DETAILED ACTION
	Claims 1-18 are presented on 07/18/2022 for examination on merits.  Claims 1 and 10 are independent base claims.  Claims 18-20 are cancelled by amendment on 07/18/2022.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Election/Restrictions
Election was made without traverse in the reply filed on 07/18/2022.  Applicant’s election without traverse of Group I (Claims 1-18) in the reply is acknowledged.

Claim Objections
Claims 1-2, 7, 10-11, and 16 are objected to because of the following informalities: 
Claim 1 recites a limitation of “the selected first subset of authentication techniques” in the transmitting step deficiently for formality reasons, because the limitation should be consistent with others of the same.  This limitation should be “the selected first subset of the plurality of authentication techniques.”
Claims 2 and 11 each recite the limitation of “the first subset” in the selecting step deficiently for formality reasons, because the limitation should be “the first subset of the plurality of authentication techniques” as defined in claims 1 and 10, respectively.
Claim 7 recites a limitation “responsive to a sum of the context scores of the plurality of authentication techniques having the indication of successful authentication and a context score the selected additional authentication technique exceeding the score threshold” deficiently, because the dangling clause “a context score the selected additional authentication technique exceeding the score threshold” is grammatically incorrect.  The Examiner suggests changing it to “a context score [of] the selected additional authentication technique exceeding the score threshold.”  It should be noted that the mirroring claim 16 is correct in this regard.
Claim 10 recites a limitation of “the selected first subset of authentication techniques” in the determining step deficiently for same reason as that of claim 1.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 2, 7, 11, and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 2 and 11 each recite a limitation of “the context score of the first authentication technique” lacking sufficient antecedent basis for this limitation in the respective claims. It should be noted that claims 1 and 10 each define “a score” in the selecting step but not “the context score of the first authentication technique.” 
It is also noted claims 8-9 and 17-18 each recite a limitation of “a context score of a first authentication technique” that may cause potential antecedent basis issues if the definition of the limitation is introduced in the independent claims 1 and 10 for resolve the above antecedent basis issue of claims 2 and 11.
Claims 2 and 11 each recite a limitation “select[ing] a second authentication technique to include in the first subset” unclearly because of the missing object after the word “include.” It is confusing and hard to determine what is to be included in the first subset.
Claims 7 and 16 each recite a limitation of “responsive to a sum of the context scores of the plurality of authentication techniques having the indication of successful authentication and a context score [of] the selected additional authentication technique exceeding the score threshold” deficiently, because the analysis of “a context score [of] the selected additional authentication technique” appears to take place before the additional authentication technique is selected.  It is unreasonable to analyze a score of an additional authentication technique before the additional authentication technique is selected.  Applicant is required to clarify this aspect of the claimed invention.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-6, 8-15, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Lester (US 11159505 B1) in view of Boodaei (US 20210168148 A1; hereinafter “Boo”).

As per claim 1, Lester teaches a method comprising: 
receiving, by a computing device, a request from the client device to access an item of content (Lester, col. 7, lines 27-28: a user may request to view an account (the activity).  Activities requested include: viewing an account, trading funds, purchasing insurance, submitting or processing a negotiable instrument; see col. 5, lines 50-53); 
selecting, by the computing device, responsive to receiving the request, a first subset of a plurality of authentication techniques associated with access to the item of content by the client device, the plurality of authentication techniques identifiable with a score (Lester, col. 5, lines 55-67: [responsive] to the user request for access, such as banking services and/or automobile insurance via the channels, sufficient verifying information [is] acquired.  For each activity request, the user is re-authenticated using the dynamic risk engine. The user may be re-authenticated to a certain level [with] a selected set of authentication techniques.  However, the system may lose trust in the user if the user behaves out of a normal pattern, thus requiring the user to provide additional authentication. Constant collection of passive or active authentication information … alters how much the system trusts that the user is who the user claims to be; col. 6, lines 35-37: Examples of active authentication information may include a password, PIN, code, and answer to a security question); 
determining, by the computing device, that a sum of the scores of the selected first subset of the plurality of authentication techniques exceeds a threshold (Lester, col. 7, lines 10-41: the identity trust score can be compared in a meaningful way … If the initial identifying information does not provide an identity trust score that meets or exceeds the activity trust threshold, the user may actively provide … additional identifying information to raise the identity trust score to meet or exceed the activity trust threshold, such as a correct username and password may provide an identity trust score of 65); 
providing, by the computing device responsive to successful authentication by the client device, access to the item of content to the client device (Lester, col. 7, lines 36-38: [at] an identity trust score of 65, the user will be permitted to view the account.).
However, Lester does not explicitly disclose a step of transmitting authentication requests utilizing the selected first subset of authentication techniques. This aspect of the claim is identified as a further difference.
In a related art, Boo teaches:
transmitting, by the computing device to the client device, responsive to the determination that the sum of the scores exceeds the threshold, one or more authentication requests utilizing the selected first subset of authentication techniques (Boo, par. 0009 and 0016-0023: Initiating a respective one of a plurality of authentication methods selected according to one or more of the contextual authentication attributes - a cumulative identity confidence score; see also par. 0025-0032). 
Lester and Boo are analogous art, because they are in a similar field of endeavor in improving user authentication.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Boo’s teaching to modify Lester’s system to include transmitting the authentication requests with the selected subset of authentication techniques as a response to the scores exceeding the threshold (which means that a cumulative identity confidence is high).  The rationale for this combination is to use known technique to improve similar system concerning a step-up user authentication such that the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with a context aware authentication method.

As per claim 2, the references as combined above teach the method of claim 1, wherein selecting the first subset of the plurality of authentication techniques further comprises: 
selecting a first authentication technique (Lester, col. 6, lines 15-16 and col. 7, lines 35-36: the first authentication technique is: username and password); 
determining that the context score of the first authentication technique is less than the score threshold (Lester, col. 7, lines 17-23: If the initial identifying information does not provide an identity trust score that meets or exceeds the activity trust threshold, the user may actively provide (e.g., a password)—or the system may acquire passively (e.g., a device fingerprint)—additional identifying information to raise the identity trust score; col. 7, lines 28-35: score 30 is less than threshold 50); and 
selecting a second authentication technique to include in the first subset, responsive to the determination that the context score of the first authentication technique is less than the score threshold (Lester, col. 7, lines 33-35: an identity trust score equal to 30. Thus, in this example, additional identifying information is necessary for the user to view the account).

As per claim 3, the references as combined above teach the method of claim 1, further comprising: 
receiving, from the client device, one or more responses to the one or more authentication requests comprising, for the plurality of authentication techniques, an indication of successful or unsuccessful authentication (Boo, par. 0087: aggregate confidence scores computed for the user using a plurality of authenticators; evaluate the overall confidence score); 
comparing, by the computing device, a sum of the context scores of the plurality of authentication techniques having an indication of successful authentication in the one or more responses to the score threshold (Boo, par. 0166: [comparing] to see if the cumulative identity score exceeds the threshold); and 
identifying, by the computing device, that the client device has successfully authenticated, responsive to the sum of the context scores of the plurality of authentication techniques having the indication of successful authentication exceeding the score threshold (Boo, par. 0166 and 0168-0169: In case the cumulative identity score exceeds the threshold, the process 100 branches to 122 of FIG. 1, which is a block showing successful authentication session). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 1.

As per claim 4, the references as combined above teach the method of claim 3, wherein the indication of successful authentication comprises a match between a received value and a stored value for at least one authentication technique (Lester, col. 20, lines 43-44: taking a device fingerprint and determining whether it matches with a device fingerprint in the user's profile).

As per claim 5, the references as combined above teach the method of claim 3, wherein at least one response comprises an indication of unsuccessful authentication, and wherein the sum of the plurality of authentication techniques having an indication of successful authentication in the one or more responses is less than the sum of the context scores of the selected first subset of the plurality of authentication techniques (Boo, par. 0136: in case of failures, the authentication manager 220 may ignore the failed authentication iteration and may branch to 120 in order to initiate another authentication iteration; see blocks 120 and 124 of FIG. 1 and par. 0166-0167). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 1.

As per claim 6, the references as combined above teach the method of claim 1, further comprising: 
receiving, from the client device, one or more responses to the one or more authentication requests comprising, for the plurality of authentication techniques, an indication of successful or unsuccessful authentication (Boo, par. 0168-0170: at 122, the authentication session was successful and the identity of the user 204 could be authenticated with a high level of confidence; at 124, the authentication session failed and the identity of the user 204 could not be authenticated with a sufficiently high level of confidence); 
comparing, by the computing device, a sum of the context scores of the plurality of authentication techniques having an indication of successful authentication in the one or more responses to the score threshold (Boo, par. 0168: Assuming the threshold predefined for the requested secure resource 206 is 150, the authentication manager 220 may determine that the adjusted cumulative identity confidence score (170) exceeds the predefined threshold (150) and may branch to 122); 
identifying, by the computing device, that the client device has not successfully authenticated, responsive to the sum of the context scores of each of the plurality of authentication techniques having the indication of successful authentication being less than the score threshold (Boo, par. 0168: the authentication manager 220 may determine that the adjusted cumulative identity confidence score (170) does not exceed the predefined threshold (200) and may initiate another iteration); and 
transmitting, by the computing device to the client device, an additional authentication request utilizing an additional authentication technique (Boo, par. 0009 and 0016-0023: Initiating a respective one of a plurality of authentication methods; a cumulative identity confidence score; see also par. 0025-0032). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 1.

As per claim 8, the references as combined above teach the method of claim 1, further comprising increasing a context score of a first authentication technique responsive to an historical rate of successful authentication with the client device using the first authentication technique exceeding a threshold (Boo, par. 0043-0044: one or more of the contextual authentication attributes relating to the user are derived from historical authentication information collected during one or more previous authentication sessions conducted for the user; par. 0064 and 0144: the authentication manager 220 may assign a relatively low risk score to the user 204 in case the user 204 and/or the associated client device 202 are identified in one of the typical geolocations during the current authentication session. For example, the user 204 accesses the secure resource at a certain geographical location, for example his office, his home and/or the like.). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 1.

As per claim 9, the references as combined above teach the method of claim 1, further comprising decreasing a context score of a first authentication technique responsive to an historical rate of successful authentication with the client device using the first authentication technique being less than a threshold (Boo, par. 0043-0044: one or more of the contextual authentication attributes relating to the user are derived from historical authentication information collected during one or more previous authentication sessions conducted for the user; par. 0064 and 0142-0143: the identity confidence score according to the contextual authentication attribute(s), such as user changing typical authenticator from biometrics to OTP or a change of typical window of time for access). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 1.

As per claim 10, Lester teaches a system comprising: 
a computing device comprising one or more processors and a network interface in communication with a client device (Lester, col. 28, lines 55-67: a remote computer; logical interactions within modern computer networks); 
wherein the one or more processors are configured to: 
receive a request from the client device to access an item of content (Lester, col. 7, lines 27-28: a user may request to view an account (the activity).  Activities requested include: viewing an account, trading funds, purchasing insurance, submitting or processing a negotiable instrument; see col. 5, lines 50-53), 
select, responsive to receiving the request, a first subset of a plurality of authentication techniques associated with access to the item of content by the client device, the plurality of authentication techniques identifiable with a score (Lester, col. 5, lines 55-67: [responsive] to the user request for access, such as banking services, [selecting/acquiring sufficient verifying information [for] user authentication.  For each activity request, the user is re-authenticated using the dynamic risk engine, the references as combined above teach the user may be re-authenticated to a certain level [with] a selected set of authentication techniques.  However, the system may lose trust in the user if the user behaves out of a normal pattern, thus requiring the user to provide additional authentication),
determine that a sum of the scores of the selected first subset of the plurality of authentication techniques exceeds a threshold (Lester, col. 7, lines 10-41: the identity trust score can be compared in a meaningful way … If the initial identifying information does not provide an identity trust score that meets or exceeds the activity trust threshold, the user may actively provide … additional identifying information to raise the identity trust score to meet or exceed the activity trust threshold, such as a correct username and password may provide an identity trust score of 65), and 
provide, responsive to successful authentication by the client device, access to the item of content to the client device (Lester, col. 7, lines 36-38: [at] an identity trust score of 65, the user will be permitted to view the account.).
However, Lester does not explicitly disclose a step of transmitting authentication requests utilizing the selected first subset of authentication techniques. This aspect of the claim is identified as a further difference.
In a related art, Boo teaches:
transmit, to the client device, responsive to the determination that the sum of the scores exceeds the threshold, one or more authentication requests utilizing the selected first subset of authentication techniques (Boo, par. 0009 and 0016-0023: Initiating a respective one of a plurality of authentication methods selected according to one or more of the contextual authentication attributes - a cumulative identity confidence score; see also par. 0025-0032). 
Lester and Boo are analogous art, because they are in a similar field of endeavor in improving user authentication.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Boo’s teaching to modify Lester’s system to include transmitting the authentication requests with the selected subset of authentication techniques as a response to the scores exceeding the threshold (which means that a cumulative identity confidence is high).  The rationale for this combination is to use known technique to improve similar system concerning a step-up user authentication such that the combination would have produced predictable results with reasonable expectation of success. For this combination, the motivation would have been to improve the level of security with a context aware authentication method. 

As per claim 11, the references as combined above teach the system of claim 10, wherein the one or more processors are further configured to: 
select a first authentication technique (Lester, col. 6, lines 15-16 and col. 7, lines 35-36: the first authentication technique is: username and password); 
determine that the context score of the first authentication technique is less than the score threshold (Lester, col. 7, lines 17-23: If the initial identifying information does not provide an identity trust score that meets or exceeds the activity trust threshold, the user may actively provide (e.g., a password)—or the system may acquire passively (e.g., a device fingerprint)—additional identifying information to raise the identity trust score; col. 7, lines 28-35: score 30 is less than threshold 50); and 
select a second authentication technique to include in the first subset, responsive to the determination that the context score of the first authentication technique is less than the score threshold (Lester, col. 7, lines 33-35: an identity trust score equal to 30. Thus, in this example, additional identifying information is necessary for the user to view the account).

As per claim 12, the references as combined above teach the system of claim 10, wherein the one or more processors are further configured to: 
receive, from the client device, one or more responses to the one or more authentication requests comprising, for the plurality of authentication techniques, an indication of successful or unsuccessful authentication (Boo, par. 0087: aggregate confidence scores computed for the user using a plurality of authenticators; evaluate the overall confidence score);  Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 10.
compare a sum of the context scores of the plurality of authentication techniques having an indication of successful authentication in the one or more responses to the score threshold (Boo, par. 0166: [comparing] to see if the cumulative identity score exceeds the threshold); and 
identify that the client device has successfully authenticated, responsive to the sum of the context scores of the plurality of authentication techniques having the indication of successful authentication exceeding the score threshold (Boo, par. 0166 and 0168-0169: In case the cumulative identity score exceeds the threshold, the process 100 branches to 122 of FIG. 1, which is a block showing successful authentication session). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 10.

As per claim 13, the references as combined above teach the system of claim 12, wherein the indication of successful authentication comprises a match between a received value and a stored value for at least one authentication technique (Lester, col. 20, lines 43-44: taking a device fingerprint and determining whether it matches with a device fingerprint in the user's profile).

As per claim 14, the references as combined above teach the system of claim 12, wherein at least one response comprises an indication of unsuccessful authentication, and wherein the sum of the plurality of authentication techniques having an indication of successful authentication in the one or more responses is less than the sum of the context scores of the selected first subset of the plurality of authentication techniques (Boo, par. 0136: in case of failures, the authentication manager 220 may ignore the failed authentication iteration and may branch to 120 in order to initiate another authentication iteration; see blocks 120 and 124 of FIG. 1 and par. 0166-0167). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 10.

As per claim 15, the references as combined above teach the system of claim 10, wherein the one or more processors are further configured to: 
receive, from the client device, one or more responses to the one or more authentication requests comprising, for the plurality of authentication techniques, an indication of successful or unsuccessful authentication (Boo, par. 0168-0170: at 122, the authentication session was successful and the identity of the user 204 could be authenticated with a high level of confidence; at 124, the authentication session failed and the identity of the user 204 could not be authenticated with a sufficiently high level of confidence); 
compare a sum of the context scores of the plurality of authentication techniques having an indication of successful authentication in the one or more responses to the score threshold (Boo, par. 0168: Assuming the threshold predefined for the requested secure resource 206 is 150, the authentication manager 220 may determine that the adjusted cumulative identity confidence score (170) exceeds the predefined threshold (150) and may branch to 122); 
identify that the client device has not successfully authenticated, responsive to the sum of the context scores of the plurality of authentication techniques having the indication of successful authentication being less than the score threshold (Boo, par. 0168: the authentication manager 220 may determine that the adjusted cumulative identity confidence score (170) does not exceed the predefined threshold (200) and may initiate another iteration); and 
transmit, to the client device, an additional authentication request utilizing an additional authentication technique (Boo, par. 0009 and 0016-0023: Initiating a respective one of a plurality of authentication methods; a cumulative identity confidence score; see also par. 0025-0032). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 10.

As per claim 17, the references as combined above teach the system of claim 10, wherein the one or more processors are further configured to increase a context score of a first authentication technique responsive to an historical rate of successful authentication with the client device using the first authentication technique exceeding a threshold (Boo, par. 0043-0044: one or more of the contextual authentication attributes relating to the user are derived from historical authentication information collected during one or more previous authentication sessions conducted for the user; par. 0064 and 0144: the authentication manager 220 may assign a relatively low risk score to the user 204 in case the user 204 and/or the associated client device 202 are identified in one of the typical geolocations during the current authentication session. For example, the user 204 accesses the secure resource at a certain geographical location, for example his office, his home and/or the like.). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 10.

As per claim 18, the references as combined above teach the system of claim 10, wherein the one or more processors are further configured to decrease a context score of a first authentication technique responsive to an historical rate of successful authentication with the client device using the first authentication technique being less than a threshold (Boo, par. 0043-0044: one or more of the contextual authentication attributes relating to the user are derived from historical authentication information collected during one or more previous authentication sessions conducted for the user; par. 0064 and 0142-0143: the identity confidence score according to the contextual authentication attribute(s), such as user changing typical authenticator from biometrics to OTP or a change of typical window of time for access). Boo is combined with Lester herein for the same obviousness reasons and/or rationale as indicated in claim 10.

Allowable Subject Matter
Claims 7 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The claims 7 and 16 each recite elements of “selecting the additional authentication technique, by the computing device, responsive to a sum of the context scores of the plurality of authentication techniques having the indication of successful authentication and a context score the selected additional authentication technique exceeding the score threshold”.  These elements and the associated features thereof, in combination with the other limitations in the base claims 1, 6, 10, and 15, respectively, are not anticipated by, nor made obvious over the prior art of record.  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        09/06/2022