DETAILED ACTION

This non-final office action is in response to claim 1-20 filed November 19, 2020 for examination. Claims 1-20 are being examined and are pending. 
Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Information Disclosure Statement

The information disclosure statements filed 11/19/2020 has been placed in the application file and the information referred to therein has been considered as to the merits. 
Drawings

The drawings filed on 11/19/2020 have been accepted.
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim either is anticipated by, or would have been obvious over, the reference claim. See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claim 1-20 are rejected on the ground of non-statutory obviousness-type double patenting rejection as being unpatentable over claims 1-12 of US Patent # 10,846,389 B2 (S/N # 15/654,096). Although the conflicting claims are not identical, they are not patentably distinct from each other because the referenced patents and the instant application are claiming common subject matter, as follows:
Instant Application
(# 16/952,638)
US Patent # 10,846,389 B2
(15/654,096)
1. A method for providing an enhanced authentication process with risk-based decision making for accessing protected services, the method comprising: 
capturing attributes pertaining to a user and/or a user device; 

determining a risk of data security based on the attributes pertaining to the user and/or the user device; 










when the risk is unacceptable, requiring additional authentication for access to the protected services; and 

when the risk is acceptable, granting access to the protected services without requiring additional authentication, wherein the capturing the attributes pertaining to the user and/or the user device comprises: 


performing an authorization call to an application requesting access to the protected services; 

bundling the attributes and the request to access the protected services into an authentication request object.

capturing, by the authorization server, attributes pertaining to a user and/or a user device; 
determining, by the authorization server, a risk of data security based on the attributes pertaining to the user and/or the user device; granting, by the authorization server, access to the protected services when the risk of data 
when the refreshed risk determination is unacceptable, requiring, by the authorization server, additional authentication for continued access to the protected services; and 
when the refreshed risk determination is acceptable, continuing, by the authorization server, access to the protected services without requiring additional authentication, wherein the capturing, by the authorization server, the attributes pertaining to the user and/or the user device comprises: 
performing an authorization call to an application issuing a request to access the protected services; 

bundling the attributes and the request to access the protected services into an authentication request object.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

Claims 1-3, 7-12, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0109509 A1 to Baghdasaryan et al. (“Baghdasarayan”) in view of US 2015/0106888 A1 to Cheng et al. (“Cheng”).
Regarding claim 1, Baghdasarayan disclosed a method for providing an enhanced authentication process with risk-based decision making for accessing protected services, the method comprising: 
capturing attributes pertaining to a user and/or a user device; (See ¶0053: current parameters 406 are collected from the client device 400; See further in ¶0048, ¶0051)
determining a risk of data security based on the attributes pertaining to the user and/or the user device; (Para.0052-0053. Determining risk level based on current parameters and historical parameters. The parameters collected and evaluated to determine the risk level 407 may include the identity of each user and a variety of data related to the authenticators 420- 421 registered at the authentication server including, for example, the authentication attestation IDs (AAIDs) which uniquely identify the types of authentication device(s) registered; the Key IDs associated with the keys exchanged during authenticator registration (and stored in secure storage 425 on the client and the authentication server); cryptographic key data used for validating cryptographic signatures generated with the keys; a signature counter indicating the number of times signatures have been generated with the keys; and the authenticator version indicating the version of each of the authenticators. In addition, the parameters used to determine the risk level may include metadata associated with each of the authenticators such as the AAID (mentioned above), the authenticator vendor, the authenticator type (e.g., indicating if the authenticator is internal or external to the client), the authentication factor (e.g., fingerprint, voiceprint, presence, etc), and the key protection method (e.g., Trusted Execution Environment, Secure Elements, etc).))
when the risk is unacceptable, requiring additional authentication for access to the protected services; (Para. 0054: In general, the greater the risk level 407 (e.g., the greater the distance from parameters indicating "normal" behavior), the more rigorous the authentication. For example, in one embodiment, if the risk level is above a specified threshold (i.e. risk is unacceptable), then the authentication server 450 may require authentication using one or more explicit user authentication devices 420-421.) and
when the risk is acceptable, granting access to the protected services without requiring additional authentication, (Para.0054. In contrast, for a risk level below a specified threshold (i.e. the risk is acceptable), then non-intrusive authentication techniques 405 may be sufficient. See ¶0051, ¶0112: If the parameters are within the selected thresholds, then at 506 the interaction is considered to be a normal activity and less rigorous (or no) authentication may be used (e.g., non-intrusive authentication such as described above).)
Baghdasarayan did not but the analogous art Cheng disclosed wherein the capturing the attributes pertaining to the user and/or the user device comprises: performing an authorization call to an application requesting access to the protected services; gathering the attributes while Cheng, ¶0025: Users of clients 110, 112, and 114 may utilize clients 110, 112, and 114 to request and gain access to protected resource 116, which is protected by server 104 and/or server 106. ¶0027: Clients 110, 112, and 114 may utilize biometric measuring devices 118, 120, and 122 to capture and record biometric data (i.e. gathering attributes) corresponding to users of clients 110, 112, and 114. Clients 110, 112, and 114 may send the captured biometric data to server 104 or server 106 for user authentication prior to server 104 or server 106 allowing access to protected resource 116. ¶0028: In addition, clients 110, 112, and 114 include context information 124, 126, and 128, respectively. Context information 124, 126, and 128 may be, for example, unique device identifiers and geographic location data (i.e. attributes) regarding clients 110, 112, and 114. Clients 110, 112, and 114 may send context information 124, 126, and 128 to server 104 or server 106 for determining a context of an access request to protected resource 116 prior to allowing access to protected resource 116. ¶0029: Protected resource 116 represents a set of one or more different protected resources A protected resource may be, for example, a network, a document, a software application, or a hardware device in network data processing system 100 that has restricted access to only authorized users. ¶0048: the context information included in a particular access request may include an identification of the client device requesting access to a particular protected resource and a geographic location of the client device at the time of the access request.)
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Baghdasaryan by including the idea of capturing the attributes pertaining to the user and/or the user device comprises: performing an authorization call to an application requesting access to the protected services; gathering the 
Claims 9 and 16 recite similar limitations to claim 1, mutatis mutandis, the subject matter of claims 9 and 16, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 2, The method of claim 1, further comprising: when the risk of data security is acceptable, refreshing access to protected services without requiring additional authentication (Para.0056. If the authentication is successful, then the current parameters may be added as historical parameters associated with successful authentications (thereby decreasing the “riskiness” associated with these parameters) as refreshing access to protected services).
Claims 11 and 17 recite similar limitations to claim 2, mutatis mutandis, the subject matter of claims 11 and 17, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 3, Baghdasaryan further taught the method of claim 1, further comprising: when the risk of data security is unacceptable, requiring the user to provide one or more of a password and biometric data (Para.0048, 0112. Password and biometric).
Claims 12 and 18 recite similar limitations to claim 3, mutatis mutandis, the subject matter of claims 12 and 18, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 7, Baghdasaryan further taught the method of claim 1, further comprising: storing the attributes pertaining to the user and/or user device at an authorization database configured to store unique attributes for a plurality of users and/or user devices (Para. 0034, 0048, 0051).
Claim 10 recites similar limitations to claim 7, mutatis mutandis, the subject matter of claim 7, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 8, Baghdasaryan further taught the method of claim 1, wherein the attributes pertaining to the user and/or user device comprise one or more of: a cryptographic key, geographic location, time of day, day of week, device hygiene, a user usage pattern, a swipe pattern for touch sensitive displays, malware detection, jailbreak/root detection, debugger mode detection, location reading, accelerometer readings, gyroscope readings, compass readings, user device navigation patterns, application tamper detection, a user device identifier, user device hardware details, user device certificate, user device software details, an International Mobile Station Equipment Identifier (IMEI), a Personal Identification Number (PIN), a password, user biometric data, a device token, a Service Set Identifier (SSID), network proxy detection, device power state, and Virtual Private Network (VPN) detection. (Baghdasaryan, Para. 0025).
Claims 4-6, 13-15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Baghdasaryan in view of Cheng and further in view of US 2014/0230020 to Mogaki et al. (“Mogaki”).
Regarding claim 4, Baghdasaryan -Cheng combination taught the method of claim 1, the combination did not but the analogous art Mogaki taught further comprising: providing an access token to the user device upon the granting access to the protected services ([0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time ([0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention combined of Baghdasaryan and Cheng by including the idea of providing an access token to the user device upon the granting access to the protected services, wherein the access token expires after a predetermined period of time as taught by Mogaki so that even when authentication information of a client and update authorization information have leaked, authentication information can be prevented from being illicitly re-issued (Mogaki, ¶0013).
Claim 13 recites similar limitations to claim 4, mutatis mutandis, the subject matter of claim 13, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 5, Baghdasaryan -Cheng-Mogaki combination further taught the method of claim 4, further comprising determining an updated risk of data security after a time expiration of the access token. (Mogaki, ([0122] If the access token is registered but it falls outside the valid period, the access management service system 104 returns an access token invalid message as a response. [0128] In step S1209, upon reception of the access token invalid message, the external service system 103 requests the access management service system 104 to execute refresh processing.))
Claim 14 recites similar limitations to claim 5, mutatis mutandis, the subject matter of claim 14, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 6, Baghdasaryan -Cheng-Mogaki combination further taught the method of claim 4, further comprising determining an updated risk of data security prior to a time expiration of the access token (Mogaki, Para.0122 determining the validity of token as an updated risk prior to expiry of the token’s valid period.).
Claim 15 recites similar limitations to claim 6, mutatis mutandis, the subject matter of claim 15, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 19, Baghdasaryan -Cheng-Mogaki combination further taught the non-transitory computer readable storage device of claim 16, further comprising computer executable instructions for: providing an access token to the user device upon the granting access to the protected services (Mogaki, [0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time (Mogaki, [0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084); and determining an updated risk of data security after a time expiration of the access token (Mogaki, ([0122] If the access token is registered but it falls outside the valid period, the access management service system 104 returns an access token invalid message as a response. [0128] In step S1209, upon reception of the access token invalid message, the external service system 103 requests the access management service system 104 to execute refresh processing.).
Regarding claim 20, Baghdasaryan -Cheng-Mogaki combination further taught the non-transitory computer readable storage device of claim 16, further comprising computer executable instructions for: providing an access token to the user device upon the granting access to the protected services ( Mogaki, [0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time (Mogaki, [0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084); and determining an updated risk of data security prior to a time expiration of the access token (Mogaki, Para.0122 determining the validity of token as an updated risk prior to expiry of the token’s valid period.).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2016/0307196 A1 (Achhra er al.) [0027] The access token (43) can be configured to provide limited access to the mobile data (47) without the mobile credential (45). For example, the access token (43) can be configured to expire within a predetermined period of time, and/or a predetermined number of uses. For example, the access token (43) can be configured to allow access to a predetermined subset of the mobile data (47). For example, the access token (43) can 
US 10,614,452 B2 (Tomasofsky et al.) Each column of the table represents a particular aspect or characteristic associated with the transaction, the privileged cardholder, or the payment card account (referred to herein as a “transaction aspects”). Each cell within the table may be configured with a threshold level, and each cell may also be associated with a corresponding transaction risk level (e.g., transaction risk level 850). Based on the determined transaction risk level 850, if one or more of the threshold levels is exceeded, RBD module 750 will recommend an additional authentication of the suspect consumer (e.g., 3DS step-up authentication). 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAWNCHOY RAHMAN whose telephone number is (571)270-7471. The examiner can normally be reached Monday - Friday 8:30A-5P ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Shawnchoy Rahman/Primary Examiner, Art Unit 2438