DETAILED ACTION
Claims 1-20 are presented on 11/03/2020 for examination on the merits.  Claims 1 and 14 are independent base claims.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-4, 6-8, 10-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Amin (US 11240255 B1) in view of Roundy (US 9652597 B2), and further in view of Farmer, III (US 10609070 B1; hereinafter “Farmer”).

As per claim 1, Amin teaches a computer-implemented method performed by an authentication system and comprising: 
associating, by the authentication system during a device enrollment process, authentication credentials and first device metadata with a first client device for authenticating access requests (Amin, col. 5, lines 20-26 and lines 66-67: generate a browser fingerprint for a browser application (e.g., a web browser) on the client device …for a user in a pre-authenticated state, which is an enrollment process; receiving a request to access a first online financial application from a client device; col. 1, lines 50-56); 
responsive to an access request associated with a second client device impersonating the first client device, obtaining an authentication token generated using the authentication credentials and second device metadata describing one or more infrequently changing characteristics of the second client device (Amin, col. 1, lines 51-54: a request to access; par. 0052-0060: a request to access … a second online financial application to the user; note here that the browser fingerprint for a browser application on the second client is metadata describing the characteristics of the second financial application on client device. In Amin, the login credential is an authentication token; col. 1, lines 62-67 and col. 2, lines 20-23); 
However, Amin does not explicitly disclose comparing the first fingerprint/device metadata to the second fingerprint/device metadata in order to detect device metadata anomalies.  This aspect of the claim is identified as a difference.
In a related art, Roundy teaches:
comparing the first device metadata to the second device metadata in order to detect device metadata anomalies (Roundy, col. 10, lines 39-52 and col. 18, lines 40-47: the machine learning classifier identifies the message metadata field; comparing based on the likelihood); 
determining a risk level for the second client device based on the comparison, the risk level indicating a likelihood that the second client device is not the first client device (Roundy, col. 10, lines 35-48: threat identification module 114 may include a machine-learning-based or rule-based classification that identifies information leakage threats based on a number of factors in addition to the information leakage threat rating; providing the message metadata as input to the machine learning classifier; col 10, lines 44-52); and 
denying the access request based on the risk level (Roundy, col. 11, lines 9-16: take action to prevent; col. 11, lines 6-8: initiate one or more security actions based on the degree and type of threat identified).
Amin and Roundy are analogous art, because they are in a similar field of endeavor in improving user authentication.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Roundy to modify Amin’s system to store and compare metadata or browser fingerprints to assess the level of risk. For this combination, the motivation would have been to improve the level of security with improved risk-assessment techniques.
However, Amin’s association is between the authentication credentials and the metadata of the application that runs on the client device.  Farmer clarifies that:
associating authentication credentials and first device metadata with a first client device for authenticating access requests (Farmer, col. 2, lines 60-67: associating login credentials with a specific end-point. By doing so, valid user login credentials are not recognized when not used on a device authorized to use those credentials. By creating that association in a secure manner, the protection of confidential information becomes more complete and the leakage or theft of data such as usernames and passwords becomes less critical. Additionally, creating this hard association makes hacking tools such as password crackers and rainbow tables significantly less effective since the possession of a valid username/password is no longer sufficient for bad actors to access assets using this two-factor authentication model).
Farmer is analogous art in a similar field of endeavor in improving user authentication.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Amin-Roundy system with a hard association between user authentication credentials and device metadata. For this combination, the motivation would have been to improve the level of security by making hacking tools such as password crackers and rainbow tables significantly less effective.

As per claim 2, the references as combined above teach the computer-implemented method of claim 1, further comprising: 
responsive to an additional access request associated with the first client device, obtaining an additional authentication token generated using the authentication credentials and third device metadata describing the one or more infrequently changing characteristics of the first client device (Amin, col. 3, lines 20-28: when the same user requests access … retrieve details about the user from the user's profile); 
comparing the first device metadata to the third device metadata in order to detect device metadata anomalies (Amin, col. 7, line 65 – col. 8, line 15: comparing: if the unauthenticated user (411) has previously requested access to the online tax application… generated a browser fingerprint (FP) for the browser on the user's client device, e.g., using a browser fingerprinting algorithm.); 
determining a risk level for the first client device based on the comparison, the risk level indicating a likelihood that the first client device is the first client device (Amin, col. 3, lines 14-21: requests access to the online financial application through a browser (e.g., a web browser) on a client device (e.g., a smartphone, tablet, laptop, desktop, etc.); col. 7, line 65 – col. 8, line 15: If the user (411) has previously requested access to the online tax application); and 
authorizing the additional access request based on the risk level (Amin, col. 8, lines 30-39: gains access to the online tax application (402). Note that given the FP generated previously, there is no risk to allow the access).

As per claim 3, the references as combined above teach the computer-implemented method of claim 1, wherein determining the risk level comprises: 
identifying, based on the comparison, one or more device metadata anomalies corresponding to a discrepancy between a device metadata value in the first device metadata and a device metadata value in the second device metadata (Roundy, col. 10, lines 35-44: rule-based classification that identifies information leakage threats based on a number of factors in addition to the information leakage threat rating and/or discrepancy); and 
determining the risk level using the one or more device metadata anomalies (Roundy, col. 9, lines 56-61: A risk score … may be assigned by a data loss prevention system).

As per claim 4, the references as combined above teach the computer-implemented method of claim 3, wherein determining the risk level further comprises: 
determining the risk level using a set of rules, the set of rules indicating a contribution to the risk level for each of the one or more identified device metadata anomalies (Roundy, col. 10, lines 35-44: rule-based classification that identifies information leakage threats based on a number of factors).

As per claim 6, the references as combined above teach the computer-implemented method of claim 1, wherein the first or second device metadata include one or more device metadata values selected from the group comprising: 
an operating system (OS) version, screen size, processor count, model, manufacturer, serial number, international mobile equipment identity (IMEI), cellular radio type, subscriber identity module (SIM) card identifier, disk capacity, physical memory capacity, or user interface type (Farmer, col. 6, lines 8-19: the authorization client 103 collects one or more unique physical attributes from a device or a set of random seeds previously provisioned by the central authority, such as Model Number, Motherboard Serial Number, Media Access Control (MAC) Address, Video Card Serial Number, 48-bit or 64-bit Extended Unit Identifier (EUI-48/EUI-64), Wi-Fi Media Access Control (MAC), International Mobile Equipment Identity (IMEI), or Mobile Equipment Identifier (MEID)).

As per claim 7, the references as combined above teach the computer-implemented method of claim 1, wherein the authentication token includes the second device metadata, and the second client device generates the authentication token at least in part by signing the second device metadata using an authentication key included in the authentication credentials (Farmer, col. 7, lines 19-40: Request Additional Device Pairing is an action by the user to initiate the pairing 503; Generate One-time Key is an action by the provisioning system … to provision the devices … [by entering] the single-use key 505; the service validates the one-time use key 507).

As per claim 8, the references as combined above teach the computer-implemented method of claim 1, wherein the authentication token is a multi-factor authentication (MFA) token provided as an MFA factor to the authentication system (Farmer, col. 5, lines 3-24: two-factor authentication; password; see also col. 2, lines 62-67 for user login credentials … using this two-factor authentication model).

As per claim 10, the references as combined above teach the computer-implemented method of claim 1, wherein the second client device is a malicious client device that obtained a cloned copy of the authentication credentials (Farmer, col. 2, lines 60-67: password crackers, which obviously allows a malicious client device to obtain a cloned copy of the authentication credentials, such as a password copy).
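As an added illustration of the mechanism recited in claims 1, 3, 4, 7 and 10 above (example code written for this page, not code from the application or from Amin, Roundy or Farmer): the client signs its infrequently changing device metadata with the enrolled authentication key, the authentication system verifies the signature, compares the enrolled metadata to the presented metadata field by field, scores each discrepancy with a rule table, and denies the request above a threshold. The HMAC construction, the rule weights, the threshold and all device values are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed rule table (claim 4): contribution each anomaly adds to the risk level.
# Fields are the infrequently changing characteristics listed in claim 6.
RISK_CONTRIBUTION = {
    "os_version": 1,        # OS updates are routine on the same device
    "screen_size": 2,
    "processor_count": 3,
    "model": 5,
    "manufacturer": 5,
    "serial_number": 8,
    "imei": 8,
}
DENY_THRESHOLD = 8          # assumption: risk at or above this denies the request


def canonical(metadata: dict) -> bytes:
    """Canonical JSON so client and server MAC over identical bytes."""
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()


def make_token(auth_key: bytes, metadata: dict) -> dict:
    """Client side (claim 7): the token carries the device metadata and a MAC
    over it computed with the authentication key from the credentials."""
    mac = hmac.new(auth_key, canonical(metadata), hashlib.sha256).hexdigest()
    return {"metadata": metadata, "mac": mac}


def detect_anomalies(enrolled: dict, presented: dict) -> list:
    """Claim 3: an anomaly is a discrepancy between the enrolled value and the
    presented value of the same metadata field."""
    fields = set(enrolled) | set(presented)
    return sorted(f for f in fields if enrolled.get(f) != presented.get(f))


def risk_level(anomalies: list) -> int:
    """Claim 4: sum the rule-table contribution of every identified anomaly;
    fields without a rule get a small default weight (assumption)."""
    return sum(RISK_CONTRIBUTION.get(a, 2) for a in anomalies)


def evaluate_access(enrollment: dict, token: dict) -> dict:
    """Authentication-system side: reject a forged token first, then compare
    metadata and decide on the risk level (claim 1)."""
    expected = hmac.new(enrollment["auth_key"], canonical(token["metadata"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return {"decision": "deny", "reason": "bad_signature",
                "risk": None, "anomalies": []}
    anomalies = detect_anomalies(enrollment["metadata"], token["metadata"])
    risk = risk_level(anomalies)
    decision = "deny" if risk >= DENY_THRESHOLD else "allow"
    return {"decision": decision, "reason": "risk",
            "risk": risk, "anomalies": anomalies}


# Constructed sample data: the enrolled first client device and its key.
AUTH_KEY = b"constructed-shared-secret-for-demo"   # random key in practice
ENROLLED_DEVICE = {
    "os_version": "14.1", "screen_size": "1170x2532", "processor_count": 6,
    "model": "PhoneX", "manufacturer": "Acme",
    "serial_number": "SN-0001", "imei": "IMEI-0001",
}
ENROLLMENT = {"auth_key": AUTH_KEY, "metadata": ENROLLED_DEVICE}


def demo() -> tuple:
    # Same device after an OS update: one low-weight anomaly, still allowed.
    upgraded = dict(ENROLLED_DEVICE, os_version="14.2")
    legit = evaluate_access(ENROLLMENT, make_token(AUTH_KEY, upgraded))
    # Claim 10: a second device holding a cloned copy of the credentials.
    # The MAC verifies, but the hardware identifiers do not match enrollment.
    clone_hw = dict(ENROLLED_DEVICE, model="Laptop9", manufacturer="Other",
                    serial_number="SN-9999", imei="IMEI-9999")
    cloned = evaluate_access(ENROLLMENT, make_token(AUTH_KEY, clone_hw))
    # A token produced without the enrolled key fails before any comparison.
    forged = evaluate_access(ENROLLMENT, make_token(b"wrong-key", ENROLLED_DEVICE))
    return legit, cloned, forged


if __name__ == "__main__":
    for result in demo():
        print(result)
```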

As per claim 11, the references as combined above teach the computer-implemented method of claim 1, further comprising: 
responsive to an additional access request associated with the first client device, obtaining an additional authentication token generated using the authentication credentials and additional device metadata describing one or more infrequently changing characteristics of the first client device (Amin, col. 2, lines 5-28: the login credentials and the additional internal user data); 
responsive to successfully authenticating the additional access request based on the additional authentication token, authorizing the additional access request (Amin, col. 7, lines 40-46: the personalized view (301) might be presented to an unauthenticated user, e.g., in operation 204 in FIG. 2A, in operation 224 in FIG. 2C, or in operation 234 in FIG. 2D. Additionally or alternatively, the personalized view (301) might be presented to an authenticated user, e.g., in operation 216 in FIG. 2B.); and 
updating, by the authentication system, the first device metadata associated with the first client device during enrollment (Amin, col. 7, lines 55-58: tell the user that “the October 17 deadline to file has passed” and ask the user if he/she would like to complete “a 2015 return”).

As per claim 12, the references as combined above teach the computer-implemented method of claim 1, wherein the risk level is determined by a machine-learned risk level model that receives as input the first and second device metadata (Farmer, col. 7, lines 37-60: a record for this entry with appropriate metadata 413).

As per claim 13, the references as combined above teach the computer-implemented method of claim 1, wherein the first and second device metadata is determined by a system call to a respective operating system of the first and second client devices (Farmer, col. 7, lines 14-48: generates a record for this entry with appropriate metadata 413…including a one-time key or a single-use code).

As per claim 14, Amin teaches a non-transitory computer-readable storage medium comprising executable instructions that when executed by a computer processor perform actions comprising: 
associating, by the authentication system during a device enrollment process, authentication credentials and first device metadata with a first client device for authenticating access requests (Amin, col. 5, lines 20-26 and lines 66-67: generate a browser fingerprint for a browser application (e.g., a web browser), which runs on the client device …for a user in a pre-authenticated state. The pre-authenticated state means the device is in an enrollment process; receiving a request to access a first online financial application from a client device; col. 1, lines 50-56); 
responsive to an access request associated with a second client device impersonating the first client device, obtaining an authentication token generated using the authentication credentials and second device metadata describing one or more infrequently changing characteristics of the second client device (Amin, col. 1, lines 51-54: a request to access; par. 0052-0060: a request to access … a second online financial application to the user; note here that the browser fingerprint for a browser application on the second client is metadata describing the characteristics of the second financial application on client device. In Amin, the login credential is an authentication token; col. 1, lines 62-67 and col. 2, lines 20-23); 
However, Amin does not explicitly disclose comparing the first fingerprint/device metadata to the second fingerprint/device metadata in order to detect device metadata anomalies.  This aspect of the claim is identified as a difference.
In a related art, Roundy teaches:
 comparing the first device metadata to the second device metadata in order to detect device metadata anomalies (Roundy, col. 10, lines 39-52 and col. 18, lines 40-47: comparing the message metadata fields.  In Roundy, the machine learning classifier identifies the message metadata field; Roundy’s comparing is based on the likelihood for detecting an information leakage threat; col. 5, lines 12-33); 
determining a risk level for the second client device based on the comparison, the risk level indicating a likelihood that the second client device is not the first client device (Roundy, col. 10, lines 35-48: threat identification module 114 may include a machine-learning-based or rule-based classification that identifies information leakage threats based on a number of factors in addition to the information leakage threat rating; providing the message metadata as input to the machine learning classifier; col 10, lines 44-52); and 
denying the access request based on the risk level (Roundy, col. 11, lines 9-16: take action to prevent; col. 11, lines 6-8: initiate one or more security actions based on the degree and type of threat identified).
Amin and Roundy are analogous art, because they are in a similar field of endeavor in improving user authentication.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Roundy to modify Amin’s system to store and compare metadata or browser fingerprints to assess the level of risk. For this combination, the motivation would have been to improve the level of security with improved risk-assessment techniques.
However, Amin’s association is between the authentication credentials and the metadata of the application that runs on the client device.  Farmer clarifies that:
associating authentication credentials and first device metadata with a first client device for authenticating access requests (Farmer, col. 2, lines 60-67: associating login credentials with a specific end-point. By doing so, valid user login credentials are not recognized when not used on a device authorized to use those credentials).
Farmer is analogous art in a similar field of endeavor in improving user authentication.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the Amin-Roundy system with a hard association between user authentication credentials and device metadata. For this combination, the motivation would have been to improve the level of security by making hacking tools such as password crackers and rainbow tables significantly less effective.

As per claim 15, the references as combined above teach the computer-readable storage medium of claim 14, wherein the executable instructions when executed by the processor further cause the processor to perform actions comprising: 
responsive to an additional access request associated with the first client device, obtaining an additional authentication token generated using the authentication credentials and third device metadata describing the one or more infrequently changing characteristics of the first client device (Amin, col. 3, lines 20-28: when the same user requests access … retrieve details about the user from the user's profile); 
comparing the first device metadata to the third device metadata in order to detect device metadata anomalies (Amin, col. 7, line 65 – col. 8, line 15: comparing: if the unauthenticated user (411) has previously requested access to the online tax application… generated a browser fingerprint (FP) for the browser on the user's client device, e.g., using a browser fingerprinting algorithm.); 
determining a risk level for the first client device based on the comparison, the risk level indicating a likelihood that the first client device is the first client device (Amin, col. 3, lines 14-21: requests access to the online financial application through a browser (e.g., a web browser) on a client device (e.g., a smartphone, tablet, laptop, desktop, etc.); col. 7, line 65 – col. 8, line 15: If the user (411) has previously requested access to the online tax application); and 
authorizing the additional access request based on the risk level (Amin, col. 8, lines 30-39: gains access to the online tax application (402). Note that given the FP generated previously, there is no risk to allow the access).

As per claim 16, the references as combined above teach the computer-readable storage medium of claim 14, wherein determining the risk level comprises: 
identifying, based on the comparison, one or more device metadata anomalies corresponding to a discrepancy between a device metadata value in the first device metadata and a device metadata value in the second device metadata (Roundy, col. 10, lines 35-44: rule-based classification that identifies information leakage threats based on a number of factors in addition to the information leakage threat rating and/or discrepancy); and 
determining the risk level using the one or more device metadata anomalies (Roundy, col. 9, lines 56-61: A risk score … may be assigned by a data loss prevention system).

As per claim 17, the references as combined above teach the computer-readable storage medium of claim 16, wherein determining the risk level further comprises: determining the risk level using a set of rules, the set of rules indicating a contribution to the risk level for each of the one or more identified device metadata anomalies (Roundy, col. 10, lines 35-44: rule-based classification that identifies information leakage threats based on a number of factors).

As per claim 19, the references as combined above teach the computer-readable storage medium of claim 14, wherein the first or second device metadata include one or more device metadata values selected from the group comprising: an operating system (OS) version, screen size, processor count, model, manufacturer, serial number, international mobile equipment identity (IMEI), cellular radio type, subscriber identity module (SIM) card identifier, disk capacity, physical memory capacity, or user interface type (Farmer, col. 6, lines 8-19: the authorization client 103 collects one or more unique physical attributes from a device or a set of random seeds previously provisioned by the central authority, such as Model Number, Motherboard Serial Number, Media Access Control (MAC) Address, Video Card Serial Number, 48-bit or 64-bit Extended Unit Identifier (EUI-48/EUI-64), Wi-Fi Media Access Control (MAC), International Mobile Equipment Identity (IMEI), or Mobile Equipment Identifier (MEID)).

As per claim 20, the references as combined above teach the computer-readable storage medium of claim 14, wherein the authentication token includes the second device metadata, and the second client device generates the authentication token at least in part by signing the second device metadata using an authentication key included in the authentication credentials (Farmer, col. 7, lines 19-40: Request Additional Device Pairing is an action by the user to initiate the pairing 503; Generate One-time Key is an action by the provisioning system … to provision the devices … [by entering] the single-use key 505; the service validates the one-time use key 507).

Claims 5 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Amin and Roundy and Farmer, as applied to claims 1 and 14, and further in view of Todasco (US 10284567 B2; hereinafter “Toda”).

As per claim 5, the references of Amin and Roundy and Farmer as combined above teach the computer-implemented method of claim 4, but do not explicitly disclose a set of rules defined by an authentication policy that corresponds to the client system and is configurable by the client system. This aspect of the claim is identified as a further difference.
In a related art, Toda teaches:
wherein the set of rules is defined at least in part by an authentication policy corresponding to the client system, the authentication policy configurable by the client system (Toda, col. 8, lines 50-55: authentication application 120 may include a dedicated application of service provider server 140 or other entity (e.g., a merchant, payment provider, etc.), which may be configured to provide service through the application, including authentication of a user identity and/or account access).
Toda is analogous art in a similar field of endeavor in improving user authentication with a record of device activity and metadata of user history.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to use Toda to modify the Amin-Roundy-Farmer system to include user information and activities to facilitate the authentication process. For this combination, the motivation would have been to improve the consistency of evaluating the user’s credentials and authenticity.

As per claim 18, the references of Amin and Roundy and Farmer as combined above teach the computer-readable storage medium of claim 17, but do not explicitly disclose a set of rules defined by an authentication policy that corresponds to the client system and is configurable by the client system. This aspect of the claim is identified as a further difference.
In a related art, Toda teaches:
wherein the set of rules is defined at least in part by an authentication policy corresponding to the client system, the authentication policy configurable by the client system (Toda, col. 8, lines 50-55: authentication application 120 may include a dedicated application of service provider server 140 or other entity (e.g., a merchant, payment provider, etc.), which may be configured to provide service through the application, including authentication of a user identity and/or account access).
Toda is analogous art in a similar field of endeavor in improving user authentication with a record of device activity and metadata of user history.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to use Toda to modify the Amin-Roundy-Farmer system to include user information and activities to facilitate the authentication process. For this combination, the motivation would have been to improve the consistency of evaluating the user’s credentials and authenticity.

Allowable Subject Matter
Claim 9 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim 9 recites elements of “wherein the authentication key is a secret key shared between the first client device and the authentication system, and the authentication token is a one-time password generated by the second client device using the secret key”.  These elements, when in combination with the other limitations in claims 1 and 8, are not anticipated by, nor made obvious over, the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, as the prior art additionally discloses certain parts of the claim features (see “PTO-892 Notice of References Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M. to 5:00 P.M. EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.

/Don G Zhao/ Primary Examiner, Art Unit 2493    05/06/2022