DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
This application discloses and claims only subject matter disclosed in the prior Application No. 17/022,570, filed September 16, 2020, currently U.S. Patent No. 11,360,830 B2, and names the inventor or at least one joint inventor named in the prior application.  Accordingly, this application constitutes a division.  The benefit of the filing date of the prior application is acknowledged, pursuant to 35 U.S.C. 120, 37 CFR 1.78, and MPEP § 211 et seq.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on May 11, 2022 was filed before the mailing of a first Office Action on the merits.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement has been considered by the Examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-5, 8-12, and 15-18 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Avetisov et al. (US 2020/0287901 A1, hereinafter referred to as Avetisov).
Examiner Note: In this office action, actual claim recitations are shown in italics surrounded by quotation marks to distinguish the claim recitations from comparisons to the prior art.
Regarding Claims 1, 8, and 15,
	Avetisov teaches:
“generating, by a computing system, at least first and second notifications to be sent to a client device operated by a user” (paragraphs [0006], [0007]).  [A process executed by a computing device supports a client-side role in out-of-band authentication based on a secure channel to a trusted execution environment on the computing device for a client-side authentication application ([0006]).  A process executed by a processor of a server that supports a client-side role in out-of-band authentication registers the first device having a trusted execution environment by establishing a user record associated with a user permitted to access the secure asset, the user record comprising a user identifier associated with the user; after receiving information that comprises the user identifier and device information for the second device corresponding to an attempt to access the secure asset from a second device, transmitting a notification to the first device based on the device identifier; after receiving from the first device, a response to the notification including data comprising a credential, verifying the credential received and transmitting based on the verifying, an authentication result to grant the access attempt ([0007]).]  (NOTE: The server is equivalent to the “computing system,” the user/client device to the “client device operated by a user,” the notification to the first device to the “first notification,” and the authentication result to grant access to the “second notification.”)
“the first and second notifications indicating, respectively, first and second events of first and second applications accessible by the user” (paragraphs [0007], [0022]).  [After receiving information that comprises the user identifier and device information for the second device, the server transmits a notification, and after receiving from the first device, a response to the notification including data comprising a credential, transmits an authentication result to grant access ([0007]).  The authentication process of an authentication session occurs when, in response to an event in which the user attempts to access a native application or a software asset, assets are granted conditionally upon authentication of the user ([0022]).]  (NOTE: The server transmitting a notification after receiving a user identifier is equivalent to the “first notification,” the server transmitting a notification of an authentication result to the “second notification,” the sending by the client of  user identifier and device information to the “first event,” and the authentication of the user to the “second event.”)
“receiving, by the computing system from the client device, first data indicative of a current context of the client device” (paragraph [0094]).  [In a business environment context, the client device is assigned to a particular employee by an administrator of the relying party, stores it under the UID Record of the employee, and registers the client device with specific permissions to access secure assets.]  (NOTE: The business environment context is equivalent to the “context of the client device,” and the specific permissions to access secure assets to the “first data indicative of a current context.”)
“sending, by the computing system and based at least in part on the first data, the first notification, but not the second notification, to the client device”  (paragraphs [0007], [0020]).  [After receiving information that comprises the user identifier and device information for the second device, the server transmits a notification, and after receiving from the first device, a response to the notification including data comprising a credential, transmits an authentication result to grant access ([0007]).  The authentication system verifies whether the user inputs valid credentials, if so, those credentials are authenticated; but conversely, if the user inputs invalid credentials, authentication fails  and the client computing device is restricted from access to online resources ([0020]).]  (NOTE: The notification of the user identifier being authenticated is equivalent to the “first notification based on the first data,” and failure to authenticate with no authentication message being sent to the “not the second notification to the client device.”)
“A system, comprising: at least one processor; and at least one computer-readable medium encoded with instructions which, when executed by the at least one processor” (paragraphs [0120], [0124]).
“At least one non-transitory computer-readable medium encoded with instructions which, when executed by at least one processor of a system” (paragraph [0124]).
Regarding Claims 2, 9, and 16,
	Avetisov teaches all the limitations of parent Claims 1, 8, and 15.
Avetisov teaches:
“causing the first and second notifications to include respective user interface elements enabling the user to take corresponding actions with respect to the first and second applications” (paragraphs [0006], [0020]).  [After receiving information that comprises the user identifier and device information for the second device corresponding to an attempt to access the secure asset from a second device, the server transmits a notification to the first device based on the device identifier; after receiving from the first device, a response to the notification including data comprising a credential, the server verifies the credential received and transmits based on the verifying, an authentication result to grant the access attempt ([0007]).  The client computing device is granted access to the online resources provided by the native application ([0020]).]  (NOTE: The server transmitting a notification after receiving a user identifier is equivalent to the “first notification,” the server transmitting a notification of an authentication result to the “second notification,” and both notifications are based on “enabling the user to take corresponding actions,” i.e., the identifiers and credentials, which are equivalent to “respective user interface elements.”)
Regarding Claims 3, 10, and 17,
	Avetisov teaches all the limitations of parent Claims 1, 8, and 15.
Avetisov teaches:
“wherein the first data comprises at least one of an identifier of the client device, a current time, a network to which the client device is connected, or a location of the client device” (paragraphs [0006], [0024]).  [The computing device (i.e. server) receives information that comprises the user identifier and device information for the second device corresponding to an attempt to access the secure asset ([0006]).  Network address identifiers can include one or more of an IMEI number, telephone number, MAC and IP address, and/or other identifiers suitable to uniquely reference a given computing device ([0024]).]  (NOTE: The user identifier and device information are equivalent to the “identifier of the client device”) and the network address identifiers to “a network to which the client device is connected, or a location of the client device.”)
Regarding Claims 4, 11, and 18,
	Avetisov teaches all the limitations of parent Claims 1, 8, and 15.
Avetisov teaches:
“prior to receiving the first data, receiving, by the computing system, second data indicative of one or more other notifications accessed by the user operating one or more client devices, and a context of the one or more client devices when the one or more other notifications were accessed by the user” (paragraphs 0007], [0024], [0094]).  [ [A process executed by a processor of a server that supports a client-side role in out-of-band authentication registers the first device having a trusted execution environment by establishing a user record associated with a user permitted to access the secure asset, the user record comprising a user identifier associated with the user ([0007]    
In some example embodiments, the monitored address identifier may be an address of a given computing device on a notification network or service, like a push notification network, to which the computing device has registered, e.g., without the sending party having access to an IP address or physical layer address of the recipient before causing the message to be sent ([0024]).  In a business environment context, the client device is assigned to a particular employee by an administrator of the relying party, stores it under the UID Record of the employee, and registers the client device with specific permissions to restrict access of secure assets to only registered devices ([0094]).]  (NOTE: The push notification is equivalent to the “second data indicative of one or more other notifications accessed by the user operating one or more client devices” and the business environment context to the “context of the one or more client devices.”)
“wherein sending the first notification, but not the second notification, to the client device is further based at least in part on the second data” (paragraphs [0007], [0020]).  [After receiving information that comprises the user identifier and device information for the second device, the server transmits a notification, and after receiving from the first device, a response to the notification including data comprising a credential, transmits an authentication result to grant access ([0007]).  The authentication system verifies whether the user inputs valid credentials, if so, those credentials are authenticated; but conversely, if the user inputs invalid credentials, authentication fails  and the client computing device is restricted from access to online resources ([0020]).]  (NOTE: The user identifier and device information are equivalent to the “first notification” and the to the credentials to the  “second data.”)
Regarding Claims 5 and 12,
	Avetisov teaches all the limitations of parent Claims 1, 8, and 15.
Avetisov teaches:
 “receiving, from the client device, a request for a context-based view of an activity feed of notifications, the request including the first data” (paragraph 0033]; fig. 1, elements 101, 135).  [A common context might include an employee using a work or personal laptop or desktop computer, represented client device 135, to request access to online resources, such as a web application, hosted on a server by their employer, and using a work or personal mobile device, such as a smartphone or tablet, represented by mobile device 101, to provide data utilized to authenticate the request to access the online resources.]
“wherein sending the first notification to the client device is performed in response to the request” (paragraph 0033]; fig. 1, element 135).  [The request to access online resources may originate from a different client device, such as client device 135.]

	
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claims 6-7, 13-14, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Avetisov et al. (US 2020/0287901 A1, hereinafter referred to as Avetisov) in view of Devenny et al. (US 11,200,282 B1, hereinafter referred to as Avetisov).
Regarding Claims 6, 13, and 19,
	Avetisov teaches all the limitations of parent Claims 1, 8, and 15.
Avetisov teaches:
“retrieving, by the computing system, second data from the first application using first access credentials associated with the user” and “retrieving, by the computing system, third data from the second application using second access credentials associated with the user” (paragraphs [0006], [0007]).  [The authentication application is configured for establishing a secure session with a trusted execution environment of the computing device ([0006]).  After receiving information that comprises the user identifier and device information for the second device corresponding to an attempt to access the secure asset from a second device, a computing device transmits a notification to the first device based on the device identifier; after receiving the notification from the  device, a response to the notification including data comprising a credential is sent and the received credential is verified ([0007]).]  (NOTE: The authentication application is equivalent to the “first or second application,” the user identifier and device information to the “first or second access credentials” and the credential sent after the notification is sent to the “second data from the first application” or the “third data from the second application.”  The use of numerical terms such as “first,” “second” and “third” in this context does not create a patentable distinction, especially since the specification does not disclose the second limitation recited above. The terms are merely interpreted as multiple iterations of the same process.)
Avetisov does not teach:
“determining, by the computing system, that the second data is indicative of the first event” and “determining, by the computing system, that the third data is indicative of the second event.” 
Devenny teaches:
““determining, by the computing system, that the second data is indicative of the first event” and “determining, by the computing system, that the third data is indicative of the second event”” (column 15, line 64 - column 16, line 4).  [The users screen shows quick actions for researching event space for a team event using an event application indicated by icons, which when clicked, provide a dialogue to take a particular action that has been determined to be the most likely or most relevant action with respect to the data item.] 
Both Avetisov and Devenny teach systems with client authentication, as does the instant application.  Because the two cited references are analogous to the instant application, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, to include in the Avetisov disclosure, associating an event with data being sent, as taught by Devenny.  Such inclusion would have increased the ability for the system to determine event information, and would have been consistent with the rationale of combining prior art elements according to known methods to yield predictable results to show a prima facie case of obviousness (MPEP 2143(I)(A)) under KSR International Co. v. Teleflex Inc., 127 S. Ct. 1727, 82 USPQ2d 1385, 1395-97 (2007).
Regarding Claims 7, 14, and 20,
	Avetisov teaches all the limitations of parent Claims 1, 8, and 15.
Avetisov teaches:
“the computing system retrieves the second data from first application via a first application programming interface (API) of the first application” and “the computing system retrieves the third data from second application via a second API of the second application” (paragraph [0036]).  [A client execution environment (CEE) includes an application programming interface (API) by which those requests are communicated from the CEE to the trusted execution environment (TEE).]  (NOTE: As stated above, the use of numerical terms such as “first” and “second” “third” in this context does not create a patentable distinction, especially since the specification does not disclose the second limitation recited above. The terms are merely interpreted as multiple iterations of the same process.)

	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The additional prior art references listed on Form PTO-892 and not used in the prior art rejections are also relevant to this application.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PHYLLIS A BOOK whose telephone number is (571)272-0698. The examiner can normally be reached M-F 10:00 am - 7:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PHYLLIS A BOOK/Primary Examiner, Art Unit 2454