DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/11/2020 and 01/13/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hsiao et al. (US 2003/0200202), hereon referred to as Hsiao, in view of Saxman et al. (US 2014/0026193), hereon referred to as Saxman.
In regards to claims 1, 12 & 20, Hsiao discloses receiving an initial request to access the system (Receiving a request from a client user for an object stored in the system; Claim 1); verifying that the authentication information is valid (Querying the client user for username and password; Claim 4); generating an access token associated with the authentication information based on the verifying (Generating a non-transferable access token coded with information unique to the client user; Claim 1); identifying a system access pattern based on one or more circumstances of receiving the initial request; receiving the access token and a subsequent request to access the system.
However, Hsiao does not disclose determining whether the subsequent request complies with the identified system access pattern based on one or more circumstances of receiving the subsequent request; receiving authentication information associated with the initial request; in response to determining that the subsequent request does not comply with the system access pattern, refraining from at least one of accepting the access token or extending a lifetime of the access token; and in response to determining that the subsequent request does comply with the system access pattern, at least one of accepting the access token or extending the lifetime of the access token. In an analogous art Saxman discloses determining whether the subsequent request complies with the identified system access pattern based on one or more circumstances of receiving the subsequent request (A user database includes a log of user activity; and access can be denied when the specific personal information sought is outside the scope of privileges associated with the access token; Paragraphs 0049; 0103; Fig. 1, 3 & 5); receiving authentication information associated with the initial request (The access extension criteria may include receiving renewed access authentication information from the user, and the user may be required to re-enter a user name and password; Paragraph 0032; Fig. 1-2); in response to determining that the subsequent request does not comply with the system access pattern, refraining from at least one of accepting the access token or extending a lifetime of the access token; and in response to determining that the subsequent request does comply with the system access pattern, at least one of accepting the access token or extending the lifetime of the access token (Temporary access tokens are similar to "permanent" tokens, but inherently have a limited lifetime (which in some instances is extendable); The temporary access token has an expiration date/time, which may be specified explicitly by a user providing credentials, or may be assigned a default value (e.g., 1 hour or 30 minutes after creation); and the limited period of time is extended based on predefined extension criteria; Paragraphs 0050; 0060; 0094; Figs. 1-3).
At the time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings disclosed by Hsiao with the teachings disclosed by Saxman regarding determining whether the subsequent request complies with the identified system access pattern based on one or more circumstances of receiving the subsequent request; receiving authentication information associated with the initial request; in response to determining that the subsequent request does not comply with the system access pattern, refraining from at least one of accepting the access token or extending a lifetime of the access token; and in response to determining that the subsequent request does comply with the system access pattern, at least one of accepting the access token or extending the lifetime of the access token. The suggestion/motivation of the combination would have been to provide security of personal user information, and more specifically to methods and systems for allowing limited access to personal information on a shared device (Saxman; Paragraph 0001).
In regards to claims 2 & 13, Saxman discloses in response to determining that the subsequent request does not comply with the system access pattern, requesting the authentication information (The access extension criteria may include receiving renewed access authentication information from the user, and the user may be required to re-enter a user name and password; Paragraph 0032; Fig. 1-2).

In regards to claims 3 & 14, Hsiao discloses wherein determining that the subsequent request does comply with the system access pattern includes verifying that an IP address associated with the subsequent request matches an IP address associated with the initial request (Since the client IP address is stored as part of the cookie on the client, a stolen cookie that is submitted to the resource manager from a different client machine by a different user will not pass the resource manager's authentication process; Paragraph 0019; Fig. 2).
In regards to claims 4 & 15, Hsiao discloses wherein determining that the subsequent request does comply with the system access pattern includes verifying that a computing device identifier associated with the subsequent request matches a computing device identifier associated with the initial request, wherein the computing device identifier includes at least one of a MAC address, a machine identification number, a soft identifier, an operating system, or a machine configuration (Unique object identifier contains address information relating to the location of the requested information in resource manager so that the information can be later located on request by client; Paragraph 0015; Fig. 2).
In regards to claims 5 & 16, Saxman discloses in response to determining that the subsequent request does not comply with the system access pattern, denying the subsequent request (A user database includes a log of user activity; and access can be denied when the specific personal information sought is outside the scope of privileges associated with the access token; Paragraphs 0049; 0103; Fig. 1, 3 & 5).
In regards to claims 6 & 17, the combination of Hsiao and Saxman discloses in response to determining that the subsequent request does comply with the system access pattern, granting the subsequent request (The elements presented in the claim(s) do not contain any additional features and do not present any inventive step or novelty not addressed/presented in the citations of the combination of Hsiao and Saxman. Examiner takes official notice that these elements are commonly known, minor design details that are derivable from the prior art and are well known and obvious to one of ordinary skill in the art).
In regards to claims 7 & 18, Hsiao discloses wherein the authentication information includes at least one of a user name, a password, an answer to a security question, an identification number, a one-time pin via email or text message, a retinal scan, a fingerprint scan, a thumbprint scan, or a facial scan (Querying the client user for username and password; Claim 4).
In regards to claims 8 & 19, Hsiao discloses wherein the access token is stored in one or more of a cookie, a system database, or a memory (As part of username/password authentication, an encrypted ID or cookie including the client IP address, username, and password is generated by resource manager and stored in client; Paragraph 0019).
In regards to claim 9, the combination of Hsiao and Saxman discloses wherein verifying the authentication information is based on a system access policy (The elements presented in the claim(s) do not contain any additional features and do not present any inventive step or novelty not addressed/presented in the citations of the combination of Hsiao and Saxman. Examiner takes official notice that these elements are commonly known, minor design details that are derivable from the prior art and are well known and obvious to one of ordinary skill in the art).
In regards to claim 10, Saxman discloses wherein the one or more circumstances of receiving the initial request include at least one of a time of receiving the initial request, a day of receiving the initial request, or a location from which the initial request is received (The temporary access token has an expiration date/time, which may be specified explicitly by the user providing the credentials, or may be assigned a default value (e.g., 1 hour or 30 minutes after creation); Paragraph 0060; Figs. 1 & 3).
In regards to claim 11, Saxman discloses wherein the one or more circumstances of receiving the subsequent request include at least one of a time of receiving the subsequent request, a day of receiving the subsequent request, or a location from which the subsequent request is received (The temporary access token has an expiration date/time, which may be specified explicitly by the user providing the credentials, or may be assigned a default value (e.g., 1 hour or 30 minutes after creation); Paragraph 0060; Figs. 1 & 3).
Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARIF E ULLAH whose telephone number is (571)272-5453. The examiner can normally be reached Mon-Fri 7:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHARIF E ULLAH/Primary Examiner, Art Unit 2495