Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.   Applicant's submission filed on 5/19/2022 has been entered.   Claims 21-40 are pending.
 Response to Arguments
Applicant’s arguments with respect to claims 21, 28 and 35 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21-25, 28-32 and 35-39 are rejected under 35 U.S.C. 103 as being unpatentable over Guccione et al. (US 2015/0319156 hereinafter Guccione) in view of Johansson et al. (US 9,485,237 hereinafter Johansson) and further in view of Brickell et al. (US 2003/0115142 hereinafter Brickell).
Regarding claim 21, Guccione discloses a computer-implemented method for online authentication of online attributes, the method including: 
receiving, at a server over an electronic network, an authentication request from a relying party, the authentication request including identity information to be authenticated and credential information to be authenticated (FIG 4 & 11, ¶ [0022]-[0024], [0052]-[0054], [0069]; i.e. receiving at the master Idp from the service provider an user authentication request including user identity and association key, 2-factor required, assurance level or user proof of presence); 
determining, by the server, whether a user account is associated with the received identity information by accessing an internal database storing the user account (FIG. 4 & 11, ¶ [0037], [0052]; i.e. mapping the user identity with the use identity known by other Idp server(s) and/or mapping user identity to other identities correspond to other identity providers); 
determining, by the server, a required assurance level associated with the authentication request based on the authentication request and the relying party (FIG. 2 & 11, ¶ [0030]-[0033, [0037]]; i.e. determining an assurance level required by the authority or service provider for different services); 
determining, by the server, an assurance level stored in the internal database [[and associated with a user]], the user associated with the user account stored in the internal database (FIG. 2 & 11, ¶ [0037]-[0039], [0044]-[0045]; i.e. determining the authentication information such as password provided by the user does not meet the required assurance level); 
comparing, by the server, the determined assurance level stored in the internal database [[associated with the user]] to the required assurance level associated with the authentication request (FIG. 2 & 11, ¶ [0037]-[0039], [0044]-[0045]; i.e. determining the authentication information such as password provided by the user does not meet the required assurance level); 
as a result of determining, based on the comparing, that the determined assurance level stored in the internal database [[and associated with the user]] falls below the required assurance level associated with the authentication request, transmitting, by the server over the electronic network to the user associated with the user account stored in the internal database, a request for authentication data (FIG. 2, 4 & 11, ¶ [0024], [0037]-[0039], [0053]-[0054]; i.e. as the result that the user authentication or assurance level does not meet the required assurance level, requesting or redirecting user for multi-factor authentication); 
receiving, at the server over the electronic network, authentication data associated with the user associated with the user account stored in the internal database (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. receiving user multi-factor authentication or login credentials); 
transmitting, by the server over the electronic network to a verification data source server, the received authentication data associated with the user associated with the user account stored in the internal database (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. requesting other identity providers perform designated user multi-factor authentication or login credentials); 
receiving, at the server over the electronic network, an authentication result from the verification data source server for the received authentication data associated with  the user associated with the user account stored in the internal database and based on the transmitted authentication data (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. receiving authentication assertions from the identity providers).
Guccione discloses comparing the required assurance level and the assurance level stored in the database (FIG. 2, ¶ [0037]) and does not explicitly disclose comparing the required assurance level with the assurance associated with the user; determining, by the server, an updated assurance level associated with the user associated with the user account stored in the internal database, at least based on the received authentication result; and storing, by the server in the internal database, the updated assurance level as the assurance level associated with the user associated with the user account stored in the internal database.
However, Johansson discloses comparing the required assurance level with the assurance associated with the user (col. 8, lines 35-55; i.e. the confidence score is compared to a minimum confidence threshold that varies according to the account type associated with the user account).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to incorporate Johansson’s teaching into Guccione in order to authenticate users using comparing a confidence score calculated from multiple authentication factors to a minimum confidence threshold to allow users to access secured resource in the case that the users lost his/her passwords (Johansson, col. 1, lines 55-67, col.2 lines 1-14).
Brickell discloses determining, by the server, an updated assurance level associated with the user associated with the user account stored in the internal database, at least based on the received authentication result (FIG. 10A-B, ¶ [0071]-[0072]; i.e. verifying the authentication information using the authentication verification stored in the user’s portfolio in the user database and computing a level of assurance in the authentication or the reduced level of assurance); and storing, by the server in the internal database, the updated assurance level as the assurance level associated with the user associated with the user account stored in the internal database (FIG. 10B, ¶ [0071]-[0072]; i.e. the authorization server caches the reduced level of assurance).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to incorporate Brickell’s teaching into Guccione in view of Johansson in order to provide a simple, quick, reliable and flexible authentication process to authenticate users in real time wherever they are and with whatever authentication devices are currently available to them (Brickell, ¶ [0002]-[0006], [0021]).
Regarding claim 22, Guccione in view of Johansson and Brickell discloses the method of claim 21, further comprising: storing, by the server, the authentication data in the user data of the user account associated with the user (Guccione, FIG. 12B, ¶ [0052]; Johansson, col. 3, lines 15-34;  Brickell, ¶ [0030]).
Regarding claim 23, Guccione in view of Johansson and Brickell discloses the method of claim 21, further comprising: encrypting, by the server, the authentication data in the user data of the user account associated with the user (Guccione, ¶ [0038]).
Regarding claim 24, Guccione in view of Johansson and Brickell discloses the method of claim 21, further comprising: determining, by the server, the required assurance level associated with the authentication request further based on one or more predetermined policies associated with the relying party (Guccione, FIG. 4, ¶ [0052]; Brickell, ¶ [0044]).
Regarding claim 25, Guccione in view of Johansson and Brickell discloses the method of claim 21, further comprising: determining, by the server, the required assurance level associated with the authentication request by cross referencing the received authentication request with one or more previous authentication requests from the relying party (Brickell, ¶ [0043]).
Regarding claim 28, Guccione discloses a system for online authentication of online attributes, the system including: 
a data storage device that stores instructions system for online authentication of online attributes (FIG. 12B); and 
a processor (FIG. 12B) configured to execute the instructions to perform a method including: 
receiving, over an electronic network, an authentication request from a relying party, the authentication request including identity information to be authenticated and credential information to be authenticated (FIG 4 & 11, ¶ [0022]-[0024], [0052]-[0054], [0069]; i.e. receiving at the master Idp from the service provider an user authentication request including user identity and association key, 2-factor required, assurance level or user proof of presence); 
determining whether a user account is associated with the received identity information by accessing an internal database storing the user account (FIG. 4 & 11, ¶ [0037], [0052]; i.e. mapping the user identity with the use identity known by other Idp server(s) and/or mapping user identity to other identities correspond to other identity providers); 
determining a required assurance level associated with the authentication request based on the authentication request and the relying party (FIG. 2 & 11, ¶ [0030]-[0033]; i.e. determining an assurance level required by the authority or service provider for different services); 
determining an assurance level stored in the internal database [[and associated with a user]], the user associated with the user account stored in the internal database (FIG. 2 & 11, ¶ [0037]-[0039], [0044]-[0045]; i.e. determining the authentication information such as password provided by the user does not meet the required assurance level); 
comparing the determined assurance level stored in the internal database  [[and associated with the user]] to the required assurance level associated with the authentication request (FIG. 2 & 11, ¶ [0037]-[0039], [0044]-[0045]; i.e. determining the authentication information such as password provided by the user does not meet the required assurance level); 
as a result of determining, based on the comparing, that the determined assurance level stored in the internal database [[and associated with the user]] falls below the required assurance level associated with the authentication request, transmitting, over the electronic network to the user associated with the user account stored in the internal database, a request for authentication data (FIG. 2, 4 & 11, ¶ [0024], [0037]-[0039], [0053]-[0054]; i.e. as the result that the user authentication or assurance level does not meet the required assurance level, requesting or redirecting user for multi-factor authentication); 
receiving, over the electronic network, authentication data associated with the user associated with the user account stored in the internal database (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. receiving user multi-factor authentication or login credentials); 
transmitting, over the electronic network to a verification data source server, the received authentication data associated with the user associated with the user account stored in the internal database (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. requesting other identity providers perform designated user multi-factor authentication or login credentials); 
receiving, over the electronic network, an authentication result from the verification data source server for the received authentication data associated with the user associated with the user account stored in the internal database and based on the transmitted authentication data; and (FIG. 2, 4-5 & 11, ¶ [0024], [0053]-[0054]; i.e. receiving authentication assertions from the identity providers).
Guccione discloses comparing the required assurance level and the assurance level stored in the database (FIG. 2, ¶ [0037]) and does not explicitly disclose comparing the required assurance level with the assurance associated with the user; determining, by the server, an updated assurance level associated with the user associated with the user account stored in the internal database, at least based on the received authentication result; and storing, in the internal database, the updated assurance level as the assurance level associated with the user associated with the user account stored in the internal database.
However, Johansson discloses comparing the required assurance level with the assurance associated with the user (col. 8, lines 35-55; i.e. the confidence score is compared to a minimum confidence threshold that varies according to the account type associated with the user account).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to incorporate Johansson’s teaching into Guccione in order to authenticate users using comparing a confidence score calculated from multiple authentication factors to a minimum confidence threshold to allow users to access secured resource in the case that the users lost his/her passwords (Johansson, col. 1, lines 55-67, col.2 lines 1-14).
Brickell discloses determining, by the server, an updated assurance level associated with the user associated with the user account stored in the internal database, at least based on the received authentication result (FIG. 10A-B, ¶ [0071]-[0072]; i.e. verifying the authentication information using the authentication verification stored in the user’s portfolio in the user database and computing a level of assurance in the authentication or the reduced level of assurance); and storing, in the internal database, the updated assurance level as the assurance level associated with the user associated with the user account stored in the internal database (FIG. 10B, ¶ [0071]-[0072];  i.e. the authorization server caches the reduced level of assurance).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to incorporate Brickell’s teaching into Guccione in view of Johansson in order to provide a simple, quick, reliable and flexible authentication process to authenticate users in real time wherever they are and with whatever authentication devices are currently available to them (Brickell, ¶ [0002]-[0006], [0021]).
Regarding claims 29 and 36, see claim 22 above for the same reasons of rejections.
Regarding claim 30 and 37, see claim 23 above for the same reasons of rejections.
Regarding claim 31 and 38, see claim 24 above for the same reasons of rejections.
Regarding claim 32 and 39, see claim 25 above for the same reasons of rejections.
Regarding claim 35, see claim 21 above for the same reasons of rejections.
Claims 26-27, 33-34 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Guccione in view of Johansson and Brickell and further in view of Balazs et al. (US 9,444,824 hereinafter Balazs).
Regarding claim 26, Guccione in view of Johansson and Brickell discloses the method of claim 21.
Guccione does not explicitly discloses wherein the request for authentication level comprises an assurance level request for a one-time-password ("OTP").
However, Balazs discloses wherein the request for authentication level comprises an assurance level request for a one-time-password ("OTP") (col. 19, line 60-col. 20, line 12).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of claimed invention to incorporate Balazs’s teaching into Guccione in view of Johansson and Brickell in order to raise the assurance level for subsequent requests to detect and prevent fraudulent transactions (Balazs, col. 10, lines 22-33).
Regarding claim 27, Guccione in view of Johansson, Brickell and Balazs discloses the method of claim 26, wherein the OTP request is conducted by at least one of an interactive voice response ("IVR") method and a short message service ("SMS") method (Balazs, col. 10, lines 22-33).
Regarding claim 33 and 40, see claim 26 above for the same reasons of rejections.
Regarding claim 34, see claim 27 above for the same reasons of rejections.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHI D NGUY whose telephone number is (571)270-7311. The examiner can normally be reached Monday-Friday 9-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-272-8311.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/C.D.N/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435