DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Office Action Summary
Instant application was filed 9/20/2019 with priority to 3/24/2017.
Claims 1-20 are pending in the instant application.
Claims 1-20 are rejected under 35 USC § 103.
Applicant’s amendments/arguments filed 7/22/2022 have been considered but are not persuasive. (see rejection below as well as “Applicant’s Arguments and Examiner’s Response” section below)

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on [ 1 ] has been entered.
 
Applicant’s Arguments and Examiner’s Response
Applicant’s amendments/arguments filed 7/22/2022 have been considered but are not persuasive.  Applicant argues that the cited prior art does not teach “reauthenticating, at a later time, the user by generating a reauthentication token using the image location data and matching the reauthentication token to the first token.” However examiner disagrees as applicant stated in the remarks section “Martin, however, only teaches that these fields may be matched against similar fields in other tokens. For example, Martin teaches that a token may be trusted to enable a user authentication only if the location field of the token matches the location of the verifier device. (Id, paragraph [0044]). Here, Martin teaches that the location field in one token is matched to the location field in another token.”, by comparing the fields within the token examiner is equating that to comparing the tokens which reads on the emphasized claim limitation applicant is arguing. Also examiner would like to point that the limitation states “reauthenticating” without teaching authenticating earlier in the claim and therefore is interpreting reauthenticating as authenticating.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-9 and 11 rejected under 35 U.S.C. 103 as being unpatentable over Hagen et al. (US Pre-Grant Publication No: 2016/0162729 A1) (art furnished in IDS dated 9/20/2019) hereinafter referred to as Hagen in view of Gordon et al. (US Pre-Grant Publication No: 2016/0241402 A1) (art furnished in IDS dated 9/20/2019) hereinafter referred to as Gordon.

As per claims 1 and 11, Hagen teaches A method for creating a token, comprising: (Hagen, [0029], teaches a method for identity verification using biometric data, abstract; FIG. 1 illustrates an environment 100 within which the systems and methods for identity verification using biometric data can be implemented)
collecting images of identification documents from a user via a mobile device; (Hagen, [0029], teaches a user 118, whose identity needs verification, may send an image associated an ID document (ID image 110) to a system 300 for identity verification using biometric data via a network 106 (e.g., the Internet); [0037]teaches In some embodiments, the system 300 may give instructions 132 to the user 118 on capturing the ID image 110; [0038] teaches according to the instructions 132, the user 118 may take a photograph of his ID document; [0031] teaches The ID image 110 may include a picture or a scan of the ID document. Furthermore, a user video 112 including the face of the user 118 may be taken by a camera associated with the user 118. The camera may be associated with a client device 116)
collecting still or video images of the user via said mobile device; (Hagen, [0031] teaches a user video 112 including the face of the user 118 may be taken by a camera associated with the user 118. The camera may be associated with a client device 116 (for example, a smart phone, a notebook, a PC, and so forth). The user video 112 and the ID image 110 may be received by the system 300 for identity verification using biometric data. The user video 112 may be processed by the system 300 to extract one or more frames. Alternatively, the one or more frames can be extracted before the user video 112 is received by the system 300. The system 300 may determine whether the user video 112 shows a live person by analyzing the one or more frames of the user video 112)
searching one or more databases using search parameters generated from the identification documents and the images; (Hagen, [0024] and [0025], teach data present on the ID document (for example, name of the holder, issue date, and so forth) may be extracted from the ID image (for example, by optical character recognition) and provided to the requestor in a textual form, [0048] [searching database using search parameters based OCR, see applicant spec); [0055] teaches the authenticity of the ID document may be checked as shown in FIG. 6. For this purpose, the type of the ID document associated with an ID image 602 may be determined. For example, the ID document may be classified as a US driver's license. Accordingly, authenticity characteristics inherent to this type of document may be retrieved using a network from third party sources or from the database associated with the system 300 for identity verification using biometric data)
verifying said identification documents and said images based upon information collected from the one or more databases; (Hagen, [0055], teaches the authenticity of the ID document may be checked as shown in FIG. 6. For this purpose, the type of the ID document associated with an ID image 602 may be determined. For example, the ID document may be classified as a US driver's license. Accordingly, authenticity characteristics inherent to this type of document may be retrieved using a network from third party sources or from the database associated with the system 300 for identity verification using biometric data; [0044] teaches to confirm the authenticity of the claimed identity, the face in the video may be compared to the image associated with the ID document at operation 210. To perform this comparison, ... Based on the comparison, results of the identity verification may be generated and provided to a requester and/or user at operation 212; and [0045] teaches additionally, the image associated with the ID document may be analyzed for authenticity characteristics typically associated with ID documents. Such inherent authenticity characteristics of ID documents may be checked to confirm that the ID document is not forged)
reauthenticating, at a later time, the user by generating a reauthentication token using the image location data and matching the reauthentication token to the first token. (Martin, teaches that these fields may be matched against similar fields in other tokens. For example, Martin teaches that a token may be trusted to enable a user authentication only if the location field of the token matches the location of the verifier device. (Id, paragraph [0044]). Here, Martin teaches that the location field in one token is matched to the location field in another token.”, by comparing the fields within the token examiner is equating that to comparing the tokens which reads on the emphasized claim limitation, Also examiner would like to point that the limitation states “reauthenticating” without teaching authenticating earlier in the claim and therefore is interpreting reauthenticating as authenticating.)
However, Hagen does not explicitly teach the still or video images comprising image location data; wherein verifying the information comprises comparing the image location data of the still or video image with the current location of the mobile device; prompting the user to provide biometric data; and encrypting the biometric data with an identifier for the mobile device to create a token.
However, Gordon teaches the still or video images comprising image location data; wherein verifying the information comprises comparing the image location data of the still or video image with the current location of the mobile device; (Gordon is in the field of secure cryptogram for user authentication (abstract) and teaches figure 2 and [0053] and [0057], teach an image transmitted for authentication where image contains location information)
prompting the user to provide biometric data; and encrypting the biometric data with an identifier for the mobile device to create a token. (Gordon is in the field of secure cryptogram for user authentication (abstract) and teaches a method for creating a token (Upon receiving a positive identification and verification response from the user, the mobile device may generate a cryptogram using a user identification (ID) associated with the user, a timestamp, a device ID associated with the mobile device, a service provider application ID associated with the service provider application, and a service provider device ID., abstract); prompting the user to provide biometric data (The mobile device 100 may then prompt the user for biometric ID& V. The user may provide a fingerprint scan, iris scan, voice sample, or any other form of biometric or even nonbiometric data to authenticate with the system, [0053]); and encrypting the biometric data with an identifier for the mobile device to create a token (At block 240, the service provider application 150A on the mobile device 100 may send a request to the SE/TEE 170 to generate a cryptogram. The generated cryptogram can be created from at least the following information or any subset thereof: the user ID, timestamp of the positive ID&V, result of the ID&V, SE/TEE unique device ID (e.g., manufacturer ID), service provider application ID (could be one or multiple), and service provider device ID .. The algorithm may utilize DES, triple DES, AES.or any other suitable encryption algorithm, [0054]; the mobile device 100 may have received a valid ID&V response along with a timestamp of the biometric ID&V and a user ID. This step may occur at the time of the transaction, [0053] (cryptogram contains biometric data and mobile device ID]).
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention to modify Hagen with the teaching of Gordon for the purpose of creating a unique cryptogram to make it an extremely difficult for a fraudster to obtain these data elements from multiple sources in order to attempt to perform fraudulent transaction with the service provider computer or service, via the service provider application (Gordon, [0015]).

As per claim 2, Hagen in view of Gordon teaches The method of claim 1, wherein the identification documents are selected from one or more of still images, videos, printed text, electronic text, forms, papers, identification cards, passports, photographs, invoices, statements, and biometric data. (Hagen, [0055], teaches For example, the ID document may be classified as a US driver's license. Accordingly, authenticity characteristics inherent to this type of document may be retrieved using a network from third party sources or from the database associated with the system 300 for identity verification using biometric data)

As per claim 3, Hagen in view of Gordon teaches The method of claim 1, wherein the search parameters are generated using character recognition processing on said identification documents. (Hagen, [0048], teaches data present on the ID document (for example, name of the holder, issue date, and so forth) may be extracted from the ID image (for example, by optical character recognition) and provided to the requester in a textual form, (searching database using search parameters based OCR, see applicant spec: [0024], [0025]; [0055], teaches the authenticity of the ID document may be checked as shown in FIG. 6. For this purpose, the type of the ID document associated with an ID image 602 may be determined. For example, the ID document may be classified as a US driver's license. Accordingly, authenticity characteristics inherent to this type of document may be retrieved using a network from third party sources or from the database associated with the system 300 for identity verification using biometric data).

As per claim 4, Hagen in view of Gordon teaches The method of claim 1, wherein the search parameters are generated using facial recognition processing of images of the user. (The photograph may be analyzed to determine whether an image of a human face shown on the ID document can be extracted, [0003]; The extracted face may be displayed on a screen of the client device 116 as partially transparent. The face may be enclosed by a region border of a specific shape (for example, an ellipse), [0039]).

As per claim 5, Hagen in view of Gordon teaches The method of claim 1, wherein the databases comprise one or more of a government database, a commercial database, and a social media database. (the authenticity of the ID document may be checked as shown in FIG. 6. For this purpose, the type of the ID document associated with an ID image 602 may be determined. For example, the ID document may be classified as a US driver's license. Accordingly, authenticity characteristics inherent to this type of document may be retrieved using a network from third party sources or from the database associated with the system 300 for identity verification using biometric data, [0055]; Additionally, the system 300 may utilize data input associated with the user 118 in social networks and other online resources as additional factors for identity verification. For this purpose, the user 118 may provide social network data 114 related to accounts of the user 118 in social networks 120 or other on line resources, [0033], see fig. 1 )

As per claim 6, Hagen in view of Gordon teaches The method of claim 1, wherein the search parameters comprise one or more of a name, a date of birth, a driver's license number, a registration number, an address, an account number, and biometric parameters. (data present on the ID document (for example, name of the holder, issue date, and so forth) may be extracted from the ID image (for example, by optical character recognition) and provided to the requester in a textual form, [0018]), a registration number, an address, an account number, and biometric parameters.

As per claim 7, Hagen in view of Gordon teaches The method of claim 1, wherein the information collected from the one or more databases comprises financial record data, utility record data, social media data, and government record data. (Additionally, the system 300 may utilize data input associated with the user 118 in social networks and other online resources as additional factors for identity verification. For this purpose, the user 118 may provide social network data 114 related to accounts of the user 118 in social networks 120 or other online resources, [0033], see fig. 1), and government record data (The ID document may include a government issued ID, a student ID, an employment ID, a driver's license, a passport, a travel document, and so forth, [0041])

As per claim 8, Hagen in view of Gordon teaches The method of claim 1, wherein the biometric data comprises one or more of an iris pattern, facial features, fingerprint, heartbeat, and voice signals. (Hagen, [0039], teaches facial features as the photograph may be analyzed to determine whether an image of a human face shown on the ID document can be extracted, [0003]; The extracted face may be displayed on a screen of the client device 116 as partially transparent. The face may be enclosed by a region border of a specific shape (for example, an ellipse))

As per claim 9, Hagen Hagen in view of Gordon teaches The method of claim 1, wherein the identifier for the mobile device comprises one or more of an International Mobile Station Identity (IMSI), an International Mobile Equipment Identity (IMEI), a Mobile Station International Subscriber Directory Number (MSISDN), a unique mobile device identifier, and a network identifier. 
Gordon teaches wherein the identifier for the mobile device comprises a unique mobile device identifier (A "device ID" may refer to any data that may identify the particular mobile device. The device ID may be assigned to the device by the manufacturer of the device at the time of manufacturing. The device ID may be hardcoded onto a chip residing within the mobile device. In some embodiments, the device ID may be coded in software. The device ID may be unique to the mobile device. For example, the device ID may be an ID associated with a secure element or trusted execution environment chip, [0036]). 
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention to modify Hagen with the teaching of Gordon for the purpose of creating a unique cryptogram to make it an extremely difficult for a fraudster to obtain these data elements from multiple sources in order to attempt to perform fraudulent transaction with the service provider computer or service, via the service provider application (Gordon, [0015]).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Hagen in view of Gordon and further in view of Martin et al. (US Pre-Grant Publication No: 2016/0306955 A1) (art furnished in IDS dated 9/20/2019) hereinafter referred to as Martin.

As per claim 10, Hagen in view of Gordon teaches The method of claim 1, 
But does not teach further comprising: apply a value to each verified identification document, wherein the value corresponds to a level of confidence that the identification document has confirmed the identity of the user; combining the values to create a confidence score; and associating the confidence score with said token.
Although, Hagen teaches applying a value for matching and verifying the identification document and the facial image and has confirmed the identity of the user (Parameters of the user face 502 in the frame 510 may be determined and compared to the measurements of a face 506 shown in the ID image 520. For example, the following parameters may be compared: distance between eyes, nose, mouth, jaw edges, and so forth. Based on the comparison, a similarity score representing the faces 502 and 506 matching may be calculated. According to the score, the faces 502 and 506 may be considered matching or non-matching. For example, a match can may be determined if the score exceeds a predefined value (for example, 80%), [0053]).
Further, Martin teaches a confidence value and associating the confidence value with a token (an on-person authentication factor, among other examples. An authentication confidence field 31 O may store an indicator describing a given level of multiple levels of authentication confidence, [0038]; rather than a particular geographic location (as determined, e.g., via a GPS sensor) the location field may indicate a trust level associated with the location at which the token was generated. In Such instances, a higher level of confidence may be associated with a known, private location (such as a home or office), while a lower level of confidence may be associated with an unknown, public location Such as an airport, shopping mall or so forth, [0040]; one or more of these fields may be used in determining whether to authenticate a user (and/or perform a re-authentication) based on values within the fields of one or more tokens and a particular security policy, [0042]).
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention to modify Hagen with the teaching of Martin for the purpose of determining whether to authenticate a used based on a particular security policy and level of authentication confidence (Martin, [0042]).

Claims 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Martin in view of Gordon.

As per claims 12 and 20, Martin teaches A method for reauthenticating a user, comprising: (Still with reference to FIG. 2, next it is determined whether a user authentication request is received (diamond 240). If so, control passes to block 250. Note that this user authentication request may be responsive to the user seeking to later access the same computing device or another device associated with the user, or responsive to a re-authentication time period elapsing, [0033], abstract)
(this issuer field may provide an identity of device type (e.g., wearable, computer, or a cloud source). As an example, the issuer field may indicate whether the token was created by a wearable device or by an identity service itself and placed on the wearable device for later use. For example, a personal computer (PC) could use facial recognition to authenticate the user, generate a face recognition token [biometric data on a mobile device), and place it into a wearable device for later use by the PC to authenticate the user again without re-verifying the face, [0037]);

encrypting the biometric data with the mobile device identifier to create a reauthentication token; (generate a face recognition token [biometric data on a mobile device), and place it into a wearable device for later use by the PC to authenticate the user again without re-verifying the face, [0037]; the tokens may be encrypted or otherwise protected in another manner Such that the storage and accessing can occur outside of a trusted execution environment, [0032]; user puts on or otherwise adapts the wearable device. Next, control passes to block 220 where a second token is generated including a second timestamp. This second token 91meratlon may be responsive to a user authentication to a computing device, e.g., separate from the wearable device. This second timestamp may be associated with a time at which the user authentication occurs. For example, assume that the computing device is a Smartphone, tablet computer, laptop computer, desktop computer or other computing platform that the user seeks to access. For purposes of discussion, assume that this second device is the user's work computer. Note that this token may be associated with a particular factor of authentication, [0031]; whether a user authentication request is received (diamond 240). If so, control passes to block 250. Note that this user authentication request may be responsive to the user seeking to later access the same computing device or another device associated with the user, or responsive to a re-authentication time period elapsing, [0033] (token for re-authentication]);
sending the reauthentication token to a vetting process; and (Responsive to this request, which may be received by the wearable device at block 250, the first and second tokens can be communicated to an authenticator or verifier [vetting]. In the case where this user authentication request is for the user to access the computing device described above, the authenticator may be the computing device itself, [0033])
receiving an indication from said vetting process whether or not the user is reauthenticated, (However for purposes of illustration in FIG. 2, if it is determined that the first timestamp is not older than the second timestamp, control passes to block 280 where an authentication failure may be reported. As such, the user may be prevented from access to the computing device or at least be prevented from access to secure information, Such as preventing the user from entering into a secure session with the computing device. Otherwise if it is determined that the first timestamp is older than the second timestamp, control passes to block 270 where the user is authenticated and thus may access protected portions, [0035]; determining whether to authenticate a user (and/or perform a re-authentication) based on values within the fields of one or more tokens and a particular security policy, [0042])
wherein the user is reauthenticated if the reauthentication token matches a stored token. (where an issuer is also the authenticator (Such in the context of a computer that generates an initial authentication token and later seeks to re-authenticate the user), the token may be keyed to a private key of the system, [0045]; The user wearing the wearable device may then automatically be authenticated into the other protected devices, including computing platforms of all types and services, that detect the token on the wearable device within a threshold proximity, compare it to each copy in the list of token copies transmitted by primary protected device(s), and find a match that verifies the tokens validity, [0028]).
Martin fails to explicitly disclose obtaining an identifier for the mobile device; encrypting the biometric data with the mobile device identifier to create a token.
However, Martin teaches a token including a field for identity for device type (this issuer field may provide an identity of device type (e.g., wearable, computer, or a cloud source). As an example, the issuer field may indicate whether the token was created by a wearable device or by an identity service itself and placed on the wearable device for later use. For example, a personal computer (PC) could use facial recognition to authenticate the user, generate a face recognition token, and place it into a wearable device for later use by the PC to authenticate the user again without re-verifying the face, [0037])
Gordon is in the field of  secure cryptogram for user authentication (abstract) and teaches prompting the user to provide biometric data on a mobile device (The mobile device 100 may then prompt the user for biometric ID& V. The user may provide a fingerprint scan, iris scan, voice sample, or any other form of biometric or even nonbiometric data to authenticate with the system, [0053]) and encrypting the biometric data with the mobile device identifier to create a token (At block 240, the service provider application 150A on the mobile device 100 may send a request to the SE/TEE 170 to generate a cryptogram. The generated cryptogram can be created from at least the following information or any subset thereof: the user ID, timestamp of the positive ID&V, result of the ID&V, SE/TEE unique device ID
(eg., manufacturer ID). Service provider application ID (could be one of multiple), and service provider device ID. The algorithm may utilize DES, triple DES, AES or any other suitable encryption algorithm, [0054]; the mobile device 100 may have received a valid ID&V response along with a timestamp of the biometric ID&V and a user ID. This step may occur at the time of the transaction [0053] (cryptogram contains biometric data and mobile device ID]).
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention to modify Martin with the teaching of Gordon for the purpose of creating a unique cryptogram to make it an extremely difficult for a fraudster to obtain these data elements from multiple sources in order to attempt to perform fraudulent transaction with the service provider computer or service, via the service provider application (Gordon, [0015]).

As per claim 13, Martin in view of Gordon teaches The method of claim 12, further comprising: sending current user data to the vetting process with the reauthentication token; and receiving a positive reauthentication indication from the vetting process only if the current user data matches an expected value or range of values. (Martin, a location field 31 may store a location indicator that describes or represents a location where an original authentication represented by the token occurred. Different levels of granularity of such location can be used. In some examples, rather than a particular geographic location (as determined, e.g., via a GPS sensor) the location field may indicate a trust level associated with the location at which the token was generated, [0040]; a timestamp field 310 may store a value describing or representing a time stamp when the token was created by the issuer, [0039]; information of a location field may be considered by some security policies. As one Such example, a token may be trusted to enable a user authentication only if the location field of the token matches the location of the verifier device. Another example of a location-based security policy enforcement may be to prevent user authentication when a token was generated in an unknown location Such as a public environment or so forth, [0042]; re-authentication, [0044]).

As per claim 14, Martin in view of Gordon teaches The method of claim 13, wherein the current user data is a current mobile device location, a time that the biometric data was captured by the mobile device, or a location where the biometric data was captured. (Martin, a location field 310 may store a location indicator that describes or represents a location where an original authentication represented by the token occurred. Different levels of granularity of such location can be used. In some examples, rather than a particular geographic location (as determined, e.g., via a GPS sensor) the location field may indicate a trust level associated with the location at which the token was generated, [0040]; a timestamp field 310 may store a value describing or representing a time stamp when the token was created by the issuer, [0039]; information of a location field may be considered by some security policies. As one Such example, a token may be trusted to enFible a user authentication only if the location field of the token matches the location of the verifier device. Another example of a location-based security policy enforcement may be to prevent user authentication when a token was generated in an unknown location Such as a public environment or so forth, [0042]; re-authentication, [0044])

As per claim 15, Martin in view of Gordon teaches The method of claim 12, wherein the biometric data comprises one or more of an iris pattern, facial features, fingerprint, heartbeat, and voice signals. (Martin, teaches facial features as his issuer field may provide an identity of device type (e.g., wearable, computer, or a cloud source). As an example, the issuer field may indicate whether the token was created by a wearable device or by an identity service itself and placed on the wearable device for later use. For example, a personal computer (PC) could use facial recognition to authenticate the user, generate a face recognition token [biometric data on a mobile device), and place it into a wearable device for later use by the PC to authenticate the user again without re-verifying the face, [0037])

As per claim 16, Martin in view of Gordon teaches The method of claim 12, wherein the identifier for the mobile device comprises one or more of an International Mobile Station Identity (IMSI), an International Mobile Equipment Identity (IMEI), a Mobile Station International Subscriber Directory Number (MSISDN), a unique mobile device identifier, and a network identifier. (Gordon, (A "device ID" may refer to any data that may identify the particular mobile device. The device ID may be assigned to the device by the manufacturer of the device at the time of manufacturing. The device ID may be hardcoded onto a chip residing within the mobile device. In some embodiments, the device ID may be coded in software. The device ID may be unique to the mobile device. For example, the device ID may be an ID associated with a secure element or trusted execution environment chip, [0036]).
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention to modify Martin with the teaching of Gordon for the purpose of creating a unique cryptogram to make it an extremely difficult for a fraudster to obtain these data elements from multiple sources in order to attempt to perform fraudulent transaction with the service provider computer or service, via the service provider application (Gordon, [0015]). 

As per claim 17, Martin in view of Gordon teaches The method of claim 12, further comprising: allowing the user to perform a task only if a positive reauthentication indication is received from the vetting process. (Martin, (However for purposes of illustration in FIG. 2, if it is determined that the first timestamp is not older than the second timestamp, control passes to block 280 where an authentication failure may be reported. As such, the user may be prevented from access to the computing device or at least be prevented from access to secure information, Such as preventing the user from entering into a secure session with the computing device [content access is the task). Otherwise if it is determined that the first timestamp is older than the second timestamp, control passes to block 270 where the user is authenticated and thus may access protected portions [access content is allowing user to perform a task), [0035]; determining whether to authenticate a user (and/or perform a re-authentication) based on values within the fields of one or more tokens and a particular security policy, [0042])

As per claim 18, Martin in view of Gordon teaches The method of claim 17, wherein the task is selected from one or more of a financial transaction, a website login, an acknowledgement, access to a location or event, and access to content. (Martin, (However for purposes of illustration in FIG. 2, if it is determined that the first timestamp is not older than the second timestamp, control passes to block 280 where an authentication failure may be reported. As such, the user may be prevented from access to the computing device or at least be prevented from access to secure information, Such as preventing the user from entering into a secure session with the computing device [content access is the task). Otherwise if it is determined that the first timestamp is older than the second timestamp, control passes to block 270 user is authenticated and thus may access protected portions [access content is allowing user to perform a task], [0035]; determining whether to authenticate a user (and/or perform a re-authentication) based on values within the fields of one or more tokens and a particular security policy, [0042])

As per claim 19, Martin in view of Gordon teaches The method of claim 12, further comprising: allowing the user to perform a task only if a reauthentication indication is received from the vetting process with a confidence score exceeding a prescribed threshold. (Martin, (an on-person authentication factor, among other examples. An authentication confidence field 31 may store an indicator describing a given level of multiple levels of authentication confidence, [0038]; rather than a particular geographic location (as determined, e.g., via a GPS sensor) the location field may indicate a trust level associated with the location at which the token was generated. In Such instances, a higher level of confidence may be associated with a known, private location (such as a home or office), while a lower level of confidence may be associated with an unknown. public location Such as an airport, shopping mall or so forth, [0040]; one or more of these fields may be used in determining whether to authenticate a user (and/or perform a re-authentication) based on values within the fields of one or more tokens and a particular security policy, [0042])

Other Art Of Record
Delbane (2020/0294410) teaches “Further, one or more steps of the method disclosed herein may be initiated, maintained, controlled and/or terminated based on a control input received from one or more devices operated by one or more users such as, for example, but not limited to, an end user, an admin, a service provider, a service consumer, an agent, a broker and a representative thereof. Further, the user as defined herein may refer to a human, an animal or an artificially intelligent being in any state of existence, unless stated otherwise, elsewhere in the present disclosure. Further, in some embodiments, the one or more users may be required to successfully perform authentication in order for the control input to be effective. In general, a user of the one or more users may perform authentication based on the possession of a secret human readable secret data (e.g. username, password, passphrase, PIN, secret question, secret answer etc.) and/or possession of a machine readable secret data (e.g. encryption key, decryption key, bar codes, etc.) and/or or possession of one or more embodied characteristics unique to the user (e.g. biometric variables such as, but not limited to, fingerprint, palm-print, voice characteristics, behavioral characteristics, facial features, iris pattern, heart rate variability, evoked potentials, brain waves, and so on) and/or possession of a unique device (e.g. a device with a unique physical and/or chemical and/or biological characteristic, a hardware device with a unique serial number, a network device with a unique IP/MAC address, a telephone with a unique phone number, a smartcard with an authentication token stored thereupon, etc.). Accordingly, the one or more steps of the method may include communicating (e.g. transmitting and/or receiving) with one or more sensor devices and/or one or more actuators in order to perform authentication. For example, the one or more steps may include receiving, using the communication device, the secret human readable data from an input device such as, for example, a keyboard, a keypad, a touch-screen, a microphone, a camera and so on. Likewise, the one or more steps may include receiving, using the communication device, the one or more embodied characteristics from one or more biometric sensors.”.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906.  The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SIMON P KANAAN/Primary Examiner, Art Unit 2492