DETAILED ACTION
This action is in response to communication: response to amendments/arguments filed on 07/05/2022.
Claims 1-20 are currently pending in this application.  
The IDS filed on 06/17/2022 has been accepted.  
	
Response to Arguments
The prior 112 rejections have been withdrawn in response to applicant’s amendments and arguments.
In regards to the 103 rejection, Applicant’s arguments with respect to claim(s) have been fully considered but are moot in view of new grounds of rejection.  See amended rejection below. 

Claim Rejections - 35 USC § 112
The prior 112 rejections have been withdrawn in response to applicant’s amendments and arguments.  	

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-9 and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over Aronowitz et al. US Patent Application Publication 2018/0034859 (Aronowitz), in view of Sheller et al. US Patent Application Publication 2014/0366111 (Sheller).

As per claim 1, Aronowitz teaches a method comprising: receiving, at a computing device, a request for verification of access to a secured electronic resource by a user device (paragraph 73 with receiving request to access a resource); determining an authentication challenge level for the user device for access to the secured electronic resource, the authentication challenge level indicating an evaluation of a user identity corresponding to the user device, wherein determining the authentication challenge level includes applying a passive-dimension decision model to one or more of the user device or the request (paragraph 74 and 75 with client device and server device selection factors; see paragraph 33 wherein challenge section manager takes into consideration classification, risk, and cost levels associated with resource; see paragraph 35 wherein challenge selection takes into account plurality of factors including user, environment, environmental, network, user history, etc.), wherein the passive-dimension decision model comprises analyzing one or more of: identity characteristics associated with the user device or the request, and device characteristics associated with the user device or the request (paragraph 35 and 36 with user and device; characteristics can include IP address, type of device, etc); and communicating an access decision to the user device, wherein the access decision is based on the authentication challenge level (paragraph 39 with sending challenge to user; see Fig. 5A and paragraphs 77-78 with sending appropriate challenge to user device; see Fig. 5B with sending authentication decision; see also paragraphs 80 and 81 with sending decision to device; see also paragraph 42 with sending authentication decision to client device); and wherein the access decision includes one or more of: responsive to the authentication challenge level indicating a first evaluation of the user identity, authorizing access to the secured electronic resource by the user device without supplemental authentication, responsive to the authentication challenge level indicating a second evaluation of the user identity, denying access to the secured electronic resource by the user device; or responsive to the authentication challenge level indicating a third evaluation of the user identity, presenting a supplemental authentication challenge to the user device (paragraphs 41-42; see Figures 5A and 5B; also see paragraphs 81-82, wherein authentication decision may be to authorize access; deny access, or providing supplemental authentication challenge if confidence level does not meet threshold).
Although Aronowitz teaches different challenges based on evaluations of user identity and other factors, Aronowitz does not explicitly teach that a user device is already authenticated via an authentication challenge prior to the subsequent authentication challenges.  However, this would have been obvious.  Having a user pre-authenticated before performing additional authentication challenges is notoriously well known in the art.  For example, see Sheller (paragraph 87 with initial authentication of a user; see also Figure 2; further, see Figure 4 and throughout reference wherein additional authentication may or may not be required based on confidence score).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Aronowitz with Sheller.  One of ordinary skill in the art would have been motivated to perform such an addition to provide more security (paragraph 4 of Sheller).

As per claim 2, as best understood by the Examiner, Aronowitz teaches wherein the request for verification of access to the secured electronic resource corresponds to a query requesting whether to challenge the user device with supplemental authentication prior to granting access to the secured electronic resource (see Figure 5A with request to access resource, and see the flow chart leading to Figure 5B with determining whether to send any further challenges).
As per claim 3, it would have been obvious over the Aronowitz combination wherein the request is received after the user device obtains primary credentials authorizing access to the secured electronic resource (Sheller paragraph 87 wherein initial authentication occurs first before further authentication determinations).
As per claim 4, Aronowitz teaches wherein applying the passive-dimension decision model comprises analyzing one or both of the identity characteristics and device characteristics without receiving input from the user device during determining the authentication challenge level (see Figure 5 and paragraphs 72-80 with server making decisions based on factors that do not require user input).
As per claim 5, Aronowitz teaches wherein applying the passive-dimension decision model comprises one or more of obtaining input session data associated with the request from the user device and comparing the input session data with previously obtained reference data; determining an identity of a user and searching an identity database using the identity; determining an identifier associated with the user and searching a historical usage database using the identifier; determining a device identifier associated with the user device and searching a device database using the device identifier; determining a location profile associated with the user or the user device and searching a location database using the location profile; or determining a user interaction profile associated with the request for access to the secured electronic resource and comparing the user interaction profile with previously obtained user interaction profile data (paragraph 34 with user identity; paragraph 36 with device identifiers; paragraph 36 with location profile; paragraph 54 and 56 with historical factors/interaction profile; also see paragraph 37 with different challenges such as identities and identifiers).
As per claim 6, Aronowitz teaches wherein the input session data corresponds to data input responsive to one or more information queries presented by the user device (paragraph 33 with request from client device; see paragraph 36 of other information from user device from request such as IP address, type of device, date and time when request is made, etc; also see paragraph 37).
As per claim 7, Aronowitz teaches wherein determining the authentication challenge level includes using a result of comparing the input session data with previously obtained reference data by determining aspects of the input session data that match the previously obtained reference data, and determining additional aspects of the input session data that differ from the previously obtained reference data (paragraph 35 with user history factors, contextual factors, etc and comparing them with stored records; similarities and differences will be determined from comparison of historical records; see also paragraphs 54 and 56 with historical factors).
As per claim 8, Aronowitz teaches wherein determining the authentication challenge level includes one or more of: verifying whether the identity associated with the user appears in a historical usage database in association with the user and other users, verifying whether the device identifier appears in the device database in association with the user or with other users, verifying whether aspects of the location profile match entries in the location database associated with the user or the user device, or verifying whether aspects of the user interaction profile match or differ from the previously obtained user interaction profile data (paragraph 35, 54, and 56 with comparing user history/interaction profiles; see also paragraph 37 with context including geographic location or day).
As per claim 9, Aronowitz teaches wherein determining the location profile includes one or more of: receiving a geographical coordinate obtained by a position sensor of user device, determining a geographical coordinate associated with the user device by querying a geolocation database with a device identifier associated with the user device, or determining a historical usage pattern of geographical coordinates associated with the user device (paragraph 36 with geographical coordinates obtained by GPS of client device).
As per claim 11, Aronowitz teaches wherein analyzing the identity characteristics includes one or more of: obtaining input session data associated with the request from the user device and comparing the input session data with previously obtained reference data; determining an identity of a user and searching an identity database using the identity; or determining an identifier associated with the user and searching a historical usage database using the identifier (paragraph 37 with challenges including username, password, biometrics corresponding to user).
As per claim 12, Aronowitz teaches wherein presenting the supplemental authentication challenge to the user device includes one or more of: presenting a multi-factor authentication query at the user device or presenting a knowledge-based authentication query at the user device (see Figure 5A and 5B for additional challenges; see paragraph 37 wherein challenge may be multifactor such as a set of biometric, or also a knowledge based such as username/password).
Claim 13 is rejected using the same basis of arguments used to reject claim 1 above.
Claim 14 is rejected using the same basis of arguments used to reject claim 2 above. 
Claim 15 is rejected using the same basis of arguments used to reject claim 3 above.
Claim 16 is rejected using the same basis of arguments used to reject claim 5 above.
Claim 17 is rejected using the same basis of arguments used to reject claim 7 above. 
Claim 18 is rejected using the same basis of arguments used to reject claim 8 above.
Claim 19 is rejected using the same basis of arguments used to reject claim 11 above.
Claim 20 is rejected using the same basis of arguments used to reject claim 12 above. 



Claim 10 is rejected under 35 U.S.C. 103 as being obvious over the Aronowitz combination as applied above, in view of Turgeman US Patent Application Publication 2017/0085587 (Turgeman).
As per claim 10, the Aronowitz combination does not explicitly teach wherein determining the user action profile includes one or more of tracking keystrokes input by a user or tracking mouse movements input by a user.  This would have been obvious, though, as Aronowitz teaches utilizing biometric samples (paragraph 36).  However, for a more explicit teaching on biometrics including key strokes and mouse movements, see Turgeman (paragraphs 37-41 with utilizing key strokes and mouse movements for authentication).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Aronowitz combination with Turgeman.  One of ordinary skill in the art would have been motivated to perform such an addition to increase security and decrease the likelihood that security can be breached (paragraph 3 of Turgeman).
  

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431.  The examiner can normally be reached on Monday-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JASON K GEE/Primary Examiner, Art Unit 2495