Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
The instant application having Application No. 17/159,121 is presented for examination by the examiner.  Claims 1-20 have been canceled.  Claims 21-38 are pending.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.


Specification
The specification is objected to because of the following informalities:  
(0036) misspelled word: “aillustrative”
(0038) typo: “the a”
(0038) misspelled word: “enrollement”
(0075) typo: “the a”
(0100) missing period after “410”.
Claim Objections
	As per claims 23, 29, and 35 the phrase “a REST API applications” is grammatically incorrect.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 21-38 are rejected under 35 U.S.C. 103 as being unpatentable over USP Application Publication 2014/0313007 to Harding in view of USP 11,228,573 to Rangasamy et al. (hereinafter Rangasamy).

As per claims 21, 27, and 33 Harding teaches responsive to receiving the selection by the user for accessing the resource (0044), 
identifying, by the computer system, an authentication challenge method for authenticating the user (step 304; 0047), the authentication challenge method comprising a plurality of levels corresponding to a plurality of authentication factors [0047]; 
based upon the identified authentication challenge method, identifying, by the computer system, that the user is not enrolled for a first factor corresponding to a first level from the plurality of levels [0047; requested to enroll biometrics for the selected modality]; 
upon determining that the user is not enrolled for the first factor, initiating by the computer system, a first enrollment process for obtaining the first factor from the user and enrolling the user for the first factor [0056]; 
Harding does not explicitly teach after enrollment of the user for the first factor, based upon the identified authentication challenge method, identifying, by the computer system, that the user is not enrolled for a second factor corresponding to a second level from the plurality of levels; and upon determining that the user is not enrolled for the second factor, initiating by the computer system, a second enrollment process for obtaining the second factor from the user and enrolling the user for the second factor.  However, the inclusion of a second enrollment is clearly obvious from the teaching of Harding.  
First, Harding teaches more than one type of biometric modality and explicitly teaches each one represents levels of access (0047).  Second, Harding explicitly teaches that a second biometric factor can be requested of the user after the first is supplied based on the request (0045).  Therefore, all of the steps necessary to enroll a second factor, after a first factor, are taught by Harding.  Given the logical flow and based solely on the teachings of Harding, one of ordinary skill in the art before the effective filing date could have arranged the steps of Harding and arrived at the claimed invention.  The steps taught by Harding accommodate the situation presented in the claims without departing from the teachings of Harding and without yielding any unpredictable result.  With the claim as a backdrop and in light of the system of Harding, a user without factors enrolled requests a resource.  Paragraph 0047 teaches he/she must first enroll.  Fig. 5 outlines the enrollment process.  After enrollment is performed, the authentication process would return to step 308/310 in Fig. 4.  Once the next step (318) is reached, if the policies dictate that another biometric is required, then obviously the system is back at step 308, at which time the user, not having the second factor already enrolled, repeats the enrollment according to Fig. 5 for the second factor.  Finally, once the process is back at step 318, the system has all of the factors it needs to make a determination.
Harding is silent in explicitly teaching receiving, by a computer system, a selection of a URL by a user for accessing a resource.  Harding teaches APPS that form connection and send requests and authentication factors but does not explicitly teach the user selecting a URL.  On the other hand, Rangasamy teaches receiving, by a computer system, a selection of a URL by a user for accessing a resource (col. 11, lines 25-38).  Harding already teaches the system can be distributed (0043 and 0051).  Rangasamy teaches a known way through the Internet that resource providers are identified.  Using the URL of a does not produce any unpredictable results.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  

As per claims 22, 28, and 34 Harding does not explicitly teach the first factor and the second factor are obtained from the user via an application programming interface (API).  Following up in detail on how the client locates the server, Rangasamy teaches the first factor and the second factor [credentials] are obtained from the user via an application programming interface (API) (col. 9, lines 15-25).  APIs were known before the effective filing date to provide applications with a layer of communication, including transmitting credentials.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.
As per claims 23, 29, and 35 the combination of Harding and Rangasamy teaches the resource is a REST API applications [Rangasamy: col. 9, line 60-col. 10, line 2].
As per claims 24, 30, and 36 Harding teaches the resource is a sensitive application (0051).
As per claims 25, 31, and 37 Harding teaches the resource comprises a single-factor authentication application and a multi-factor authentication application (0046).
As per claims 26, 32, and 38 Harding teaches the resource comprises a single-factor authentication application, a multi-factor authentication application (0046), and a session management application (0041).  Harding does not explicitly teach a user name and password application.  Rangasamy teaches a user name and password application (col. 9, lines 15-16 and col. 19, lines 35-38).  Passwords are merely another type of credential, usually viewed as a lower level of authentication than biometrics.  Harding’s system could have been modified to accept a low-level credential such as username/password for low-level applications or used the password in combination with one or more biometric factors to increase the security of the challenge.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  Harding already teaches using a plurality of authentication factors for one resource (0048).

Conclusion
	The prior art made of record and not relied upon, considered pertinent to applicant's disclosure, is listed on the enclosed PTO-892 form.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431