “Add-In” within a client side program.  Software does not have physical structure and a “means for” 112(f) interpretation requires physical structure.  Software cannot invoke 112(f); therefore, the “means for” of claim 24 improperly invoke 112(f) as they lack structure. 
That software may function within a generic computer is irrelevant as the “structure” must be particular to the function performed by the means.


With respect to the 102 rejection of claims 1, 11, 20, and 24, on page 8 Applicant remarks that “The service providers [of Shah] engag[e] in manual configuration by specifying policies regarding the different factors for authorization in order to increase, for example, the Samsung S5’s authentication to the same level as the iPhone 5S (see Shah 0030)”. 

Applicant’s argument is not persuasive because Applicant is ostensibly arguing that the claimed feature “obviating manual configuration of parameters governing an authentication method” applies to every component of an authentication system at all times.  In other words, that the claimed system figures out how to authenticate a user without ever receiving configurations or programming from a human.  Applicant’s specification does not support this interpretation and such a system would seem to lack enablement. 

Scope of claim 1: “obviating manual configuration of parameters governing an authentication method”.
This is discussed in Applicant’s ¶ 36. But, ¶ 36 is describing the benefit of the preceding ¶ 35:
In the present example embodiment, the add-in 18 interrogates the web service or API 26 to determine which type of authentication mechanism is in use and then adapts its behavior accordingly to allow authorized users to interact with 
Thus, the add-in 18, using authentication module 20, obtains authentication schemes from the web service/API 26 and selects therefrom.  An automated selection of authentication factors that avoids a manual selection. (see Applicant’s figure 1, reproduced above).
Further context is provided in Applicant’s ¶¶ 26 and 27.
“Conventionally, a user or developer manually provides configuration parameters (identifying the type of authentication to be employed when interacting with the web service, and so on) that govern the authentication method to be used by the client-side software.
Furthermore, the requisite authentication configuration settings (e.g., specifying which authentication method to use) for client-side software can change between the development phase and the production phase.” (Applicant’s ¶¶ 26-27)
Thus, the configuration settings obtained from the web service in ¶ 35 avoid the need for developers/programmers of the add-in 18 to pre-select the authentication mechanism.  

“the web service or API 26 of Fig. 1 responds to the interrogation, such as by providing authentication-method information describing or otherwise implying or indicating the type of authentication method employed by the web service or API 26 of Fig. 1.” (Applicant’s ¶ 40, the web services configured authentication types)
“…to determine the appropriate authentication method to use and that the authentication module 20 can successfully facilitate implementing the specified type of authentication, i.e., that the specified type of authentication corresponds to one of the subsequent sub-flows 122-126.” (Applicant’s ¶ 41, the add-in’s authentication types)
	Thus, the configuration settings of both the web service and the add-in are previously (manually) provided by developers.  However, the choice of which authentication to perform, during authentication, is performed automatically (obviating the necessity of developers to pre-select the method).

	In summary, when “obviating manual configuration of parameters governing an authentication method by automatically configuring the authentication method” is read in view of the specification, the limitation reads:
	“ … obviating manual selection of parameters on a client side program at development time, that governing an authentication method by automatically selecting the authentication method on a client side program during authentication …”

	This automatic selection is disclosed in, for example, Shah ¶¶ 43 and 48.  See also the discussion of automatic selection with respect to the interrogating/using steps:

interrogating the server-side software (“Using the S.sub.R interface 120, OpenID Functions (e.g., Discovery, Association, Assertion) may be invoked, an assurance level that is required by the RP 108 may be communicated from the RP 108 to the MFAS 102, and policies may be negotiated between the RP 108 and the MFAS 102.” Shah ¶ 48. “the MFAP 106 may negotiate a requirement with the MFAS 102 in accordance with local contextual conditions and/or locally maintained device capability information.” Shah ¶ 43) for authentication-method information associated with the authentication method; (“At 210, the MFAS 102 may obtain policies specified by the SP 108, from a service provider database 114 b for maintaining policy information related to a plurality of service providers. At 212, based on the obtained policies and user profile information, the MFAS 102 may provide an authentication factor or a list of authentication factors that can be executed to satisfy the required AL.” Shah ¶ 44)
using the authentication-method information to authenticate (“218, where the MFAS 102 selects the authentication factors that should be executed. In doing so, the MFAS 102 may obtain authentication capabilities from a device or user equipment (UE) database 114 c” Shah ¶ 44) the client-side program (Shah ¶ 49) for interaction with the server-side software; (Shah ¶ 44, the SP) and 

and used to authenticate the client-side program (the add-in 18), the authentication selection is done automatically, without selection (Applicant’s ¶ 35) by a programmer of the add-in 18 (Applicant’s ¶¶ 26 and 27).

Scope of claim 1 as compared to Shah
As previously cited, Shah discloses an automatic selection of authentication based on information obtained from a server:
interrogating the server-side software (“Using the S.sub.R interface 120, OpenID Functions (e.g., Discovery, Association, Assertion) may be invoked, an assurance level that is required by the RP 108 may be communicated from the RP 108 to the MFAS 102, and policies may be negotiated between the RP 108 and the MFAS 102.” Shah ¶ 48) for authentication-method information; (“At 210, the MFAS 102 may obtain policies specified by the SP 108, from a service provider database 114 b for maintaining policy information related to a plurality of service providers. At 212, based on the obtained policies and user profile information, the MFAS 102 may provide an authentication factor or a list of authentication factors that can be executed to satisfy the required AL.” Shah ¶ 44)
using the authentication-method information to authenticate (“218, where the MFAS 102 selects the authentication factors that should be executed. In doing so, the MFAS 102 may obtain authentication capabilities from a device or user equipment (UE) database 114 c” Shah ¶ 44) the client-side program (Shah ¶ 49) for interaction with the server-side software; (Shah ¶ 44, the SP).

Furthermore, none of the sections of Shah highlighted by Applicant (¶¶ 26, 3, 29, and 30) disclose “manual configuration”.  It is reasonable to assume that the service provider policies of Shah ¶¶ 29 and 30 are manually configured by a developer.  But the same assumption would apply in equal measure to Applicant’s analogous authentication method information. 

In summary, Applicant’s remarks are not persuasive because the amendment “obviating manual configuration of parameters governing an authentication method by automatically configuring the authentication method” is similar to the interrogation and using steps in the originally presented claim.  Also, Applicant’s particular arguments, that the policies of the service provider (or RP) are manually configured and incompatible with the amended claims is not persuasive as the argument is incompatible with Applicant’s disclosure.
Applicant’s remarks are not persuasive. 

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly 

Claims 1-23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 

Applicant has amended independent claims 1, 11, and 20 to require: “obviating manual configuration of parameters governing an authentication method by automatically configuring the authentication method;”
Applicant’s specification does not support the scope of this limitation.

Applicant’s specification describes “manual configuration” as being the input of software developers (Applicant’s ¶¶ 26-27) and “automatically configuring” as being obtaining authentication-method information from a web-service or API during an authentication (Applicant’s ¶¶ 40-41).  But the claim scope is not limited to the disclosed (Applicant’s ¶¶ 26, 27, 40, 41) embodiment and instead covers ALL configuration of authentication parameters at ALL times.  For example, Applicant’s remarks (filed 12/14/2021) allege that Shah’s disclosure of a service provider policy governing authentication factors required by a service provider (Shah ¶ 30) is incompatible with the claimed amendment of 12/04/2021. 
of the client; however, Applicant’s claim covers all developers of all software in the system, both client and server.  This scope resulting in Applicant’s remarks directed to the sever of Shah. 
Applicant’s specification does not provide written description support for “obviating manual configuration of parameters (in the server policy of Shah ¶ 30) governing an authentication method by automatically configuring the authentication method;”.  In other words, Applicant’s specification does not provide written description support for the expansive negative limitation of obviating ALL forms of developer specification of authentication parameters at ALL systems (e.g. client, authentication system, and server.) 
Claims 2-10, 12-19, and 21-23 are rejected based on their dependency on claims 1, 11, and 20, respectively. 

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-27 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
As to claims 1-23: 
Claims 1, 11, and 20 are ambiguous for multiple recitations of an “automatic configuration” limitation such that it appears that two automatic configurations are being performed.  Claims 1, 11, 20, and their respective dependents are indefinite for ambiguously describing the “automatic configuration”.

Independent claims 1, 11, and 20 require:
automatically configuring the authentication method
…
interrogating the server-side software for authentication-method information associated with the authentication method; 
using the authentication-method information to authenticate the client-side program for interaction with the server-side software;

Applicant’s specification ¶¶ 35 and 36 illustrate that the interrogating/using is the automatic configuration.  Thus, claims 1, 11, and 20 claim the same automatic configuration twice and in a manner that makes it appear that two automatic configurations are taking place.  
Claims 2-10, 12-19, and 21-23 are rejected based on their dependency on claims 1, 11, and 20, respectively. 

As to claims 24-27: Claim limitation “means for receiving”, “means for interrogating”, “means for using the authentication-method information”, and “means for enabling communications” invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Claims interpreted under 112(f) “means for” are interpreted to comprise, at least in part, physical elements.  However, the written description does not detail physical elements as the “means for”.  Rather, the specification in describing Figure 4, appears to describe these means as software means.  It is unclear what structure or material in the specification is used to perform the respective “means for” in claim 24.
 Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).

(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 11, 20 and 24 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Shah et al., US 2017/0374070 (filed 2016-01).
	(see below for unamended claim 24)	

A tangible processor-readable medium including instructions executable by one or more processors, and when executed operable for: (Shah ¶ 166)
obviating manual configuration of parameters governing an authentication method by automatically configuring the authentication method; (“Using the S.sub.R interface 120, OpenID Functions (e.g., Discovery, Association, Assertion) may be invoked, an assurance level that is required by the RP 108 may be communicated from the RP 108 to the MFAS 102, and policies may be negotiated between the RP 108 and the MFAS 102.” Shah ¶ 48. “the MFAP 106 may negotiate a requirement with the MFAS 102 in accordance with local contextual conditions and/or locally maintained device capability information.” Shah ¶ 43)
receiving a signal from a client-side program (“a browser 107 or applications 107 (which can collectively be referred to as browser/apps 107) of the user device 112 and the MFAP 106.” Shah ¶ 49) to communicate with server-side software; (“the user 110 requests to sign in to a service that is provided by the SP 108.” Shah ¶ 44)
interrogating the server-side software (“Using the S.sub.R interface 120, OpenID Functions (e.g., Discovery, Association, Assertion) may be invoked, an assurance level that is required by the RP 108 may be communicated from the RP 108 to the MFAS 102, and policies may be negotiated between the RP 108 and the MFAS 102.” Shah ¶ 48. “the MFAP 106 may negotiate a requirement with the MFAS 102 in accordance with local contextual conditions and/or locally maintained device capability information.” Shah ¶ 43) for authentication-method information associated with the authentication 
using the authentication-method information to authenticate (“218, where the MFAS 102 selects the authentication factors that should be executed. In doing so, the MFAS 102 may obtain authentication capabilities from a device or user equipment (UE) database 114 c” Shah ¶ 44) the client-side program (Shah ¶ 49) for interaction with the server-side software; (Shah ¶ 44, the SP) and 
enabling communications between the client-side program and the server-side software using an authentication method specified by the authentication-method information. (“At 228, in accordance with the illustrated example, the assurance level that is achieved by the authentications is sent to the SP 108 in an assertion.” Shah ¶ 46)

As to claim 24 Shah discloses a machine comprising:
Facilitating communications between a client-side program and a server-side software, the apparatus comprising: (Shah ¶ 166)
Means for receiving a signal from a client-side program (“a browser 107 or applications 107 (which can collectively be referred to as browser/apps 107) of the user device 112 and the MFAP 106.” Shah ¶ 49) to communicate with server-side software; 
Means for interrogating the server-side software (“Using the S.sub.R interface 120, OpenID Functions (e.g., Discovery, Association, Assertion) may be invoked, an assurance level that is required by the RP 108 may be communicated from the RP 108 to the MFAS 102, and policies may be negotiated between the RP 108 and the MFAS 102.” Shah ¶ 48. “the MFAP 106 may negotiate a requirement with the MFAS 102 in accordance with local contextual conditions and/or locally maintained device capability information.” Shah ¶ 43) for authentication-method information; (“At 210, the MFAS 102 may obtain policies specified by the SP 108, from a service provider database 114 b for maintaining policy information related to a plurality of service providers. At 212, based on the obtained policies and user profile information, the MFAS 102 may provide an authentication factor or a list of authentication factors that can be executed to satisfy the required AL.” Shah ¶ 44)
Means for using the authentication-method information to authenticate (“218, where the MFAS 102 selects the authentication factors that should be executed. In doing so, the MFAS 102 may obtain authentication capabilities from a device or user equipment (UE) database 114 c” Shah ¶ 44) the client-side program (Shah ¶ 49) for interaction with the server-side software; (Shah ¶ 44, the SP) and 
Means for enabling communications between the client-side program and the server-side software using an authentication method specified by the authentication-method information. (“At 228, in accordance with the illustrated example, the assurance 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-5 and 12-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shah et al., US 2017/0374070 (filed 2016-01), in view of Pinto et al., US 2014/0281909 (filed 2014-01).
As to claims 2, 12, Shah discloses the CRM/method of claims 1, 11 but does not disclose: wherein the server-side software includes a REpresentational State Transfer (REST) web service.

Pinto discloses:
wherein the server-side software includes a REpresentational State Transfer (REST) web service. (“The REST connector communicates with the REST server computer 36, which manages and stores the user preferences and other configuration information in a database 164.” Pinto ¶ 129.  “REST connectors enable web services data to be exposed in a collaboration. In response to receiving the above-noted information from the proxy connector participant, REST connectors generate and 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shah with Pinto by including REST services and connectors (as described in Pinto) in the service provider of Shah.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shah with Pinto in order to store user preference information and to enable collaboration among plural users (Pinto ¶¶ 129 and 209), thereby providing desired services to users of the system. 


As to claims 3, 13, Shah in view of Pinto discloses the CRM/method of claims 2, 12 but does not disclose: 
wherein the client-side program includes a spreadsheet program.

Pinto further discloses:
wherein the client-side program includes a spreadsheet program.
(“FIG. 26E shows a fourth software system 1036 d that includes MICROSOFT Excel 1020. An add-in is installed in MICROSOFT EXCEL. The add-in extends the functionality of Excel by defining a set of custom functions that permit share definitions and consume requests to be defined in cells of a spreadsheet. In addition, the custom 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Shah in view of Pinto with Pinto by including the Microsoft EXCEL application as the collaboration application.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine Shah in view of Pinto with Pinto in order to store user preference information and to enable collaboration among plural users (Pinto ¶¶ 129 and 209), thereby providing desired services to users of the system.

As to claims 4, 14, Shah in view of Pinto discloses the CRM/method of claims 3, 13 and further discloses: 
wherein the client-side program includes Microsoft Excel®. (“FIG. 26E shows a fourth software system 1036 d that includes MICROSOFT Excel 1020. An add-in is installed in MICROSOFT EXCEL. The add-in extends the functionality of Excel by defining a set of custom functions that permit share definitions and consume requests to be defined in cells of a spreadsheet. In addition, the custom functions enable a user to provide login credentials entered in the spreadsheet to the stateful data sharing service when the spreadsheet is opened.” Pinto ¶ 324)

As to claims 5, 15, Shah in view of Pinto discloses the CRM/method of claims 2, 11 but does not disclose: 


Pinto further discloses:
wherein steps of claim 1 are implemented using an add-in to the client-side program.
(“FIG. 26E shows a fourth software system 1036 d that includes MICROSOFT Excel 1020. An add-in is installed in MICROSOFT EXCEL. The add-in extends the functionality of Excel by defining a set of custom functions that permit share definitions and consume requests to be defined in cells of a spreadsheet. In addition, the custom functions enable a user to provide login credentials entered in the spreadsheet to the stateful data sharing service when the spreadsheet is opened.” Pinto ¶ 324)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Shah in view of Pinto with Pinto by including the Microsoft EXCEL application as the collaboration application.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine Shah in view of Pinto with Pinto in order to store user preference information and to enable collaboration among plural users (Pinto ¶¶ 324 and 209), thereby providing desired services to users of the system.


Claims 6, 8-10, 16, 18-19, 21-23, and 25-27 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shah et al., US 2017/0374070 (filed 2016-01), in view of Pinto et al., US 2014/0281909 (filed 2014-01), and Shah et al., US 2016/0087957 (filed 2014-04), hereafter referred to as Shah2.
As to claims 6, 16 Shah in view of Pinto discloses the CRM/method of claims 5, 15 but does not disclose: 
Wherein the authentication method includes use of a JSON Web Token (JWT).

Shah2 discloses:
Wherein the authentication method includes use of a JSON Web Token (JWT).
(“the OP entity is part of the MFAS system, also referred to as the OP Service function (OPSF)…. After the successful execution of a multi-factor authentication policy, the MFAS may hand control to the OPSF entity, which then uses the aforementioned shared key to sign an OpenID assertion. The assertion may have different formats, such as a string of characters or a JSON Web token for example, according to standard specifications.” Shah2 ¶ 126)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shah in view of Pinto with Shah2 by utilizing a JSON Web token to deliver assertions of entitlement following authentication.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shah in view of Pinto with Shah2 in order to deliver the results of the authentication to the client using a known data standard, thereby easing 

As to claims 8, 18, 21, 25, Shah in view of Pinto discloses the CRM/method/machine of claims 3, 13, 20, 24 but does not disclose: 
further including instructions executable by the one or more processors and when executed operable for selecting a User Interface (UI) display screen in accordance with the authentication method. 

Shah2 discloses:
further including instructions executable by the one or more processors and when executed operable for selecting a User Interface (UI) display screen in accordance with the authentication method. 
(different UIs for different user authentication factors: “At 2934, the MFAS 2916 may trigger the password authentication by sending an HTTP message to the user 2902 that prompts the user to enter a password.” Shah2 ¶ 243. “At 2964, the MFAS 2916 triggers the biometric authentication by sending an HTTPS message to the browser 2910. At 2966, the browser 2910 invokes the local bio-key client 2904 such that the client 2904 prompts the user 2902 to have her fingerprint scanned.” Shah2 ¶ 245)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shah in view of Pinto with Shah2 by providing authentication user interface prompts to obtain user authentication factors that are 

As to claims 9, 22, 26 Shah in view of Pinto and Shah2 discloses the CRM/machine/machine of claims 8, 21, 25 and further discloses: 
further including instructions executable by the one or more processors and when executed operable for using the UI display screen to collect one or more credentials from a user. (different UIs for different user authentication factors: “At 2934, the MFAS 2916 may trigger the password authentication by sending an HTTP message to the user 2902 that prompts the user to enter a password.” Shah2 ¶ 243. “At 2964, the MFAS 2916 triggers the biometric authentication by sending an HTTPS message to the browser 2910. At 2966, the browser 2910 invokes the local bio-key client 2904 such that the client 2904 prompts the user 2902 to have her fingerprint scanned.” Shah2 ¶ 245)

As to claims 10, 23, 27 Shah in view of Pinto and Shah2 discloses the CRM/machine/machine of claims 9, 22, 26 and further discloses: 
further including instructions executable by the one or more processors and when executed operable for employing the credentials to facilitate authenticating the user (authenticating a user: “224, where the local and/or network-based authentications are performed.” Shah ¶ 45. “MFAP 106 may perform a user password authentication without a separate user authentication application.” Shah ¶ 49) and client-side program 

As to claim 19, Shah in view of Pinto and Shah2 discloses the method of claim 18 and further discloses: 
using the UI display screen to collect one or more credentials from a user; (different UIs for different user authentication factors: “At 2934, the MFAS 2916 may trigger the password authentication by sending an HTTP message to the user 2902 that prompts the user to enter a password.” Shah2 ¶ 243. “At 2964, the MFAS 2916 triggers the biometric authentication by sending an HTTPS message to the browser 2910. At 2966, the browser 2910 invokes the local bio-key client 2904 such that the client 2904 prompts the user 2902 to have her fingerprint scanned.” Shah2 ¶ 245) and employing the credentials to facilitate authenticating the user (authenticating a user: “224, where the local and/or network-based authentications are performed.” Shah ¶ 45. “MFAP 106 may perform a user password authentication without a separate user authentication application.” Shah ¶ 49) and client-side program (Applicant’s specification ¶ 62 as filed: “Note that upon verification of valid authentication credentials 144, the user has   


Claims 7 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shah et al., US 2017/0374070 (filed 2016-01), in view of Pinto et al., US 2014/0281909 (filed 2014-01), and Platt et al., US 2009/0249440 (filed 2009-03).
As to claims 7, 17, Shah in view of Pinto discloses the CRM/method of claims 5, 15 but does not disclose: 
Wherein the authentication method includes basic access authentication (BASIC). 

Platt discloses:
Wherein the authentication method includes basic access authentication (BASIC). 
(“In the context of HTTP basic, authentication may be carried out by setting an authorization header in the Http requests sent to the server. The header may include the username and password in a base 64 encoded format. In many implementations, the same information is sent via the header each time, so it isn't necessary to reset this 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shah in view of Pinto with Platt by utilizing an HTTP Basic authentication mechanism to authenticate the user.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shah in view of Pinto with Platt in order to utilize a known password authentication mechanism, thereby easing interfacing between the components and allowing the re-use of proven software function which ease integration, maintenance, and programming burden. 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Huang, US 11,206,253 discloses authentication passthrough in a hybrid cloud environment.
Stachura, US 2021/0397420, discloses a manual configuration of authentication parameters using a GUI.
Levy et al., US 2021/0326467, discloses a dynamic authentication system that adjust s required factors based on an assessed user’s risk. 
. 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-





/MICHAEL W CHAO/Examiner, Art Unit 2492