DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 6/15/2022.
In instant Amendment, claims 1, 8 and 15 have been amended; claims 6, 13 and 20 have been canceled; claims 1, 8 and 15 are independent claims. Claims 1-5, 7-12 and 14-19 have been examined and are pending. This Action is made Final.

Response to Arguments
The objection to the Claims 1-20 is withdrawn as the Claims has been amended.
Applicants arguments with respect to the 35 U.S.C. 101 rejection have been fully considered but are not persuasive.
Applicant Argues: “Applicant respectfully submits that Applicant's claims as amended cannot be performed in the human mind but for the recitation of generic computer components. Applicant's claims are limited such that access is granted by an IoT resource control program, which is a specialized program that could not be considered a generic computer component, and which even under its broadest reasonable interpretation could not be said to reside within the human mind, for at least the reason that the human mind could not be reasonably said to comprise programs, much less IoT resource control programs. Furthermore, Applicant's claims are limited to the use of authorization devices, which are in turn limited to comprising accelerometers capable of gathering accelerometer data to determine that the authorization device is on the person of one or more approvers. Accelerometers are not generic computing devices: they are micro-location sensors tied to specific hardware which is not a component of a generic computing device. Even assuming, ad arguendo, that an accelerometer is a component of a generic computing device, which Applicant does not concede for at least the foregoing reasons, Applicant's accelerometer is being put to the use of determining whether the authorization device is on the person of a user, which is not a generic usage of an accelerometer. Furthermore, insofar as the human mind could be interpreted to be an authorization device, the human mind does not comprise accelerometers, and cannot produce accelerometer data. For at least these reasons, Applicant respectfully asserts that Applicant's claims cannot be performed in the human mind but for the recitation of generic computer components. Reconsideration and withdrawal of the rejection is, therefore, respectfully requested.”
Examiner’s Response:  The examiner respectfully disagrees.  The examiner notes the claims as drafted still fall under the enumerated grouping of Mental Processes, i.e., with respect to Step 2A-Prong One.  The examiner respectfully notes that other than reciting “a processor” in the preamble and the use of a “IOT control program” for granting access to specific resource i.e.,  “web resource” nothing in the claim element precludes the step from practically being performed in the mind. For example in the context of this claim encompasses a user can manually verify two devices of individuals are located within proximity, and further based on a manual comparison of data (i.e., accelerometer data), and then grant access to a resource to one of the individuals based on such verification.  With respect to Step 2A-Prong Two, the examiner notes the use of a processor” in the preamble and the use of a “IOT control program” for granting access to specific resource i.e.,  “web resource” are recited at a high-level of generality (i.e., as a generic processor executing generate software for granting access to a generic web resource, via use of authentication) such that it amounts no more than mere instructions to apply the exception using a generic computer component.  Further, with respect to Step 2B, the examiner notes the additional elements of using (i.e., using a processor, a “IoT control Program” granting access to a web resource) amounts to no more than mere instructions to apply the exception using a generic computer component (i.e., processor and software). Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Applicants arguments with respect to the 35 U.S.C. 102/103 rejection have been considered but are moot in view of the new ground(s) of rejection
















Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-5, 7-12 and 14-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites granting access to a resource based on one or more access requirements being met, more specifically:
Claims 1, 8, and 15 similarly recite – 
A 
 granting, 
identifying a location of one or more authorization devices corresponding with one or more approvers as within a threshold distance of a computing device of the requestor; and
 determining the one or more authorization devices to be on a person of the one or more approvers based on accelerometer data from the authorization devices.
The examiner notes the limitation above grants access to a resource based on the requirement of two or more devices being in a threshold distance and based on a determination regarding accelerometer data.  The examiner respectfully notes, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “a processor” in the preamble and the use of a “IOT control program” for granting access to specific resource i.e.,  “web resource” nothing in the claim element precludes the step from practically being performed in the mind. For example in the context of this claim encompasses a user can manually verify two devices of individuals are located within proximity, and further based on a manual comparison of data (i.e., accelerometer data), and then grant access to a resource to one of the individuals based on such verification. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. 
This judicial exception is not integrated into a practical application. In particular, the claim only recites one elements – using a processor, a “IoT control Program” granting access to a web resource. The processor and accessing a web resource are recited at a high-level of generality (i.e., as a generic processor executing generate software for granting access to a generic web resource, via use of authentication) such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of using (i.e., using a processor, a “IoT control Program” granting access to a web resource) amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. 
Further, the examiner cites to Jacobs (US 2018/0041518 A1) as Jacob’s Background  states in [0003]-[0004] the use of user/name and password which are used to access sensitive information and performance of sensitive transactions on websites.  The claim is not patent eligible.  

Regarding claims 2-5, 7, 9-12, 14 and 16-19; claims 2-5, 7, 9-12, 14 and 16-19 contain similar abstract ideas as those noted with respect to Claims 1, 8, and 15 and thus are rejected under similar rationale as per Claim 1, 8, and 15.
















Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 8, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Copsey (US 2014/0259129 A1) view of Srivastava et al. (US 2017/0105171 A1) and Philips et al. (US 10,269,017 B1).

Regarding Claim 1;
Copsey discloses a processor-implemented method for managing access to one or more protected web resources based on the location of an approver (Abstract and [0035] - For example, while embodiments may be usefully applied to a user at a mobile device accessing a content provider...), the method comprising: 
	granting, by a .... control program (FIG. 5 and [0110] - one or more computing devices executing a collaborative authentication application to provide a collaborative authentication server (CAS) 520), a requester access to protected web resource based on a plurality of access requirements being met ([0035] and [0059] – response to a challenge and [0065]-[0066] – verify the co-location)  wherein the plurality of access requirements comprises: 
	identifying a location of one or more authorization devices corresponding with the one or more approvers as within a threshold distance of a computer device of the requestor ([0065]-[0066] - Security module 128 may also be configured to verify the co-location of the user and the collaborative authenticator to ensure that they are within some distance of one another as the authentication process is being performed... Co-location verification may be performed using a communication technique such as near field communication technique or Bluetooth, or the like, on the collaborative authenticator's computing device 110, the user's computing device 110 or both, to determine that the user's computing device 110 and the collaborative authenticator's computing device 110 are within some distance of one another (e.g., 5 feet, 20 feet, 100 feet, in the same building, etc. and [0067]);
	determining that one or more authorization devices to be on a person of the one or more approvers based on... data from the authorization device ([0067] - In yet even another embodiment, the assigned rights may also be location specific. In so doing, the GUI 300 can show the proximity of the IoT device trying to gain access to the IoT device having the specific functionality, e.g., smart lock on front door. For example, if the worker is accessing the functionality of the IoT device via user equipment A (see box 320) from a location that is greater than a predetermined distance, e.g., 25 feet, the smart lock will not open. Hence, the smart lock requires the user equipment of the Worker (with restricted privileges) to be in close proximity to the smart lock door (IoT device) in the network).
	Copsey fails to explicitly disclose 
	granting, by an IoT resource control program, a requestor access...
	...
	determining that one or more authorization devices to be on a person of the one or more approvers based on accelerometer data from the authorization device.
	However, in an analogous art, Srivastava teaches concepts of: granting, by an IoT resource control program, a requestor access... (Srivastava, [0015] – accept commands from web based service executing on a remote server... [0032] - In some embodiments, the multilayer access control layer itself may be realized as a software mechanism on the hub and [0044] - As illustrated in FIG. 2, the multilayer access control layer 210 may include one or more access maps 230 that define the access rights of a variety of users, remote host devices, applications, commands, queries, web services, and/or network domains with respect to specific IoT devices).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Srivastava to the control program of Jacobs to include concepts of: granting, by an IoT resource control program, a requestor access.
One would have been motivated to combine the teachings of Srivastava to Copsey to do so as it provides/allows an  electronic device security and, more particularly, to controlling accesses to connected devices (Srivastava, [0002]).
Further, in an analogous art, Phillips teaches determining that one or more authorization devices to be on a person of the one or more approvers based on accelerometer data from the authorization device (Phillips, col. 2, lines 44-58 - As an example method of authenticating users, the transaction server may perform gait analysis on sensor data provided by one or both of the user devices to confirm that the user(s) involved in the transaction are who they claim to be and col. 3, lines 38-55 - For example, authentication data may include gait authentication data, or a gait signature, that indicates the manner in which a user travels (e.g., using GPS data, accelerometer data, gyroscope data, and/or the like), a facial recognition signature that indicates features of a user's face, a biometric signature that indicates features of one or more fingers of a user, a retina signature that indicates features of a user's retina, voice signature that indicates features of a user's voice, and/or the like. The authentication data may be obtained from the authentication data storage device, for example, using data identifying a user's account included in the transaction data and col. 3, lines 56-col. 4, lines 9 - For example, the transaction server may determine whether gait data included in the sensor data from matches a gait signature of the corresponding user. Based on the confirmation and/or authentication determinations, the transaction server may perform a variety of actions, including notifying one or more users regarding the results, logging the transaction, authorizing the transaction, and/or the like. Thus, the transaction server may use sensor data provided by user devices during a transaction to confirm and/or authenticate the transaction and col. 13, lines 8-10 – walking pattern).  
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Phillips to the determining based on... data from the authorization device of Copsey and Srivastava to include determining that one or more authorization devices to be on a person of the one or more approvers based on accelerometer data from the authorization device
One would have been motivated to combine the teachings of Phillips to Copsey and Srivastava to do so as it provides/allows to confirm whether a peer-to-peer transaction has taken place and, if it has, whether the transaction was authentic, e.g., whether the users involved in the transaction are who they purport to be during the transaction (Phillips, col. 2, lines 30-43).

Regarding Claim 8; Claim 8 is directed to a system associated with the method claimed in Claim 1. Claim 8 is similar in scope to Claim 1, and are therefore rejected under similar rationale.

Regarding Claim 15; Claim 15 is directed to a program product associated with the method claimed in Claim 1. Claim 15 is similar in scope to Claim 1, and are therefore rejected under similar rationale.

Claims 2-4, 9-11, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Copsey (US 2014/0259129 A1) view of Srivastava et al. (US 2017/0105171 A1) and Philips et al. (US 10,269,017 B1) and further in view of Jacobs et al. (US 2018/0041518 A1).

Regarding Claim 2;
Copsey in view of Srivastava and Phillips disclose the method to Claim 1.
Copsey in view of and Srivastava and Phillips fail to explicitly disclose wherein the one or more approves are stratified into at least two groups according to authorization priority, wherein a first group has higher authorization priority than a second group
	However, in an analogous art, Jacobs further teaches wherein the one or more approves are stratified into at least two groups according to authorization priority, wherein a first group has higher authorization priority than a second group (Jacobs, FIG. 1 and [0079] - In step 430, an exemplary computing system may determine a physical location of a known associate 140a-c for comparison with the physical location of user 131. The physical location of a known associate 140a-c may be determined according to any manner described above with respect to step 420. In some embodiments physical location information of any number of known associates 140a-c may be determined for comparison with the location of user 131. In some embodiments, a particular known associate may be identified based on any number of relevant factors, such as a context of the request received in step 410 or the location of the user 131. In some embodiments, location information of a “primary” associate 140a, such as a partner or other family member, may be determined as a default rule as part of an authorization determination).
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Jacobs to the one or more approves of Copsey in view of Srivastava and Phillips and Srivastava to include wherein the one or more approves are stratified into at least two groups according to authorization priority, wherein a first group has higher authorization priority than a second group
One would have been motivated to combine the teachings of Jacobs to Copsey in view of Srivastava and Phillips to do so as it provides/allows to remotely verifying a user identity, more particularly, systems and methods for verifying a user's identity based on a determined proximity of the user to another “trusted” or associated user (Jacobs, [0002]).

Regarding Claim 3;
Copsey in view of Srivastava and Phillips and Jacobs disclose the method to Claim 2.
	Jacobs further teaches further comprising: responsive to determining that no authorization devices corresponding with one or more approvers within a group of higher authorization of the at least two groups are within the threshold distance of the computing device of the requestor, granting the requestor access to the protected web resource based on a location of one or more authorization devices corresponding with one or more approvers within a group of lower authorization of the at least two groups being within the threshold distance of the computing device of the requestor (Jacobs, [0079] - In some embodiments physical location information of any number of known associates 140a-c may be determined for comparison with the location of user 131. ... In some embodiments, location information of a “primary” associate 140a, such as a partner or other family member, may be determined as a default rule as part of an authorization determination and [0080] - In other embodiments, a physical location proximity determination may be made with respect to any number of known associates until a proximity threshold is met and [0084] and [0098] - In other embodiments, a physical location proximity determination may be made with respect to any number of known associates until a proximity threshold is met.).  The examiner notes a rule may be defined to include any number of known associates will be used, this would include the primary “default” associate and any other associates until a threshold is met.  So, if the primary is not within the threshold distance it will continue using other “lower” grouped associates until a threshold is met, and if not authentication will be denied.  

Regarding Claim 4;
Copsey in view of and Srivastava and Phillips disclose the method to Claim 1. 
Copsey in view of and Srivastava and Phillips fail to explicitly disclose responsive to determining that no authorization devices corresponding with one or more approvers are within the threshold distance of the computing device of the requestor, performing one or more predetermined actions
	However, in an analogous art, Jacobs further teaches responsive to determining that no authorization devices corresponding with one or more approvers are within the threshold distance of the computing device of the requestor, performing one or more predetermined actions ([0037] - An authentication/authorization determination may be based on a physical location proximity result signal indicative of whether a proximity threshold is met.... The received authentication/authorization request may then be approved, denied, or flagged for further processing based on the determined physical location proximity result signal and [0084]). 
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Jacobs to the one or more approves of Copsey in view of Srivastava and Phillips and Srivastava to include responsive to determining that no authorization devices corresponding with one or more approvers are within the threshold distance of the computing device of the requestor, performing one or more predetermined actions.
One would have been motivated to combine the teachings of Jacobs to Copsey in view of Srivastava and Phillips to do so as it provides/allows to remotely verifying a user identity, more particularly, systems and methods for verifying a user's identity based on a determined proximity of the user to another “trusted” or associated user (Jacobs, [0002]).

Regarding Claims 9-11; Claims 9-11 are directed to a system associated with the method claimed in Claims 2-4. Claims 9-11 are similar in scope to Claims 2-4, and are therefore rejected under similar rationale.

Regarding Claims 16-18; Claims 16-18 are directed to a program product associated with the method claimed in Claims 2-4. Claims 16-18 are similar in scope to Claims 2-4, and are therefore rejected under similar rationale.



Claims 5, 7, 12, 14, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Copsey (US 2014/0259129 A1) view of Srivastava et al. (US 2017/0105171 A1) and Philips et al. (US 10,269,017 B1) and further in view of Tkachev (US 2014/0331278 A1).

Regarding Claim 5;
Copsey in view of Srivastava and Phillips disclose the method to Claim 1.
	Copsey in view of Srivastava and Phillips fails to explicitly disclose wherein a device is not an authorization device if it corresponds with an approver who is sleeping. 
	However, in an analogous art, Tkachev teaches wherein a device is not an authorization device if it corresponds with an approver who is sleeping (Tkachev, [0134] - As an example, the system would rather avoid reaching out to verification agents who are in a time zone where it is the middle of the night, and would rather reach out to verification agents who are awake and likely to be more effective in decision-making).
Therefore, it would have been obvious to try, by one of ordinary skill in the art before the effective filing date of the claimed invention, to apply the concepts of Tkachev i.e. avoiding reaching out to agents are in a time zone where it is in the middle of the night (i.e., not awake) and thus incorporate it into the method of Copsey in view of Srivastava and Phillips since there are a finite number of identified, predictable potential solutions (i.e. awake, not awake, or force wake) to the recognized need (i.e., authenticating with trustworthiness) and one of ordinary skill in the art could have pursued the known potential solutions with a reasonable expectation of success (i.e., choose to use not awake and thus would not use as an authenticating source). 

Regarding Claim 7;
Copsey in view of Srivastava and Phillips discloses the method to Claim 1.
	Copsey in view of Srivastava and Phillips fails to explicitly wherein the authorization requirements are based on factors pertaining to the requestor and an importance of the protected web resource.
	However, in an analogous art, Tkachev teaches wherein the authorization requirements are based on factors pertaining to the requestor and an importance of the protected web resource ([0075] - For example, depending on the purpose of authentication and associated security requirements, such as corporate, government, high security applications, additional functionality allows adding specific pre-defined members such as administrators, IT support, managers, supervisors, etc., to the list of identification agents to be contacted as required for access. In these instances, in addition to using one's traditional social circle the access at that specific authentication step for that particular application will only be provided once the user is authenticated by the specific member of a group (administrators, IT support, managers, supervisors, authorized external parties) in addition to the agents selected from members of the user's personal social circle and [0111]).  As constructed a lower-level employee needing management/supervisor level employee authentication as well as (family, friends, colleagues). 
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Tkachev to authorization requirements of Copsey in view of Srivastava and Phillips to include wherein the authorization requirements are based on factors pertaining to the requestor and an importance of the protected web resource.
One would have been motivated to combine the teachings of Tkachev to Copsey in view of Srivastava and Phillips to do so as it provides/allows an effective mechanism for dynamically providing identity verification and authentication of a user utilizing the user's social circle of established relationships as verification agents (Tkachev, [0052]).

Regarding Claims 12 and 14; Claims 12 and14 are directed to a system associated with the method claimed in Claims 5 and 7. Claims 12 and 14 are similar in scope to Claims 5 and 7, and are therefore rejected under similar rationale.

Regarding Claims 19; Claims 19 are directed to a program product associated with the method claimed in Claims 5. Claims 19 are similar in scope to Claims 5, and are therefore rejected under similar rationale.









Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KARI L SCHMIDT/Primary Examiner, Art Unit 2439