Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Andrews (US 2017/0346815) in view of Kaidi (US 2021/0326432) in view of Hamel (US 2019/0319939).


Regarding Claim 1,

Andrews (US 2017/0346815) teaches a computer-implemented method comprising: 
receiving, at a computing device, an authentication request from an external device for authenticating an application on the external device (Paragraph [0044] teaches receiving an authentication request from a client device (i.e. external device) for authenticating an application (i.e. authentication for banking app 203/authentication application SDK)); 
receiving, at the computing device, a plurality of information items from a plurality of different externally residing information sources, wherein the plurality of information items comprises device fingerprinting information for the external device (Paragraph [0044, 0046] teaches sending “device fingerprint”) and access restriction circumvention (Paragraph [0045] teaches secondary authentication requirements);
evaluating the authentication request, at the computing device, including evaluating each of the plurality of information items, to determine an authentication status of the application (Paragraph [0050, 0052] teaches after collecting one or more of these attributes….determine whether there is a match); 
issue an authentication token to the external device, wherein the authentication token includes token information reflecting authentication status (Paragraph [0067] teaches granting access based on authentication notification);
receive login information for a user of the external device, issue a login token to the external device in response to the receiving the login information (Paragraph [0029] teaches username/password authentication); 
receive a request for access to private information and a confirmation of the authentication token and the login token; and selectively permit access to the private information by the external device through the application, based on the confirmation of the authentication token and the login token (Paragraph [0027] teaches access granted if the credentials and attributes are authenticated).

Andrews does not explicitly teach wherein a plurality of information items comprises malware detection information for the external device.
Kaidi (US 2021/0326432) teaches a plurality of information items comprises malware detection information for the external device (Paragraph [0019] teaches risk analysis may include detected malware to determine whether the device is trustworthy).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the plurality of information items as taught by Andrews to include malware detection information.
The motivation is to help determine risk analysis (Paragraph [0019] of Kaidi).

Andrews and Kaidi do not explicitly teach wherein receiving the login information is subsequent to issuing the authentication token and receiving login information from the external device

Hamel (US 2019/0319939) teaches wherein receiving the login information is subsequent to issuing the authentication token and receiving login information from the external device (Figure 3E, and associated text and in particular, receiving a login token step 3E20 is subsequent to step 3E14 “receive a proof response” (i.e. issuing the authentication token)) (Figure 1C teaches the user device (i.e. external device) runs both the authentication application and the login application)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the authentication and login method of Hamel

The motivation is to empower users to allow access by providing proof of identity (Paragraph [0099] of Hamel)

Regarding Claim 2,

Andrews and Kaidi teach the computer-implemented method of claim 1. Andrews teaches wherein the application comprises a software development kit (SDK) (Paragraph [0044] Authentication application SDK).

Regarding Claim 3,

Andrews and Kaidi teach the computer-implemented method of claim 1. Andrews teaches wherein the private information comprises financial information of a user of the external device (Paragraph [0028] teaches banking information).
Andrews does not explicitly teach wherein the computing device is an API server.
The Examiner takes Official Notice that API servers are well known in the art and it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the device of Andrews to be an API server and the results would be predictable.

Regarding Claim 13,

Andrews and Kaidi teach the computer-implemented method of claim 1. Andrews teaches wherein at least one of the externally residing information sources resides on the external device, such that at least one of the plurality of information items is received from the external device (Paragraph [0044, 0046] teaches sending “device fingerprint”).

Claims 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Andrews (US 2017/0346815) in view of Hamel (US 2019/0319939).


Regarding Claim 15,

Andrews teaches a computer system comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the system to: receive an authentication request from an external device for authenticating an application on the external device (Paragraph [0044] teaches receiving an authentication request from a client device (i.e. external device) for authenticating an application (i.e. authentication for banking app 203/authentication application SDK)); 
evaluate the authentication request based on a plurality of information items from a plurality of different externally residing information sources, the plurality of information items including at least one characteristic of the external device (Paragraph [0044, 0046] teaches sending “device fingerprint”) (Paragraph [0050, 0052] teaches after collecting one or more of these attributes….determine whether there is a match);
issue an authentication token to the external device based on the evaluating the authentication request (Paragraph [0067] teaches granting access based on authentication notification); 
receive login information for a user of the external device; issue a login token to the external device in response to the receiving the login information (Paragraph [0029] teaches username/password authentication); 
receive a request for access to private information and a confirmation of the authentication token and the login token; and selectively permit access to the private information by the external device through the application, based on the confirmation of the authentication token and the login token (Paragraph [0027] teaches access granted if the credentials and attributes are authenticated)
Andrews does not explicitly teach wherein receiving the login information is subsequent to issuing the authentication token and receiving login information from the external device

Hamel (US 2019/0319939) teaches wherein receiving the login information is subsequent to issuing the authentication token and receiving login information from the external device (Figure 3E, and associated text and in particular, receiving a login token step 3E20 is subsequent to step 3E14 “receive a proof response” (i.e. issuing the authentication token)) (Figure 1C teaches the user device (i.e. external device) runs both the authentication application and the login application)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews with the authentication and login method of Hamel

The motivation is to empower users to allow access by providing proof of identity (Paragraph [0099] of Hamel)


Regarding Claim 16,

Andrews and Hamel teach the computer system of claim 15, wherein the at least one characteristic of the external device comprises device fingerprinting information for the external device, malware detection information for the external device, and access restriction circumvention information for the external device (Paragraph [0044, 0046] teaches sending “device fingerprint”).

Claims 4-6 are rejected under 35 U.S.C. 103 as being unpatentable over Andrews (US 2017/0346815) in view of Kaidi (US 2021/0326432) in view of Hamel in view of Bahdasaryan (US 2017/0109509).

Regarding Claim 4,

Andrews, Kaidi and Hamel teach the computer-implemented method of claim 1 but do not explicitly teach wherein the plurality of information items are evaluated using a scoring system to determine an authentication status of the application.
Bahdasaryan (US 2017/0109509) teaches wherein the plurality of information items are evaluated using a scoring system to determine an authentication status of the application, and the method further comprises issuing an authentication token to the external device, wherein the authentication token includes token information reflecting the authentication status (Paragraph [0062-0068] teaches risk score to determine authentication status)(Paragraph [0037] teaches an authentication token reflecting authentication response)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the authentication scoring of Bahdasaryan
The motivation is to perform authentication using data analytics (Paragraph [0002] of Bahdasaryan)

Regarding Claim 5,

Andrews, Kaidi, Hamel and Bahdasaryan teach the computer-implemented method of claim 4. Bahdasaryan teaches further comprising receiving historical information regarding past authentication requests and modifying the scoring system based on the historical information (Paragraph [0053-0054] teaches modifying the scoring system based on historical parameters).

Regarding Claim 6,

Andrews, Kaidi, Hamel and Bahdasaryan teach the computer-implemented method of claim 4. Andrews teaches wherein the scoring system is configured such that the authentication status is determined to be authorized based on the device fingerprinting information and the malware detection information indicating that the application and the external device is not compromised, and the external device is permitted access to the private information based on the authorized authentication status (Paragraph [0027] teaches access granted if the credentials and attributes are authenticated).

Claims 7-12 are rejected under 35 U.S.C. 103 as being unpatentable over Andrews (US 2017/0346815) in view of Kaidi (US 2021/0326432) and Hamel in view of Wong (US 2011/0055913).

Regarding Claim 7,

Andrews, Kaidi and Hamel teach the computer-implemented method of claim 1, but do not explicitly teach wherein the external device is permitted access to the private information prior to evaluation of all of the plurality of information items, and wherein the method further comprises modifying the authentication status after the external device is permitted access to the private information.
Wong (US 2011/0055913) teaches wherein the external device is permitted access to the private information prior to evaluation of all of the plurality of information items, and wherein the method further comprises modifying the authentication status after the external device is permitted access to the private information (Paragraph [0058] teaches granting partial access prior to receipt of secondary authentication)(Paragraph [0060] teaches modifying authentication status after device is permitted access)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the permitting access prior to evaluation of all information items and the results would be predictable (i.e. partial access is granted before evaluation of all information items)

Regarding Claim 8,

Andrews, Kaidi, Hamel and Wong teach the computer-implemented method of claim 7. Wong teaches wherein the method further comprises modifying a degree of the access to the private information by the external device based on modifying the authentication status (Paragraph [0060] teaches granting more access after second authentication).

Regarding Claim 9,

Andrews, Kaidi and Hamel teach the computer-implemented method of claim 1, but do not explicitly teach wherein a first item of the plurality of information items is received from a first externally residing information source, and a second item of the plurality of information items is received after the first item from a second externally residing information source, wherein the external device is permitted access to the private information after evaluation of the first item and before evaluation of the second item.
Wong teaches wherein a first item of the plurality of information items is received from a first externally residing information source, and a second item of the plurality of information items is received after the first item from a second externally residing information source, wherein the external device is permitted access to the private information after evaluation of the first item and before evaluation of the second item (Paragraph [0058] teaches granting partial access prior to receipt of secondary authentication)(Paragraph [0060] teaches modifying authentication status after device is permitted access)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the permitting access prior to evaluation of all information items and the results would be predictable (i.e. partial access is granted before evaluation of all information items)


Regarding Claim 10,

Andrews, Kaidi, Hamel and Wong teach the computer-implemented method of claim 9. Wong teaches further comprising modifying the authentication status after the external device is permitted access to the private information and after evaluation of the second item and modifying a degree of the access to the private information by the external device based on modifying the authentication status (Paragraph [0060] teaches granting more access after second authentication).

Regarding Claim 11,

Andrews, Kaidi, Hamel and Wong teach the computer-implemented method of claim 9, wherein access to a first portion of the private information is permitted without evaluation of the second item, and access to a second portion of the private information is only permitted after evaluation of the second item (Paragraph [0058-0060]).

Regarding Claim 12,

Andrews and Kaidi teach the computer-implemented method of claim 1, but do not explicitly teach further comprising selecting, by the computing device, a degree of access to the private information based on the authentication status, wherein the external device is permitted to have the selected degree of access to the private information.
Wong teaches selecting, by the computing device, a degree of access to the private information based on the authentication status, wherein the external device is permitted to have the selected degree of access to the private information (Paragraph [0058] teaches granting partial access prior to receipt of secondary authentication) (Paragraph [0060] teaches modifying authentication status after device is permitted access).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the permitting a degree of access and the results would be predictable (i.e. partial access is granted).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Andrews (US 2017/0346815) in view of Kaidi (US 2021/0326432) in view of Hamel in view of Innes (US 2015/0381621).

Regarding Claim 14,

Andrews, Kaidi and Hamel teach the computer-implemented method of claim 1, but do not explicitly teach further comprising receiving, at the computing device, from a third party associated with the application, instructions determining a degree of access to selectively provide to the external device when the access restriction circumvention information indicates that access restriction for the external device has been circumvented.
Innes (US 2015/0381621) teaches receiving, at the computing device, from a third party associated with the application, instructions determining a degree of access to selectively provide to the external device when the access restriction circumvention information indicates that access restriction for the external device has been circumvented (Paragraph [0124] teaches determining if a context for access is too high based on jailbreak status, to deny access or require more authentication)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the method of Innes
The motivation is to determine there is no attempt to circumvent security mechanisms (Paragraph [0022])

Claims 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Andrews (US 2017/0346815) and Hamel in view of Innes (US 2015/0381621).


Regarding Claim 19,

Andrews teaches a non-transitory machine-readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to perform steps comprising: 
receiving an authentication request from an external device for authenticating an application on the external device (Paragraph [0044] teaches receiving an authentication request from a client device (i.e. external device) for authenticating an application (i.e. authentication for banking app 203/authentication application SDK)); 
receiving a plurality of information items from a plurality of different externally residing information sources, the plurality of information items including at least one characteristic of the external device evaluating the authentication request, including evaluating each of the plurality of information items using a scoring system, to determine an authentication status of the application (Paragraph [0044, 0046] teaches sending “device fingerprint”) (Paragraph [0050, 0052] teaches after collecting one or more of these attributes….determine whether there is a match); 
receiving login information for a user of the external device; issuing a login token to the external device in response to the receiving the login information (Paragraph [0029] teaches username/password authentication);
receiving a request for access to private information and a confirmation of the authentication token and the login token; and providing a selected degree of access to the private information by the external device through the application, based on the authentication status and the degree of certainty that the application or the external device is compromised (Paragraph [0027] teaches access granted if the credentials and attributes are authenticated)

Andrews does not explicitly teach wherein receiving the login information is subsequent to issuing the authentication token and receiving login information from the external device

Hamel (US 2019/0319939) teaches wherein receiving the login information is subsequent to issuing the authentication token and receiving login information from the external device (Figure 3E, and associated text and in particular, receiving a login token step 3E20 is subsequent to step 3E14 “receive a proof response” (i.e. issuing the authentication token)) (Figure 1C teaches the user device (i.e. external device) runs both the authentication application and the login application)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the authentication and login method of Hamel

The motivation is to empower users to allow access by providing proof of identity (Paragraph [0099] of Hamel)

Andrews does not explicitly teach issuing an authentication token to the external device, the authentication token including token information reflecting the authentication status and indicating a degree of certainty that the application or the external device is compromised based on the evaluating each of the plurality of information items; 


Innes (US 2015/0381621) teaches issuing an authentication token to the external device, the authentication token including token information reflecting the authentication status and indicating a degree of certainty that the application or the external device is compromised based on the evaluating each of the plurality of information items; (Paragraph [0124] teaches determining if a context for access is too high based on jailbreak status, to deny access or require more authentication)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the method of Innes
The motivation is to determine there is no attempt to circumvent security mechanisms (Paragraph [0022])


Regarding Claim 20,

Andrews teaches the non-transitory machine-readable medium of claim 19, wherein the instructions, when executed by one or more processors, cause the one or more processors to perform evaluating each of the plurality of information items including access restriction circumvention information, and receiving, from a third party associated with the application, instructions determining the selected degree of access to provide to the external device when the access restriction circumvention information indicates that access restriction for the external device has been circumvented (Paragraph [0124] teaches determining if a context for access is too high based on jailbreak status, to deny access or require more authentication).


Claims 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Andrews (US 2017/0346815) and Hamel in view of Bahdasaryan (US 2017/0109509).


Regarding Claim 17,

Andrews and Hamel teach the computer system of claim 15, wherein the instructions, when executed by the one or more processors, cause the system to evaluate the authentication request by causing the system to evaluate the plurality of information items using a scoring system to determine an authentication status of the application, and wherein the authentication token includes token information reflecting the authentication status
Andrews does not explicitly teach evaluate the authentication request by causing the system to evaluate the plurality of information items using a scoring system to determine an authentication status of the application, and wherein the authentication token includes token information reflecting the authentication status
Bahdasaryan (US 2017/0109509) teaches evaluate the authentication request by causing the system to evaluate the plurality of information items using a scoring system to determine an authentication status of the application, and wherein the authentication token includes token information reflecting the authentication status (Paragraph [0062-0068] teaches risk score to determine authentication status)(Paragraph [0037] teaches an authentication token reflecting authentication response)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the authentication scoring of Bahdasaryan
The motivation is to perform authentication using data analytics (Paragraph [0002] of Bahdasaryan)

Regarding Claim 18,

Andrews and Hamel teach the computer system of claim 15, but do not explicitly teach wherein the instructions, when executed by the one or more processors, cause the system to evaluate the plurality of information items using a scoring system to determine an authentication status of the application, and further cause the system to receive historical information regarding past authentication requests and to modify the scoring system based on the historical information
Bahdasaryan teaches evaluate the plurality of information items using a scoring system to determine an authentication status of the application (Paragraph [0062-0068] teaches risk score to determine authentication status) (Paragraph [0037] teaches an authentication token reflecting authentication response), and further cause the system to receive historical information regarding past authentication requests and to modify the scoring system based on the historical information (Paragraph [0053-0054] teaches modifying the scoring system based on historical parameters).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Andrews and Kaidi with the authentication scoring of Bahdasaryan
The motivation is to perform authentication using data analytics (Paragraph [0002] of Bahdasaryan)

	



Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462. The examiner can normally be reached M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HARRIS C WANG/Primary Examiner, Art Unit 2439