DETAILED ACTION
This final office action is in response applicant’s claim arguments/amendments filed June 15, 2022. Claims 1-20 are pending. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1.	The electronic terminal disclaimer filed on June 15, 2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of any patent granted on US patent # 10,846,389 has/have been reviewed and accepted. The terminal disclaimer has been recorded. The examiner hereby withdraws the non-statutory double-patenting rejection presented in previous office action.
2.	Applicant's arguments regarding prior art rejection filed June 15, 2022 have been fully considered but they are not persuasive. 
Applicant argues, “Claim 1 requires bundling both the attributes and the request for access into an authentication object for providing access to protected resources. Cheng merely teaches a client device that collects biometric data and content information data from a user device and sending that data to a server to access protected resources… At no point does Cheng teach, disclose, or suggest bundling the information for accessing the protected resources into an object.”
Examiner has carefully reviewed the applicant’s arguments and respectfully disagrees. Applicant agrees that Cheng teaches a client device that collects biometric data and content information data from a user device and sending that data to a server to access protected resources but doesn’t agree that Cheng teaches bundling the information for accessing the protected resources into an object. For clear understanding of Chen’s teaching, examiner is reproducing fig. 3 from Cheng here:

    PNG
    media_image1.png
    751
    1035
    media_image1.png
    Greyscale

Chen teaches clients send biometric data, context information to the server for user authentication and allowing access to protected resources. Context information may be unique device identifier and geographic location data corresponds to claimed attributes. Para. 0025-0029. The context information included in a particular access request (emphasis added) may include an identification of the client device requesting access to a particular protected resource and geographic location of the client device at the time of the access request. Para. 0048. Resource access request 316 corresponds to claimed authentication request object includes user identification 328, resource identification 320, and context of resource access request 322. Para. 0070. Cheng’s resource access request is corresponding to claimed authentication request object that bundles both the attributes and request to access. 
Applicant presents no further arguments. For the above reasons, it is believed that the rejections should be sustained. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-3, 7-12, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0109509 A1 to Baghdasaryan et al. (“Baghdasarayan”) in view of US 2015/0106888 A1 to Cheng et al. (“Cheng”).
Regarding claim 1, Baghdasarayan disclosed a method for providing an enhanced authentication process with risk-based decision making for accessing protected services, the method comprising: 
capturing attributes pertaining to a user and/or a user device; (See ¶0053: current parameters 406 are collected from the client device 400; See further in ¶0048, ¶0051)
determining a risk of data security based on the attributes pertaining to the user and/or the user device; (Para.0052-0053. Determining risk level based on current parameters and historical parameters. The parameters collected and evaluated to determine the risk level 407 may include the identity of each user and a variety of data related to the authenticators 420- 421 registered at the authentication server including, for example, the authentication attestation IDs (AAIDs) which uniquely identify the types of authentication device(s) registered; the Key IDs associated with the keys exchanged during authenticator registration (and stored in secure storage 425 on the client and the authentication server); cryptographic key data used for validating cryptographic signatures generated with the keys; a signature counter indicating the number of times signatures have been generated with the keys; and the authenticator version indicating the version of each of the authenticators. In addition, the parameters used to determine the risk level may include metadata associated with each of the authenticators such as the AAID (mentioned above), the authenticator vendor, the authenticator type (e.g., indicating if the authenticator is internal or external to the client), the authentication factor (e.g., fingerprint, voiceprint, presence, etc), and the key protection method (e.g., Trusted Execution Environment, Secure Elements, etc).))
when the risk is unacceptable, requiring additional authentication for access to the protected services; (Para. 0054: In general, the greater the risk level 407 (e.g., the greater the distance from parameters indicating "normal" behavior), the more rigorous the authentication. For example, in one embodiment, if the risk level is above a specified threshold (i.e. risk is unacceptable), then the authentication server 450 may require authentication using one or more explicit user authentication devices 420-421.) and
when the risk is acceptable, granting access to the protected services without requiring additional authentication, (Para.0054. In contrast, for a risk level below a specified threshold (i.e. the risk is acceptable), then non-intrusive authentication techniques 405 may be sufficient. See ¶0051, ¶0112: If the parameters are within the selected thresholds, then at 506 the interaction is considered to be a normal activity and less rigorous (or no) authentication may be used (e.g., non-intrusive authentication such as described above).)
Baghdasarayan did not but the analogous art Cheng disclosed wherein the capturing the attributes pertaining to the user and/or the user device comprises: performing an authorization call to an application requesting access to the protected services; gathering the attributes while accessing the application; and bundling the attributes and the request to access the protected services into an authentication request object. (Cheng, ¶0025: Users of clients 110, 112, and 114 may utilize clients 110, 112, and 114 to request and gain access to protected resource 116, which is protected by server 104 and/or server 106. ¶0027: Clients 110, 112, and 114 may utilize biometric measuring devices 118, 120, and 122 to capture and record biometric data (i.e. gathering attributes) corresponding to users of clients 110, 112, and 114. Clients 110, 112, and 114 may send the captured biometric data to server 104 or server 106 for user authentication prior to server 104 or server 106 allowing access to protected resource 116. ¶0028: In addition, clients 110, 112, and 114 include context information 124, 126, and 128, respectively. Context information 124, 126, and 128 may be, for example, unique device identifiers and geographic location data (i.e. attributes) regarding clients 110, 112, and 114. Clients 110, 112, and 114 may send context information 124, 126, and 128 to server 104 or server 106 for determining a context of an access request to protected resource 116 prior to allowing access to protected resource 116. ¶0029: Protected resource 116 represents a set of one or more different protected resources A protected resource may be, for example, a network, a document, a software application, or a hardware device in network data processing system 100 that has restricted access to only authorized users. ¶0048: the context information included in a particular access request may include an identification of the client device requesting access to a particular protected resource and a geographic location of the client device at the time of the access request.)
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Baghdasaryan by including the idea of capturing the attributes pertaining to the user and/or the user device comprises: performing an authorization call to an application requesting access to the protected services; gathering the attributes while accessing the application; and bundling the attributes and the request to access the protected services into an authentication request object as taught by Cheng in order to provide a controlled flexibility in resource access control by taking calculated risks, which are prohibited by the traditional access control policies (Cheng, ¶0006).
Claims 9 and 16 recite similar limitations to claim 1, mutatis mutandis, the subject matter of claims 9 and 16, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 2, The method of claim 1, further comprising: when the risk of data security is acceptable, refreshing access to protected services without requiring additional authentication (Para.0056. If the authentication is successful, then the current parameters may be added as historical parameters associated with successful authentications (thereby decreasing the “riskiness” associated with these parameters) as refreshing access to protected services).
Claims 11 and 17 recite similar limitations to claim 2, mutatis mutandis, the subject matter of claims 11 and 17, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 3, Baghdasaryan further taught the method of claim 1, further comprising: when the risk of data security is unacceptable, requiring the user to provide one or more of a password and biometric data (Para.0048, 0112. Password and biometric).
Claims 12 and 18 recite similar limitations to claim 3, mutatis mutandis, the subject matter of claims 12 and 18, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 7, Baghdasaryan further taught the method of claim 1, further comprising: storing the attributes pertaining to the user and/or user device at an authorization database configured to store unique attributes for a plurality of users and/or user devices (Para. 0034, 0048, 0051).
Claim 10 recites similar limitations to claim 7, mutatis mutandis, the subject matter of claim 7, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 8, Baghdasaryan further taught the method of claim 1, wherein the attributes pertaining to the user and/or user device comprise one or more of: a cryptographic key, geographic location, time of day, day of week, device hygiene, a user usage pattern, a swipe pattern for touch sensitive displays, malware detection, jailbreak/root detection, debugger mode detection, location reading, accelerometer readings, gyroscope readings, compass readings, user device navigation patterns, application tamper detection, a user device identifier, user device hardware details, user device certificate, user device software details, an International Mobile Station Equipment Identifier (IMEI), a Personal Identification Number (PIN), a password, user biometric data, a device token, a Service Set Identifier (SSID), network proxy detection, device power state, and Virtual Private Network (VPN) detection. (Baghdasaryan, Para. 0025).
Claims 4-6, 13-15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Baghdasaryan in view of Cheng and further in view of US 2014/0230020 to Mogaki et al. (“Mogaki”).
Regarding claim 4, Baghdasaryan -Cheng combination taught the method of claim 1, the combination did not but the analogous art Mogaki taught further comprising: providing an access token to the user device upon the granting access to the protected services ([0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time ([0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention combined of Baghdasaryan and Cheng by including the idea of providing an access token to the user device upon the granting access to the protected services, wherein the access token expires after a predetermined period of time as taught by Mogaki so that even when authentication information of a client and update authorization information have leaked, authentication information can be prevented from being illicitly re-issued (Mogaki, ¶0013).
Claim 13 recites similar limitations to claim 4, mutatis mutandis, the subject matter of claim 13, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 5, Baghdasaryan -Cheng-Mogaki combination further taught the method of claim 4, further comprising determining an updated risk of data security after a time expiration of the access token. (Mogaki, ([0122] If the access token is registered but it falls outside the valid period, the access management service system 104 returns an access token invalid message as a response. [0128] In step S1209, upon reception of the access token invalid message, the external service system 103 requests the access management service system 104 to execute refresh processing.))
Claim 14 recites similar limitations to claim 5, mutatis mutandis, the subject matter of claim 14, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 6, Baghdasaryan -Cheng-Mogaki combination further taught the method of claim 4, further comprising determining an updated risk of data security prior to a time expiration of the access token (Mogaki, Para.0122 determining the validity of token as an updated risk prior to expiry of the token’s valid period.).
Claim 15 recites similar limitations to claim 6, mutatis mutandis, the subject matter of claim 15, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 19, Baghdasaryan -Cheng-Mogaki combination further taught the non-transitory computer readable storage device of claim 16, further comprising computer executable instructions for: providing an access token to the user device upon the granting access to the protected services (Mogaki, [0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time (Mogaki, [0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084); and determining an updated risk of data security after a time expiration of the access token (Mogaki, ([0122] If the access token is registered but it falls outside the valid period, the access management service system 104 returns an access token invalid message as a response. [0128] In step S1209, upon reception of the access token invalid message, the external service system 103 requests the access management service system 104 to execute refresh processing.).
Regarding claim 20, Baghdasaryan -Cheng-Mogaki combination further taught the non-transitory computer readable storage device of claim 16, further comprising computer executable instructions for: providing an access token to the user device upon the granting access to the protected services ( Mogaki, [0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time (Mogaki, [0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084); and determining an updated risk of data security prior to a time expiration of the access token (Mogaki, Para.0122 determining the validity of token as an updated risk prior to expiry of the token’s valid period.).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
WO 00/26750 (Gupta el al.): The system will obtain 112 an access request from a user for information about a data object. The access request preferably contains: 1) the subject class and ID; 2) the instance class and ID; 3) the attribute or a list of attributes that are being accessed; and 4) the function to be performed.
US 2018/0067820 A1 (Dhuse et al.): The access request includes at least one of a user ID, authentication credentials associated with a user, a security indicator and a priority indicator.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAWNCHOY RAHMAN whose telephone number is (571)270-7471. The examiner can normally be reached Monday - Friday 8:30A-5P ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Shawnchoy Rahman/Primary Examiner, Art Unit 2438