Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
This communication is in response to the application filed on 10/29/2019 in which Claims 1-18 are presented for examination.
Drawings
The applicant’s drawings submitted on 10/29/2019 are acceptable for examination purposes. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Oberheide U.S. PG-pub. 20140245396 A1, in view Pattar U.S. PG-pub. 20190334921 A1.
As to claim 1, Oberheide teaches a method for implementing an application programming interface for multi- factor authentication service, the method comprising (Oberheide Pa. [0019]) [The two-factor authentication (TFA) service 110 of the preferred embodiment functions to provide remote coordination, management, and operation of additional factors of security for a device application on behalf of a requesting service provider.]: at a subscriber entity: receiving, from a requestor, an access request to one or more services or to one or more resources of the subscriber entity, wherein the subscriber entity relates to an entity having a subscriber account with a remote security service, wherein the subscriber account subscribes the subscriber entity to one or more security services of the remote security service (Oberheide Pa. [0028]) [As shown in FIGS. 6, 7 and 8, a method of a preferred embodiment preferably includes processing an enrollment request for a device application on behalf of a service provider S100 and executing a two-factor authentication request for an enrolled device application on behalf of the service provider S200. More specifically, the method of a preferred embodiment preferably includes receiving an enrollment request of an account Silo]; transmitting a user validation request via a validation application programming interface (API) of the remote security service based on the access request (Oberheide Pa. [0028]) [transmitting an activation code S120, pairing a device with the account through the activation code S130, …([0037 – (The requesting entity preferably initially authenticates the account or alternatively provides authentication credentials in the parameters of the enrollment request so that the enrollment request can be validated. The enrollment request is preferably an API call to an enrollment resource (e.g., "/enroll"). The enrollment request can include parameters such as a username of the account associated with user device, platform of the user device, the role of the user device (e.g., default TFA device, backup TFA device, authorization device, etc.), mode of TFA (e.g., passcode or pushing a login request), expiration as a TFA device application, or any suitable parameter to associate with a device application)]; at the validation API of the remote security service: identifying: (i) the subscriber account of the subscriber entity (Oberheide Pa. [0043]) [The TFA service preferably maintains a database associating account identifiers with the multi-authentication information. In one variation, the multi- authentication information is the device application communication addressing/communication information, which can be used to transmit authentication request information to the appropriate user device] [0031] [Different accounts of the same service provide] and (ii) an enrolled user device of a user enrolled with the subscriber account based on the user validation request (Oberheide Pa. [0038]) [The TFA service preferably generates a unique activation code and a device identifier (ID). The device ID is preferably generated for the account and associated with the unique activation code. Once the device is activated through the activation code, the TFA service can use the device ID to know which device should be used in performing TFA. In one preferred embodiment, the TFA service may only store a record of the device ID and necessary information to communicate with the related device. The TFA preferably transmits the activation code and the device ID]
It is noted that Oberheide does not appear explicitly disclose identifying an authentication scheme from a plurality of distinct authentication schemes based on the user validation request; transmitting to the enrolled user device an authentication request based on the authentication scheme; Page 25 of 33DUOS-P36-UScollecting from the enrolled user device a response to the authentication request and presenting a validation response to the authentication request to the subscriber entity based on the response; and granting or denying the access request of the requestor based on the validation response from the validation API of the remote security service.  
However, Pattar discloses identifying an authentication scheme from a plurality of distinct authentication schemes based on the user validation request (Pattar Pa. [0066]) [Access management system 140 can perform inline enrollment of a user in an access session based on multi-level and multi-factor authentication challenge methods or schemes]; transmitting to the enrolled user device an authentication request based on the authentication scheme (Pattar Pa. [0066]) [The multi-level and multi-factor authentication challenge method or scheme may dictate a required level of authentication for a requested resource];  Page 25 of 33DUOS-P36-UScollecting from the enrolled user device a response to the authentication request and presenting a validation response to the authentication request to the subscriber entity based on the response (Pattar Pa. [0013-0014]) [a response message to the user that indicates the authentication was successful based at least on authenticating the user for the first level and the second level, wherein the response message includes a success URL to redirect the user to access the resource… identifying, by the access management system, an authentication policy associated with the resource, where the authentication policy includes a multi-level and multi-factor challenge method to be used to authenticate a user for access to the resource; determining, by the access management system, a first level of the multi-level and multi-factor challenge method for authentication is completed, which generated an access session for the user]; and granting or denying the access request of the requestor based on the validation response from the validation API of the remote security service (Pattar Pa. [0050]) [provide many access management services including management of access (e.g., granting/denying access) to resources, automatic sign-on, application password change and reset, SSO management, session management, application credential provisioning, as well as authentication of a session].  
Thus, before the effective filing date, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by Pattar to the verification system of Oberheide would have yield predictable results and resulted in an improved system, namely, a system that would provide techniques for inline enrollment of multi-level and multi-factor authentication of a user on a restricted website, or on an enterprise network with single sign-on, or on various other service systems with security restrictions (Pattar Pa. [0002])
As to claim 2, the combination of Oberheide and Pattar teaches wherein transmitting the user validation request includes selecting by the subscriber entity the authentication scheme via the validation API, wherein the authentication scheme indicates one distinct authentication method selected from a plurality of distinct authentication methods for authenticating the requestor (Oberheide Pa. [0031]) [The authentication mode can be selected from a set of options that can include notification mode, passcode mode, SMS mode, and/or any other suitable mode of an additional factor of authentication. If a mode is not specified or selected, a default mode may be selected, or alternatively a mode can be automatically selected according to the account]

As to claim 3, the combination of Oberheide and Pattar teaches wherein: the enrolled user device of the user includes a security application of the remote security service installed locally on the enrolled user device of the user (Oberheide Pa. [0045]) [pre-configured user interface elements may be accessed through the TFA SDK. In an alternative mode, the TFA SDK tools are installed as a background service], and the authentication scheme includes pushing the authentication request, via the API, to the security application of the enrolled user device of the user (Oberheide Pa. [0018]) [web application can use the system so that a push notification or code is generated in a branded native application on a device. The push notification or codes are subsequently used to verify that the user has access to an enrolled device application. In another preferred embodiment, a web application can use the system so that a push notification or code is generated in a co-branded native application, wherein the co-branded native application may be shared for multi-factor authentication of multiple applications or services as shown in FIG. 2.]

As to claim 4, the combination of Oberheide and Pattar teaches wherein Page 26 of 33DUOS-P36-US the authentication scheme includes transmitting from the API the authentication request in a short message service message to the enrolled user device of the user (Oberheide Pa. [0031]) [authentication mode can be selected from a set of options that can include notification mode, passcode mode, SMS mode, and/or any other suitable mode of an additional factor of authentication]

As to claim 5, the combination of Oberheide and Pattar teaches wherein the authentication scheme includes (a) generating a one-time password (OTP) by the API and transmitting from the API the authentication request comprising the OTP to the enrolled user device of the user (Pattar Pa. [0073]) [the handlers may include a Short Message Service (SMS) handler 230, which may be used for gathering and validating single-sing on authentication credentials, a Time-based One-Time Password (TOTP) handler 235, which may be used for gathering and validating one time password credentials, push notification handler 240, which may be used for gathering and validating push notification credentials, a biometric handler 245, which may be used for gathering and validating biometric credentials such as fingerprints or voice recognition, username and password handler 250, which may be used for gathering and validating username and password credentials, and a SSO or federated handler 255, which may be used for gathering and validating SSO or federated credentials such as a certificate.]
Thus, before the effective filing date, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by Pattar to the verification system of Oberheide would have yield predictable results and resulted in an improved system, namely, a system that would provide techniques for inline enrollment of multi-level and multi-factor authentication of a user on a restricted website, or on an enterprise network with single sign-on, or on various other service systems with security restrictions (Pattar Pa. [0002])

As to claim 6, the combination of Oberheide and Pattar teaches wherein the authentication scheme includes (a) generating a universal second factor (U2F) token by the API and transmitting from the API the authentication request comprising the U2F token to the enrolled user device of the user (Oberheide Pa. [0040]) [registering the application for push notifications, subscriptions, or other messaging systems; configuring a passcode generation service; collecting any information such as a pin code, passcode generation tokens, biometric readings, or other information; and/or performing any suitable processes for the application to be used as an additional factor of security]

As to claim 7, the combination of Oberheide and Pattar teaches the validation API, wherein transmitting the user validation request via the validation API is based on the selection of the requestor (Oberheide Pa. [0041]) [delivering the authentication request to the application S230; validating an application response S240; and transmitting an assessment S250]

As to claim 8, the combination of Oberheide and Pattar teaches wherein: the authentication service maintains a list of users having one or more enrolled user devices with the subscriber account, and the list of users is exposed via the validation API based on an initiation of the user validation request by the subscriber entity (Pattar Pa. [0063]) [an interface can include a list of the applications user 102 commonly utilizes. User 102 can manage their credentials and policies associated with applications through the interface. When user 102 requests to access an application, e.g., application 108, through the interface, a request may be sent from device 104 to access management system 140 to determine a policy type for the application from one or more policies applicable to user 102. Access management system 140 may determine whether a valid session exists for the user and if so, then it can determine user's 102 credential information based on the policy type.]
 Thus, before the effective filing date, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by Pattar to the verification system of Oberheide would have yield predictable results and resulted in an improved system, namely, a system that would provide techniques for inline enrollment of multi-level and multi-factor authentication of a user on a restricted website, or on an enterprise network with single sign-on, or on various other service systems with security restrictions (Pattar Pa. [0002])
As to claim 9, the combination of Oberheide and Pattar teaches wherein: the authentication service maintains a list of users having one or more enrolled user devices with the subscriber account, and the list of users is exposed via the validation application programming interface based on the searching the requestor via the validation API (Pattar Pa. [0088]) [Each policy identifies the specific resources covered by the policy, which may be defined on the resources tab of the policy and in the resources container for the application domain. The identification may include the policy evaluator searching the policies and application domains for the policy that covers the resource being requested. Once the authentication policy is identified, the policy evaluator returns the authentication policy to the controller for processing in accordance with the rules and authentication scheme. In various embodiments, the identified the authentication policy includes a multi-level and multi-factor challenge method to be used to authenticate a user for access to the resource]
Thus, before the effective filing date, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by Pattar to the verification system of Oberheide would have yield predictable results and resulted in an improved system, namely, a system that would provide techniques for inline enrollment of multi-level and multi-factor authentication of a user on a restricted website, or on an enterprise network with single sign-on, or on various other service systems with security restrictions (Pattar Pa. [0002])

As to claim 10, the combination of Oberheide and Pattar teaches wherein presenting the validation response to the authentication request to the subscribing entity includes presenting the validation response via the validation API, Page 28 of 33DUOS-P36-US the validation response indicating a successful authentication or an unsuccessful authentication of the user (Oberheide Pa. [0048]) [transmitting an assessment, functions to transfer the result of the second factor of authentication to the service provider. If the user confirmed the authentication request in the device application, the TFA service preferably communicates a successful completion of the second factor of authentication. If the user denied or canceled the authentication request, the TFA service preferably]

As to claim 11, the combination of Oberheide and Pattar teaches wherein the requestor relates to an internal requestor that includes an agent of the subscriber entity (Pattar Pa. [0048]) [a single sign-on (SSO) gateway may implement one or more access agents, such as agent 106 (e.g., web gate agent), to balance and/or handle requests from clients and access management system 140. Device 104 may send/receive one or more communications 134 to/from agent 106 to facilitate access by device 104 to one or more resources. Access management system 140 may send/receive one or more communications 136 to/from agent 106 to facilitate access by device 104 to one or more resources]
Thus, before the effective filing date, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by Pattar to the verification system of Oberheide would have yield predictable results and resulted in an improved system, namely, a system that would provide techniques for inline enrollment of multi-level and multi-factor authentication of a user on a restricted website, or on an enterprise network with single sign-on, or on various other service systems with security restrictions (Pattar Pa. [0002])

As to claim 12, the combination of Oberheide and Pattar teaches wherein the requestor relates to an external requestor that includes a non-agent of the subscriber entity, and the external requestor enrolls a user device to the subscriber account at the remote security service based on scanning with the user device a computer-readable code that automatically enrolls the user device that scans the computer-readable code to the subscriber account (Oberheide Pa. [0035]) [As shown in FIG. 7, processing an enrollment request for a device application on behalf of a service provider S100 of a preferred embodiment can include receiving an enrollment request of an account S110; transmitting an activation code S120; and pairing a device with the account through the activation code S130. The method of processing an enrollment request functions to create an association, link, or mapping between an account and at least one device. Preferably, a mobile application is enrolled as the second factor of authentication, but any suitable device or application instance may be enrolled. Additionally, a plurality of devices may be enrolled and associated with an account. Additional device pairings may be used as backup devices or for alternative roles (e.g., device of account user for authentication and device of an administrator for authorization)]

As to claim 13, the combination of Oberheide and Pattar teaches further comprising: at the subscriber entity: implementing a web-based interface that exposes the validation API of the remote security service (Oberheide Pa. [0048]) [The web application will preferably use the assessment in enforcing the user request occurring within the web application. For example, if the user was attempting to login to the web application, the transmitted assessment is used in allowing or denying the login request. The service provider may use the TFA response for any suitable alternative purpose.]

As to claim 14, the combination of Oberheide and Pattar teaches wherein the remote security service is implemented by a distributed network of computers including the validation API (Oberheide Pa. [0020]) [The authentication application programming interface (API) 120 of the preferred embodiment functions to provide a programmatic interface for outside applications. The authentication API 120 is preferably used by at least the service provider that is using the system to create a TFA implementation. The authentication API 120 accepts API calls/requests from various services]
As to claim 14, the combination of Oberheide and Pattar teaches wherein the validation response comprises an indication computed by the remote security service indicating that a validation of the requestor is successful based on the response to the authentication request (Oberheide Pa. [0048]) [transmitting an assessment, functions to transfer the result of the second factor of authentication to the service provider. If the user confirmed the authentication request in the device application, the TFA service preferably communicates a successful completion of the second factor of authentication. If the user denied or canceled the authentication request, the TFA service preferably]

As to claim 16, the combination of Oberheide and Pattar teaches wherein the validation response comprises an indication computed by the remote security service indicating that a validation of the requestor is unsuccessful based on the response to the authentication request (Oberheide Pa. [0048]) [transmitting an assessment, functions to transfer the result of the second factor of authentication to the service provider. If the user confirmed the authentication request in the device    the second factor of authentication. If the user denied or canceled the authentication request, the TFA service preferably]

As to claims 17-18, claims 17-18 recite the claimed that contain respectively similar limitations as claims 1, 7; therefore, they are rejected under the same rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday -Thursday 7:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B. Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/EVANS DESROSIERS/Primary Examiner, Art Unit 2491