Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Claims 1 – 20 are cancelled. Claims 21 – 40 dated 05/24/2021 are presently pending in the application and have been examined below, of which claims 21, 30, and 35 are presented in independent form.

Information Disclosure Statement
The information disclosure statement (IDS) dated 08/30/2021 has been received and considered.

Drawings
	The drawings were received on 08/30/2021. These drawings are accepted.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 21 – 40 are rejected under 35 U.S.C. 103 as being unpatentable over Beigi (US 2015/0347734) (hereafter Beigi) and in view of Keith JR (US 2021/0297258) (hereafter Keith).

Regarding claim 21 Beigi teaches: A method comprising: receiving, by a server system, a login request, wherein the login request corresponds to a first factor in a multi-factor authentication procedure (Beigi, in Para. [0062] discloses “FIG. 24 shows sample data which is requested from the user at the time of enrollment.); requesting, by the server system and in response to the login request, (Beigi, in Para. [0061] discloses “the results of the multifactor authentication are received from the server.” Beigi, in Para. [0061] discloses “The device is also used to capture the data for the multifactor authentication and its specific identity (such as UUID, SIM, IP, etc.) is used as the first factor” Beigi, in Para. [0062] discloses “FIG. 24 shows sample data which is requested from the user at the time of enrollment.”),
a response from a mobile device corresponding to a second factor in a multi-factor authentication (MFA) procedure (Beigi, in Para. [0019] discloses “For the second factor (knowledge of a fact), as an example, a challenge in the form of a traditional passcode may be requested”);
Beigi fails to explicitly teach: receiving, by the server system, a response token from the mobile device, wherein the response token comprises: an MFA token generated by a machine learning module; and one or more context values of the mobile device; determining, by the server system, that the MFA token is valid and that at least one of the one or more context values complies with a login policy; and sending, by the server system, an approval response to the login request.
Keith from the analogous technical field teaches: receiving, by the server system, a response token from the mobile device (Keith, in Para. [0150] discloses “a response by a user to the challenge/Turing test is able to be acquired by a user device, but the acquired information is able to be analyzed on the server device.” Keith, in Para. [0185] discloses “The token is able to be a user's password, facial scan or other acquired data and/or used as a password or otherwise to gain access to a service (e.g., an online service such as Facebook or a bank account)”),
wherein the response token comprises: an MFA token generated by a machine learning module and one or more context values of the mobile device; (Keith, in Para. [0072] discloses “The computing device also includes machine learning implementations (processors/microchips).” Keith, in Para. [0122] discloses “In the step 1602, a multi-factor authentication (MFA) application is executed.” Keith, in Para. [0171] discloses “The authorization is able to be provided as a token, a certificate or any other authorization implementation.” Keith, in Para. [0186] discloses “mobile device is used to log in to an online service, and if the aggregated trust score is above a threshold, then the mobile device sends an authentication certificate or other information to access the online service ( e.g., social network login).”);
 determining, by the server system, that the MFA token is valid and that at least one of the one or more context values complies with a login policy (Keith, in Para. [0185] discloses “each time a user's identity is confirmed using the trust score analysis, a new token is generated); and sending, by the server system, an approval response to the login request (Keith, in Para. [0123] discloses “The MFA login or CypherEye login looks like a local login, but instead a hash (or other information) is sent to a backend mechanism.” Keith, in Para. [0185] discloses “each time a user's identity is confirmed using the trust score analysis, a new token is generated”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses MFA based authentication procedure comprising token generation in order to improve security of the login procedure (Keith, [0072, 0123, 0150, 0171, 0185, 0186])

Regarding claim 22 Beigi as modified teaches: The method of claim 21 where at least one of the context values is one of: type of device, proximity to another device, location of device, time of day, current weather, and signal strength (Beigi, in Para. [0092] discloses “physical location may be a home, an office, a country (passport), a bank vault, or any other location which imposes restrictions on entry based on a person's identity.”).

Regarding claim 23 Beigi fails to explicitly teach:  The method of claim 21 wherein the server login request comprises MFA data.
Keith from the analogous technical field teaches: The method of claim 21 wherein the server login request comprises MFA data (Keith, in Para. [0123] disclose “The MFA application and/or CypherEye application is used as a login authority. The MFA login or CypherEye login looks like a local login, but instead a hash (or other information) is sent to a backend mechanism.” Keith, in Para. [0125] disclose “the MFA application is used in conjunction with a login/password.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses login procedure including MFA data in order to improve security of the login procedure (Keith, [0123, 0125]).

Regarding claim 24 Beigi fails to explicitly teach: The method of claim 23 wherein the MFA token generated by the machine learning module is generated based on the MFA data.
Keith from the analogous technical field teaches: The method of claim 23 wherein the MFA token generated by the machine learning module is generated based on the MFA data (Keith, in Para. [0072] discloses “The computing device also includes machine learning implementations (processors/microchips).” Keith, in Para. [0185] discloses “each time a user's identity is confirmed using the trust score analysis, a new token is generated”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses machine learning implementation for token generation including MFA data in order to improve security of the login procedure (Keith, [0072, 0185]).

Regarding claim 25 Beigi fails to explicitly teach: The method of claim 23 wherein the mobile device stores at least one value based on the MFA data.
Keith from the analogous technical field teaches: The method of claim 23 wherein the mobile device stores at least one value based on the MFA data (Examiner note: the results of analytics comprising MFA data are stored on a mobile device as depicted in Fig. 16 of Keith) (Keith, in Para. [0163] discloses “The mobile device 2000 is able to be a mobile/smart phone, a smart watch, and/or any other mobile device. Depending on the implementation, results of the analytics and challenges are able to be stored on the mobile device 2000 and/or the one or more dedicated cloud service devices 2004”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses data storage on a mobile device including MFA data in order to enhance capabilities of the Beigi method (Keith, [0163]).

Regarding claim 26 Beigi fails to explicitly teach: The method of claim 25 wherein the MFA token generated by the machine learning module is generated based on the at least one stored value.
Keith from the analogous technical field teaches: The method of claim 25 wherein the MFA token generated by the machine learning module is generated based on the at least one stored value.
(Keith, in Para. [0072] discloses “The computing device also includes machine learning implementations (processors/microchips).” Keith, in Para. [0185] discloses “each time a user's identity is confirmed using the trust score analysis, a new token is generated” Keith, in Para. [0122] discloses “In the step 1602, a multi-factor authentication (MFA) application is executed.” Keith, in Para. [0171] discloses “The authorization is able to be provided as a token, a certificate or any other authorization implementation.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses token generation comprising MFA data and based on machine learning implementation in order to improve the authentication/login procedure in the system (Keith, [0072, 0122, 0171, 0185]).

Regarding claim 27 Beigi as modified by Keith teaches:  The method of claim 21, wherein the one or more context values include a frequency of login parameter that indicates how often a user of the mobile device logs into a set of one or more accounts (Examiner note: access control comprises record of logins number and frequency) (Beigi, in Para. [0059] discloses “81 is a button which provides an interface to the administration login page of the access control client application.” Beigi, in Para. [0161] discloses “The transaction may be any process requiring authentication such as a physical access control scenario such as a passport, an account access scenario using the Internet or a telephone network, etc.”).

Regarding claim 28 Beigi as modified by Keith teaches:  The method of claim 21, wherein the one or more context values include a wearable device parameter that indicates whether a wearable device is being worn by a user of the mobile device and whether the wearable device is unlocked (Beigi, in Para. [0248] discloses “There have been described and illustrated herein several embodiments of a method and system that performs electronic transactions with a mobile device using multifactor authentication.” Beigi, in Para. [0247] discloses “Only the user associated with the device is able to unlock the digital cash certificate using the multifactor authentication and data security described in this invention.”).

Regarding claim 29 Beigi as modified by Keith teaches:  The method of claim 21, wherein the one or more context values include one or more values that indicate personally identifiable information (PII) that is stored on the mobile device that is not shared with other devices (Beigi, in Para. [0068] discloses “FIG. 30 shows a screenshot of the interface that may be presented on a tablet, PDA, smartphone, computer screen, et cetera, for inputting a PIN (82) as a possible personal information.” Beigi, in Para. [0091] discloses “Identity information is treated as a separate factor, which will be described in Section 1.1 as an authentication factor of type 2 (personal information)” Beigi, in Para. [0183] discloses “multiple types of challenges are used to do the final multifactor authentication of the individual, the device, and transaction.”).

Regarding claim 30 Beigi teaches:  A non-transitory computer-readable medium having instructions stored thereon that are capable of causing a server computing system to implement operations comprising: receiving, a login request, wherein the login request corresponds to a first factor in a multi- factor authentication procedure (Beigi, in Para. [0061] discloses “the results of the multifactor authentication are received from the server.” Beigi, in Para. [0061] discloses “The device is also used to capture the data for the multifactor authentication and its specific identity (such as UUID, SIM, IP, etc.) is used as the first factor” Beigi, in Para. [0062] discloses “FIG. 24 shows sample data which is requested from the user at the time of enrollment.”);
evaluating data associated with the login request based on a login policy (Beigi: Para. [0061] discloses “Choosing this server as the authentication server, will send the captured authentication data to that server and the results of the multifactor authentication are received from the server. The decision is then made or displayed based on the returned results.”); requesting, in response to the login request, a response from a mobile device corresponding to a second factor in a multi-factor authentication procedure, (Beigi, in Para. [0019] discloses “For the second factor (knowledge of a fact), as an example, a challenge in the form of a traditional passcode may be requested”);
Beigi fails to explicitly teach: the requesting comprising sending security data from the server computing system to the mobile device indicating a required level of security based on the login policy; receiving a response token from the mobile device, wherein generating the response token by the mobile device is based on the security data; and sending an approval response based on the received response token.
Keith from the analogous technical field teaches: the requesting comprising sending security data from the server computing system to the mobile device indicating a required level of security based on the login policy (Keith, in Para. [0123] disclose “The MFA application and/or CypherEye application is used as a login authority. The MFA login or CypherEye login looks like a local login, but instead a hash (or other information) is sent to a backend mechanism.” Keith, in Para. [0163] discloses “The mobile device 2000 is able to be a mobile/smart phone, a smart watch, and/or any other mobile device. Depending on the implementation, results of the analytics and challenges are able to be stored on the mobile device 2000 and/or the one or more dedicated cloud service devices 2004”);
receiving a response token from the mobile device (Keith, in Para. [0185] discloses “The token is able to be a user's password, facial scan or other acquired data and/or used as a password or otherwise to gain access to a service (e.g., an online service such as Facebook or a bank account)”).
wherein generating the response token by the mobile device is based on the security data; and sending an approval response based on the received response token (Keith, in Para. [0185] discloses “each time a user's identity is confirmed using the trust score analysis, a new token is generated”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses MFA based authentication procedure comprising token generation in order to improve security of the login procedure (Keith, [0072, 0123, 0150, 0171, 0185, 0186]).

Regarding claim 31 Beigi fails to explicitly teach: The non-transitory computer-readable medium of claim 30, wherein the response token is one of: a null token comprising data which cannot be approved by the server computing system; Page 3 of 7an automated token comprising data generated using a machine learning module; and a user token comprising data based on further requested user input.
Keith from the analogous technical field teaches: The non-transitory computer-readable medium of claim 30, wherein the response token is one of: a null token comprising data which cannot be approved by the server computing system; Page 3 of 7an automated token comprising data generated using a machine learning module; and a user token comprising data based on further requested user input (Keith, in Para. [0072] discloses “The computing device also includes machine learning implementations (processors/microchips).” Keith, in Para. [0185] discloses “each time a user's identity is confirmed using the trust score analysis, a new token is generated”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses machine learning implementation for token generation in order to improve security of the login procedure (Keith, [0072, 0185]).

Regarding claim 32 Beigi fails to explicitly teach: The non-transitory computer-readable medium of claim 31, wherein the generating by the machine learning module is based on the security data.
Keith from the analogous technical field teaches: The non-transitory computer-readable medium of claim 31, wherein the generating by the machine learning module is based on the security data (Keith, in Para. [0072] discloses “The computing device is able to have a TPM or similar device/implementation for securing certificates. The TPM or similar implementation has break-in detection and other security measures. The computing device also includes machine learning implementations (processors/microchips).”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses machine learning implementation base on different security measures in order to improve security of the login procedure (Keith, [0072]).

Regarding claim 33 Beigi fails to explicitly teach: The non-transitory computer-readable medium of claim 31, wherein the security data comprises one or more context parameters to be used by the machine learning module, wherein a context parameter is associated with a context value for the mobile device.
Keith from the analogous technical field teaches: The non-transitory computer-readable medium of claim 31, wherein the security data comprises one or more context parameters to be used by the machine learning module, wherein a context parameter is associated with a context value for the mobile device (Keith, in Para. [0072] discloses “The computing device is able to have a TPM or similar device/implementation for securing certificates. The TPM or similar implementation has break-in detection and other security measures. The computing device also includes machine learning implementations (processors/microchips).” Keith, in Para. [0163] discloses “The mobile device 2000 is able to be a mobile/smart phone, a smart watch, and/or any other mobile device. Depending on the implementation, results of the analytics and challenges are able to be stored on the mobile device 2000 and/or the one or more dedicated cloud service devices 2004”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses machine learning implementation base on different security measures in order to improve security of the login procedure (Keith, [0072, 0163]).

Regarding claim 34, claim 34 dependent on claim 30 discloses a medium that is substantially equivalent to the medium of claim 22 dependent on claim 21. Therefore, the arguments set forth above with respect to claim 22 are equally applicable to claim 34 and rejected for the same reasons.

Regarding claim 35, claim 35 discloses a method that is substantially equivalent to the medium of claim 30. Therefore, the arguments set forth above with respect to claim 30 are equally applicable to claim 35 and rejected for the same reasons.

Regarding claim 36, claim 36 dependent on claim 35 discloses a method that is substantially equivalent to the medium of claim 31 dependent on claim 30. Therefore, the arguments set forth above with respect to claim 31 are equally applicable to claim 36 and rejected for the same reasons.

Regarding claim 37, claim 37 dependent on claim 36 discloses a method that is substantially equivalent to the medium of claim 32 dependent on claim 31. Therefore, the arguments set forth above with respect to claim 32 are equally applicable to claim 37 and rejected for the same reasons.

Regarding claim 38, claim 38 dependent on claim 37 discloses a method that is substantially equivalent to the medium of claim 33 dependent on claim 31. Therefore, the arguments set forth above with respect to claim 33 are equally applicable to claim 38 and rejected for the same reasons.

Regarding claim 39 Beigi fails to explicitly teach: The method of claim 36, wherein the security data comprises context value data to be used by the machine learning module.
Keith from the analogous technical field teaches: The method of claim 36, wherein the security data comprises context value data to be used by the machine learning module (Keith, in Para. [0072] discloses “The computing device is able to have a TPM or similar device/implementation for securing certificates. The TPM or similar implementation has break-in detection and other security measures. The computing device also includes machine learning implementations (processors/microchips).” Keith, in Para. [0163] discloses “The mobile device 2000 is able to be a mobile/smart phone, a smart watch, and/or any other mobile device. Depending on the implementation, results of the analytics and challenges are able to be stored on the mobile device 2000 and/or the one or more dedicated cloud service devices 2004”). 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses machine learning implementation base on different security measures in order to improve security of the login procedure (Keith, [0072, 0163]).

Regarding claim 40 Beigi fails to explicitly teach: The method of claim 36, wherein the mobile device stores at least one value based on the security data, and wherein the generating by the machine learning module is based on the at least one stored value.
Keith from the analogous technical field teaches: The method of claim 36, wherein the mobile device stores at least one value based on the security data, and wherein the generating by the machine learning module is based on the at least one stored value (Examiner note: the results of analytics comprising security data are stored on a mobile device as depicted in Fig. 16 of Keith) (Keith, in Para. [0163] discloses “The mobile device 2000 is able to be a mobile/smart phone, a smart watch, and/or any other mobile device. Depending on the implementation, results of the analytics and challenges are able to be stored on the mobile device 2000 and/or the one or more dedicated cloud service devices 2004”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Beigi, in view of the teaching of Keith which discloses data storage on a mobile device including MFA data in order to enhance capabilities of the Beigi method (Keith, [0163]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure Shuart (US 2020/0234605).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VLADIMIR IVANOVICH GAVRILENKO whose telephone number is (313)446-6530.  The examiner can normally be reached on Monday-Friday 7:30-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/VLADIMIR I GAVRILENKO/Examiner, Art Unit 2431    

/TRANG T DOAN/Primary Examiner, Art Unit 2431