Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Status of Claims
Claims 1-11 are subject to examination.  

Priority
Applicant’s claim for domestic priority (This application is a CON of 16/161,205 10/16/2018 PAT 10810293) as claimed in this application under 35 U.S.C. 119(e) is acknowledged.  

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-11 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 5, 6, 11, 13, 16-18 of U.S. Patent No. 10810293. The patent claims 1, 3, 5, 6, 11, 13, 16-18 anticipate the claims 1-11 of this application.

This application 17/017,248 claims
Patent 10810293 claims
1. A communication device, comprising: an authentication engine receiving a user-originated voice biometric input and 
determining, based on a voice biometric matching threshold, one of: a successful user authentication; an unsuccessful user authentication; 

a database generating non-voice usage compensation controls based on non-voice usage parameters collected during successful user authentications; and 

the authentication engine, subsequent to an unsuccessful user authentication and 



in response to a valid PIN entry, lowering the voice biometric matching threshold and enabling the non-voice usage compensation controls to determine user authentication.







2. A communication device, comprising: an authentication engine configured to:
determine successful and unsuccessful authentications in response to a user-originated voice biometric input being compared to a voice biometric matching threshold; and

enable non-voice usage compensation controls that securely authenticate a user having passed voice-based authentication with a lowered voice biometric matching threshold.

3. The communication device of claim 2, wherein the authentication engine is further operable to receive a valid user PIN entry, indicative of a valid user, and to determine false rejections and valid rejections.

4. The communication device of claim 2, wherein the authentication engine lowers the voice biometric matching threshold to generate the lowered voice biometric matching threshold in response to a user rejection rate that is above a population norm, and the user rejection rate is determined based on a valid PIN entry subsequent to an unsuccessful authentication.

5. The communication device of claim 2, wherein authentication engine is further configured to determine whether a valid rejection is user based or device based.


6. The communication device of claim 5, wherein: the communication device sends a user alert to indicate a need for user training of the device in response to the valid rejection being user based; and the communication device sends a user alert to indicate a need for device servicing in response to the valid rejection being device based.

7. Amethod for user authentication of a communication device, comprising:

determining, by an authentication engine of the communication device, successful and unsuccessful authentications in response to a user-originated voice biometric input being compared to a voice biometric matching threshold; and
enabling non-voice usage compensation controls to securely authenticate a user having passed voice-based authentication with a lowered voice biometric matching threshold.

8. The method of claim 7, wherein the authentication engine is further operable to receive a valid user PIN entry, indicative of a valid user, and to determine false rejections and valid rejections.

9. The method of claim 7, wherein the lowered voice biometric matching threshold is generated by the authentication engine in response to a user rejection rate that is above a population norm, and wherein the user rejection rate is determined based on valid PIN entry subsequent to an unsuccessful authentication.

10. The method of claim 7, further comprising:: detecting a valid biometric rejection; and determining whether the valid biometric rejection is user based or device based.

11. The method of claim 10, further comprising:
sending a user alert to indicate a need for user training of the communication device in response to the valid biometric rejection being user based; and sending a user alert to indicate a need for device servicing in response to the valid biometric rejection being device based.
1. A communication device, comprising: an authentication engine receiving a user-originated voice biometric input and 
determining one of: a successful user authentication based on a voice biometric matching threshold; and an unsuccessful user authentication based on the voice biometric matching threshold; 
a database for building an individual user profile based on successful user authentications, the individual user profile comprising non-voice usage parameters collected during successful user authentications, 
the database generating non-voice usage compensation controls based on the non-voice usage parameters collected during successful user authentications; 
the authentication engine is further operable to receive a valid user PIN entry, indicative of a valid user, and to further determine false rejections and valid rejections; and the authentication engine, subsequent to the detection of a false rejection, adjusting the voice biometric matching threshold and enabling the non-voice usage compensation controls, thereby improving user authentication for a valid user having an individual false rejection rate that falls outside of a public safety population norm.

3. The communication device of claim 1, wherein adjusting the voice biometric matching threshold comprises decreasing the voice biometric matching threshold to decrease the individual false rejection rate.
5. The communication device of claim 1, wherein detection of a valid rejection by the authentication engine further comprises determining whether the valid rejection is user based or device based.

6. The communication device of claim 5, wherein: the communication device sends a user alert to indicate a need for user training of the device in response to the valid rejection being user based; and the communication device sends a user alert to indicate a need for device servicing in response to the valid rejection being device based.

11. The communication device of claim 1, wherein receipt of entry of an invalid PIN results in a valid authentication failure and prevents the enablement of the non-voice usage compensation controls.

12. A method for adjusting user authentication for accessing a communication device, comprising: receiving a user-originated voice biometric input to the communication device that meets a voice biometric matching threshold indicative of a successful user authentication; building an individual user profile of non-voice usage parameters collected during the successful user authentication; generating non-voice usage compensation controls based on the of non-voice usage parameters collected during the successful user authentication; receiving a user-originated voice biometric input to the communication device that fails the voice biometric matching threshold indicative of an unsuccessful user authentication; receiving a valid PIN entry, indicative of a valid user, to the communication device after the unsuccessful user authentication; calculating an individual user-based false rejection rate in response to the valid PIN entry; comparing the user-based false rejection rate to a public safety population norm; detecting that the user-based false rejection rate exceeds that of the public safety population norm; adjusting the voice biometric matching threshold to reduce the individual user-based false rejection rate; and enabling the non-voice usage compensation controls.

13. The method of claim 12, wherein adjusting the biometric matching threshold comprises: decreasing the voice biometric matching threshold.

16. The method of claim 12, further comprising: detecting a valid biometric rejection; and determining whether the valid biometric rejection is user based or device based.


18. The method of claim 12, further comprising: enabling user access to public safety services via the communication device in response to verification of the user's current non-voice usage parameters against the non-voice usage compensation controls and the adjusted voice biometric matching threshold being decreased.


17. The method of claim 16, further comprising: sending a user alert to indicate a need for user training of the device in response to the valid biometric rejection being user based; and sending a user alert to indicate a need for device servicing in response to the valid biometric rejection being device based



Drawings
The figures submitted on the filing date of this application are acknowledged. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-5, is/are rejected under 35 U.S.C. 103 as being unpatentable over Summerfield et al., 2021/0366489 in view of Lindemann, 10769635 (please refer to the NPL including paragraph numbers).
Referring to claim(s) 1, Summerfield discloses a communication device (para 34, 55), comprising: an authentication engine receiving a user-originated voice biometric input and determining, based on a voice biometric matching threshold, one of: a successful user authentication; an unsuccessful user authentication (para 34, 55). Summerfield does not specifically mention about, which is well-known in the art, which Lindemann discloses, a database generating non-voice usage compensation controls based on non-voice usage parameters collected during successful user authentications; 
(292) In addition, another non-intrusive technique involves the authentication engine 2610 monitoring the time which has passed since the last explicit user authentication. For example, if the user has authenticated using a fingerprint or other biometric device 2620-2621 or has entered a password recently (e.g., within 10 minutes), then it will use this information to increase the assurance level 2606. By contrast, if the user has not explicitly authenticated for several days, then it may require more rigorous authentication by the facial recognition module 2605 and eye tracking module 2605 (e.g., it may require a higher correlation with the template data than usual to increase the assurance level to an acceptable value for the current transaction).
(289) To perform eye tracking analysis, the eye tracking module 2605 relies on eye tracking templates stored within a secure eye tracking database 2645. Although illustrated as a separate database, the eye tracking database and facial recognition database may actually be the same secure database. In one embodiment, an eye tracking template specifies the text, graphics, pictures, videos and/or blank regions which are to be displayed for the user on the client device's display 2601 (some examples of which are shown in FIGS. 28A-B below) and potentially the order in which the content is to be displayed. In addition, the eye tracking template includes data specifying the expected motion characteristic of a user's eyes in response to the content displayed to the user (e.g. in form of a heatmap, see below). Matching logic within the eye tracking module 2605 compares the expected motion of the user's eyes with the actual motion (captured from the video images) to arrive at a “score” based on the similarity between the expected motion and the actual motion. As mentioned, the score may then be combined with scores from other authentication modules (e.g., such as facial recognition module 2604) to form an assurance level 2606. The eye tracking template data stored in the database 2646 may be compiled using recorded eye movements of other users and/or of the actual user of the device in response to each displayed Web page or other displayed image. For example, as with the facial recognition template, the eye tracking template may be generated as part of an enrollment process in which the user enrolls his/her eye motion with the device 2600.
and the authentication engine, subsequent to an unsuccessful user authentication and in response to a valid PIN entry,
(74) Some embodiments of the invention described below may work completely frictionless (i.e. without requiring any explicit user authentication). Behavioral or other techniques may be used to continuously measure an assurance level which indicates the current assurance that an authorized user is in possession of the device. The assurance level may be calculated, for example, based on the time which has passed since the last explicit user authentication (e.g., to SIM card or phone unlock with PIN or finger swipe). Assuming that amount of time which has passed is within a particular threshold (e.g., 5 seconds, 5 minutes, 1 hour, etc), the device may be considered to be in a “legitimate user state” and the assurance level set to a maximum value (e.g., 100 on a normalized scale of −100 to 100).
(371) Regardless of how the assurance level is generated, the results of the authentication may be provided to the relying party over the network in a manner which protects the user's privacy (e.g., without providing data that specifically identifies the client device). For example, as previously mentioned, the assurance level itself and/or an indication of the success or failure of authentication may be provided to the relying party, without disclosing any confidential user information 
(12) Passwords still are the predominant explicit authentication methods. Unfortunately they are attacked easily and those attacks scale well. Additionally, entering passwords is cumbersome especially on small devices like smartphones. As a consequence many users do not use password based protection methods to lock their phones at all or they use trivial PIN code.
lowering the voice biometric matching threshold and enabling the non-voice usage compensation controls to determine user authentication.
(14) Various “fusion” methods for combining biometric modalities have been proposed. Some of them address usability issues by reducing the false rejection rate (FRR); other address the security issue by reducing the false acceptance rate (FAR). These methods thus far have proposed static fusion algorithms. Unfortunately this approach still leads to varying assurance levels depending on the “other inputs” (as discussed above).
(235) In addition, a rule or set of rules may be used to create ordered, ranked combinations of authentication policies for an interaction. For example, the rules may specify combinations of policies for individual authentication policies, allowing the creation of rich policies that accurate reflect the authentication preferences of the relying party. This would allow, for example, the relying party to specify that fingerprint sensors are preferred, but if none is available, then either trusted platform module (TPM)-based authentication or face recognition are equally preferable as the next best alternatives (e.g., in a prioritized order).
(506) Alternatively, or in addition, at 5307, the user may be provided with an opportunity to review the list and/or select specific authentication capabilities to be used with this particular server 4730. For example, the filtered list may indicate the option to use authentication with a fingerprint scan, facial recognition, and/or voice recognition. The user may then choose to use one or more of these options when authenticating with the server 4730.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Summerfield to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well-known non-voice usage compensation controls. When necessary, non-voice usage compensation controls would enable performing user authentication along with voice biometric authentication (para 289). 

Referring to claim(s) 2, Lindermann discloses an authentication engine configured to: 
determine successful and unsuccessful authentications in response to a user-originated voice biometric input being compared to a voice biometric matching threshold; and 
(2) FIG. 1 illustrates an exemplary client 120 with a biometric device 100. When operated normally, a biometric sensor 102 reads raw biometric data from the user (e.g., capture the user's fingerprint, record the user's voice, snap a photo of the user, etc) and a feature extraction module 103 extracts specified characteristics of the raw biometric data (e.g., focusing on certain regions of the fingerprint, certain facial features, etc). A matcher module 104 compares the extracted features 133 with biometric reference data 110 stored in a secure storage on the client 120 and generates a score 153 based on the similarity between the extracted features and the biometric reference data 110. The biometric reference data 110 is typically the result of an enrollment process in which the user enrolls a fingerprint, voice sample, image or other biometric data with the device 100. An application 105 may then use the score 135 to determine whether the authentication was successful (e.g., if the score is above a certain specified threshold).
(385) Returning to FIG. 37, in one embodiment, authentication may be performed via an authentication engine 3710 on the client devices 3600-3602 designed to perform a series of transactions with the relying party 3650 to remotely authenticate each user. For example, as described in the co-pending applications an authentication framework and associated authentication techniques may be employed in which a user enrolls with biometric devices 3720-3721 of a client to generate biometric template data (e.g., by swiping a finger, snapping a picture, recording a voice, etc); registers the biometric devices with one or more relying parties 3650 over a network (e.g., Websites or other relying parties equipped with secure transaction services); and subsequently authenticates with those relying parties 3650 using data exchanged during the registration process (e.g., encryption keys provisioned into the biometric devices).

enable non-voice usage compensation controls that securely authenticate a user having passed voice-based authentication with a lowered voice biometric matching threshold.
(206) In one embodiment, the authentication policy engine 1710 may use the correlation results provided by the device proximity detection logic 2001 to determine the level of authentication required by the user for each relying party 1750. For example, if a high correlation exists (i.e., above a specified threshold), then the authentication policy engine may not require explicit authentication by the end user. By contrast, if there is a low correlation between the user's current location and the historical device proximity data 2004 (i.e., below a specified threshold), then the authentication policy engine 1710 may require more rigorous authentication (e.g., a biometric authentication such as a fingerprint scan and/or requesting PIN entry).

(215) In one embodiment, the supplemental data correlation module 2140 compares data gathered from sensors 1743 on the user's device against multiple other end users in the immediate area to identify anomalies that suggest the user is not operating in the same physical location as those known users. For example, if a set of authenticated users are identified who are operating the same physical area, and all of those users' devices note that the local temperature in the area is 10° C., the supplemental data correlation module 2140 may generate a low correlation score for an end user whose temperature sensor 2101 indicates the local temperature is 20° C. As a result, the authentication policy 1711 may require more rigorous authentication techniques 1712.
(216) As yet another example, the supplemental data correlation module 2140 may compare current readings against historical data for a particular user. For example, as mentioned, sensor data may be analyzed during periods of time when the user is known to be in possession of the device 1700 (e.g., for a time period following an explicit authentication). The supplemental data correlation module 2140 may then look for discontinuities in the local data to identify suspicious behavior. For example, if the user's ambient temperature normally floats between 10° C. and 20° C. and it is currently at 30° C., this may indicate the user is not in a typical location, thereby generating a low correlation and causing the authentication policy module 1711 to require an additional level of scrutiny for a transaction.
(217) The supplemental data correlation module 2140 may perform various different types of correlations between sensor data and supplemental location data while still complying with the underlying principles of the invention. For example, various known correlation mechanisms may be used to determine the statistical relationship between the two sets of data. In one embodiment, the correlation score provided to the authentication policy engine 1711 comprises a normalized value (e.g., between 0-1) indicating a level of correlation. In one embodiment, various threshold levels may be set for detected differences between the sensors 1743 and supplemental location data 2110. For example, if the temperature sensor 2101 measures a temperature of more than 3 degrees off of the current temperature (gathered from other devices or the Internet), then a first threshold may be triggered (resulting in a lowering of the correlation score). Each additional 3 degrees off from the current temperature may then result in a new threshold being met (resulting in a corresponding lowering of the correlation score). It should be noted, however, that these are merely examples of one embodiment of the invention; the underlying principles of the invention are not limited to any particular manner of performing a correlation.
(218) A method in accordance with one embodiment of the invention is illustrated in FIG. 22. At 2201, the current location being reported by the client device (e.g., via the GPS module on the device) is read. At 2202, supplemental location data is collected for the reported location along with sensor data from the client device. As mentioned above, the supplemental location data may be collected locally or remotely (e.g., from other clients and/or servers on the Internet) and may include data such as the current temperature, pressure and/or humidity for the reported location. The sensor data may be provided by temperature sensors, barometric or altimeter pressure sensors, and/or humidity sensors.
(219) At 2203, a correlation is performed between the supplemental location data and the sensor data provided by the device sensors. In one embodiment, a relatively higher correlation will result in a relatively higher correlation score at 2204 whereas lower correlations will result in relatively lower correlation scores. As mentioned, in one embodiment, the correlation score is a normalized value (e.g., between 0-1) indicating the similarity between the sensor readings and supplemental data.
(220) At 2205 one or more authentication techniques are selected based (at least in part) on the correlation score. For example, if a relatively low correlation score is provided, then more rigorous authentication techniques may be selected whereas if a relatively high correlation exists then less rigorous authentication techniques may be selected (potentially those which do not require explicit authentication by the end user).

Referring to claim(s) 3, Lindermann discloses receive a valid user PIN entry, indicative of a valid user, and to determine false rejections and valid rejections.
(103) FIG. 8 illustrates one embodiment of the invention for implementing adaptive authentication techniques. As in the embodiments discussed above, this embodiment includes one or more non-intrusive authentication modules 230 for performing non-intrusive authentication (e.g., based on location, sensed user behavior, etc) and one or more explicit authentication modules 222 for performing explicit user authentication (e.g., requiring a PIN, fingerprint scan, etc). In addition, as in prior embodiments, an assurance calculation module 212 performs assurance calculations based on, for example, the time since the last explicit authentication (provided by timer 211) and/or authentication data provided by the various authentication modules 230, 222. The secure communication module 213 establishes secure communication with the relying party 250 (e.g., using a secure encryption key as discussed above).
(200) If authentication is not successful, then the transaction is blocked at 1907. At this stage, the transaction may be permanently blocked or additional authentication steps may be requested. For example, if the user entered an incorrect PIN, the user may be asked to re-enter the PIN and/or perform biometric authentication.
(225) In one embodiment, the authentication device data 2329 comprises data associated with each of the explicit user authentication devices 1720-1721 known to be used with clients 1700. For example, the policy database 2325 may include an entry for a “Validity Model 123” fingerprint sensor along with technical details related to this sensor such as the manner in which the sensor stores sensitive data (e.g., in cryptographically secure hardware, EAL 3 certification, etc) and the false acceptance rate (indicating how reliable the sensor is when generating a user authentication result).
(226) In one embodiment, the authentication device classes 2328 specify logical groupings of authentication devices 2329 based on the capabilities of those devices. For example, one particular authentication device class 2328 may be defined for (1) fingerprint sensors (2) that store sensitive data in cryptographically secure hardware that has been EAL 3 certified, and (3) that use a biometric matching process with a false acceptance rate less than 1 in 1000. Another device class 2328 may be (1) facial recognition devices (2) which do not store sensitive data in cryptographically secure hardware, and (3) that use a biometric matching process with a false acceptance rate less than 1 in 2000. Thus, a fingerprint sensor or facial recognition implementation which meets the above criteria will be added to the appropriate authentication device class(es) 2328.
14) Various “fusion” methods for combining biometric modalities have been proposed. Some of them address usability issues by reducing the false rejection rate (FRR); other address the security issue by reducing the false acceptance rate (FAR). These methods thus far have proposed static fusion algorithms. Unfortunately this approach still leads to varying assurance levels depending on the “other inputs” (as discussed above).

Referring to claim(s) 4, Summerfield discloses voice biometric, para 34, 55, Lindermann discloses  
wherein the authentication engine lowers the biometric matching threshold to generate the lowered biometric matching threshold in response to a user rejection rate that is above a population norm, and the user rejection rate is determined based on a valid PIN entry subsequent to an unsuccessful authentication.
(75) Following the legitimate user state, the assurance level may be measured based on a combination of the elapsed time since explicit user authentication and other variables which indicate that the authorized user is in possession of the device (e.g., based on non-intrusive input detected from device sensors). For example, the biometric gait of the user may be measured using an accelerometer or other type of sensor in combination with software and/or hardware designed to generate a gait “fingerprint” from the user's normal walking pattern. In addition, the distance to frequently visited destinations of the legitimate user may be tracked, stored and subsequently used to determine the assurance level. For example, if the user is connecting to a relying party from a location known to be the user's home or office, then the assurance level may be set to a relatively high value, whereas if the device is connecting from an unknown or distant location, then the assurance level may be adjusted to a lower level.
(200) If authentication is not successful, then the transaction is blocked at 1907. At this stage, additional authentication steps may be requested. For example, if the user entered an incorrect PIN, the user may be asked to re-enter the PIN and/or perform biometric authentication.
(77) The end result is that an assurance level that the legitimate user still is in the possession of the device may be sent to the relying party in the authentication response. In one embodiment, the assurance level is “signed” or otherwise authenticated by a key (e.g., a relying-party specific key established and attested in a registration phase as discussed below). In one embodiment, the assurance level is normalized to a value between −100 and 100, where −100 means “almost certain it is not the legitimate user,” 0 means “don't know,” and 100 means “almost certain that it is the legitimate user.”
In one embodiment, the risk engine 812 then evaluates this data to arrive at an implicit “risk score” (or a preliminary assurance level inversely related to the risk score), which may be used to determine the amount of additional assurance required to authenticate the user for a given transaction.
(108) In one embodiment, based on the implicit risk score, the adaptive authentication module on the relying party 810 or the client device 800 determines a set of one or more authentication modules 222, 230 with the potential of increasing the overall assurance level to the required level for an intended transaction (i.e., when combined with the preliminary assurance level/implicit risk score). In one embodiment, the assurance level gain analysis module 811 determines the amount of gain required and the adaptive authentication module 800, 810 is provided with an indication of the required assurance level gain as a parameter. The adaptive authentication module 800, 810 then uses this “gain” parameter in order to determine the most convenient set of authentication techniques (non-intrusive 230 and/or explicit 222) in order to achieve (at least) the required gain. The adaptive authentication module 800 may include a formal description of the selected set of authentication techniques in a response to the relying party 250 (e.g. as an authenticated extension). The relying party 250 may then verify whether the resulting overall assurance level meets the required level.
(288) The score generated by the facial recognition module 2604 may then be combined with scores from other authentication modules (e.g., such as eye tracking module 2605 discussed below) to form an assurance level 2606, representing the assurance that the legitimate user is initiating the current transaction. In one embodiment, each score must reach a particular threshold value to generate a sufficient assurance level 2606 for a particular transaction. In one embodiment (assuming the thresholds are reached), the scores may be added together or combined using other mathematical formulae (e.g., the scores may be weighted, averaged, added together, or combined in any other way).

Referring to claim(s) 5, Lindermann discloses  
wherein authentication engine is further configured to determine whether a valid rejection is user based or device based.
(369) At 3501, the client enters the vicinity of the local secure transaction device (e.g., an ATM) and, at 3502, a secure connection is established with the local secure transaction device over a local channel. As mentioned, the local channel may be implemented using near field communication, Bluetooth, Wifi, or any other type of protocol supported by both the client device and the local secure transaction device. Operation 3502 may not be required in some embodiments. For example, when the client device is capable of authenticating with the relying party with a high level of assurance that the legitimate user is in possession of the client device and if the client device is capable of verifying its current location to the relying party, then the local channel may not be necessary. (370) At 3503, the client device authenticates with the relying party over the network. Any available techniques for generating an assurance level that the legitimate user is in possession of the device may be used for this operation. For example, the user may perform explicit authentication by swiping a finger on a biometric fingerprint device, capturing a facial image for facial recognition, and/or entering a secret code. Alternatively, non-intrusive authentication techniques may be performed such as determining whether the user has explicitly authenticated with the client device recently (e.g., within a specified time period) and/or using sensor data such as location data, temperature/pressure data, and/or accelerometer data. (371) Regardless of how the assurance level is generated, the results of the authentication may be provided to the relying party over the network in a manner which protects the user's privacy (e.g., without providing data that specifically identifies the client device). For example, as previously mentioned, the assurance level itself and/or an indication of the success or failure of authentication may be provided to the relying party, without disclosing any confidential user information. (199) As mentioned above, the level of authentication required may be determined based on the current transaction. For example, a transaction which requires a transfer of a significant amount of money may require a relatively high authentication assurance threshold, whereas non-monetary transaction may require a relatively lower authentication assurance threshold. Thus, the location-aware authentication techniques described herein may be sufficient for certain transactions but may be combined with more rigorous authentication techniques for other transactions. (200) If authentication is not successful, then the transaction is blocked at 1907. At this stage, the transaction may be permanently blocked or additional authentication steps may be requested. For example, if the user entered an incorrect PIN, the user may be asked to re-enter the PIN and/or perform biometric authentication. (342) One consideration with allowing additional risk information to be provided to web sites is that the rational for why the browser does not provide this information in the first place is not ignored. Certainly, malicious web sites could make good use of this information and web browser developers have a good reason for leaving this information out of reach. Thus, as mentioned, in one embodiment, the underlying client configuration data 3050 is not directly provided to the relying party 3051. Rather, in one embodiment, the client risk data is assessed directly on the client device by the client risk assessment agent 3004 and a risk value is provided to the assurance level calculation. All the relying party 3051 needs to know is whether authentication was successful (if an assurance level was specified ahead of time) and/or the current assurance level. In this manner, the client's configuration data 3050 is protected from disclosure.

Claim(s) 6, is/are rejected under 35 U.S.C. 103 as being unpatentable over Summerfield in view of Lindemann, Van et al., EP 3528173 A1 and Official Notice.
Referring to claim(s) 6, Summerfield and Lindemann do not specifically mention about, which is well-known in the art, which Van discloses, wherein: the communication device sends a user alert to indicate a need for action of the device in response to the valid rejection being user based
In some examples, during the animation, the interface object (e.g., 1519) moves (e.g., tilts and/or shifts) in a predetermined manner (e.g., side to side) to indicate the failure. In some examples, the device (e.g., 100, 300, 500, 1500) generates a tactile output (e.g., 1526) or a sequence of tactile outputs that correspond to the biometric authentication failure animation (e.g., tactile outputs are generated as the simulation of the biometric feature moves back and forth). Outputting a tactile output or a sequence of tactile outputs that correspond to the biometric authentication failure animation further alerts that user that the authentication was unsuccessful and enables the user to quickly identify that authentication is still needed to proceed with the operation. Providing improved tactile feedback to the user enhances the operability of the device and makes the user-device interface more efficient which, additionally, reduces power usage and improves battery life of the device by enabling the user to use the device more quickly and efficiently.
the communication device sends a user alert to indicate a need for device operation in response to the valid rejection being device based.
[0017] In some embodiments, the warning system may utilize indicators, or combinations of indicators, to detect “lateral movement” of a user. This refers to the phenomenon of a user or device presenting authentication credentials corresponding to more than one user. Such lateral movement may be indicative of a cyber attack. In an example embodiment, the warning system tracks lateral movement by reviewing indicators reflecting authentication attempts, and creating, from those authentication attempts, a tally of how many different users one user or device has attempted to authenticate as.
[0099] The top strategies pane 1002 shows the types of activities or indicators monitored that recently generated the most events related to this resource. Advantageously, this allows the analyst to determine whether or not there is a trend of a certain suspicious activity increasing in volume, and whether or not the sources of alerts are concentrated. The open alerts counter 1009 indicates the number of alerts currently requiring a response from the analyst. The alerts and events filter field 1018 accepts text input from the analyst and allows him to filter the alerts and events being displayed. For example, the analyst may enter the name of a specific user or may enter the type of a specific suspicious activity such as authentication failure to filter the alerts displayed. Advantageously, this allows the analyst to investigate certain types of activity related to a cyber attack against a resource in greater detail. The quick action bar 1020 allows the analyst to select one out of several responses to the selected one or more alerts. For example, the analyst may be able to escalate the one or more alerts to a supervisor by selecting the escalate option, the analyst may dismiss the one or more alerts as non-critical by clicking the sign-off option, the analyst may be able to assign another analyst to conduct an investigation by clicking the initiate investigation option.
[0110] In some embodiments, notifications of new alerts, or of other developments, such as a risk score exceeding a critical value, can be generated and automatically transmitted to a device operated by the user associated with a corresponding trigger. The notification and/or notification can be transmitted at the time that the notification is generated or at some determined time after generation of the notification and/or notification. When received by the device, the notification and/or notification can cause the device to display the notification and/or notification via the activation of an application on the device (e.g., a browser, a mobile application, etc.). For example, receipt of the notification and/or notification may automatically activate an application on the device, such as a messaging application (e.g., SMS or MMS messaging application), a standalone application (e.g., a warning system monitoring application), or a browser, for example, and display information included in the notification or additional related information. If the device is offline when the notification and/or notifications are transmitted, the application may be automatically activated when the device is online such that the notification and/or notification are displayed. As another example, receipt of the notification and/or notification may cause a browser to open and be redirected to a login page generated by the warning system so that the user can log in to the warning system and view the notification and related data. Alternatively, the notification and/or notification may include a URL of a webpage (or other online information) associated with the notification, such that when the device (e.g., a mobile ) receives the notification, a browser (or other application) is automatically activated and the URL included in the notification and/or notification is accessed via the Internet. Advantageously, this keeps analysts and other interested members of an organization informed about critical development, without requiring them to periodically check the status of the warning system.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Summerfield to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well-known sending of user alerts when a condition is met. Upon sending the alert the receiving entity would perform action for further processing based on the type of the alert, para 110. Summerfield, Van and Lindemann do not specifically mention about, training and servicing. Official Notice is taken that these limitations are well-known in the art. The alert would enable containing information that would be sent to another entity. Upon sending the alert the training and servicing would be accomplished.  

Claim(s) 11, is/are rejected under 35 U.S.C. 103 as being unpatentable over Lindemann in view of Van et al., EP 3528173 A1 and Official Notice.
Referring to claim(s) 11, Lindemann does not specifically mention about, which is well-known in the art, which Van discloses, wherein: the communication device sends a user alert to indicate a need for action of the device in response to the valid rejection being user based
In some examples, during the animation, the interface object (e.g., 1519) moves (e.g., tilts and/or shifts) in a predetermined manner (e.g., side to side) to indicate the failure. In some examples, the device (e.g., 100, 300, 500, 1500) generates a tactile output (e.g., 1526) or a sequence of tactile outputs that correspond to the biometric authentication failure animation (e.g., tactile outputs are generated as the simulation of the biometric feature moves back and forth). Outputting a tactile output or a sequence of tactile outputs that correspond to the biometric authentication failure animation further alerts that user that the authentication was unsuccessful and enables the user to quickly identify that authentication is still needed to proceed with the operation. Providing improved tactile feedback to the user enhances the operability of the device and makes the user-device interface more efficient which, additionally, reduces power usage and improves battery life of the device by enabling the user to use the device more quickly and efficiently.
the communication device sends a user alert to indicate a need for device operation in response to the valid rejection being device based.
[0017] In some embodiments, the warning system may utilize indicators, or combinations of indicators, to detect “lateral movement” of a user. This refers to the phenomenon of a user or device presenting authentication credentials corresponding to more than one user. Such lateral movement may be indicative of a cyber attack. In an example embodiment, the warning system tracks lateral movement by reviewing indicators reflecting authentication attempts, and creating, from those authentication attempts, a tally of how many different users one user or device has attempted to authenticate as.
[0099] The top strategies pane 1002 shows the types of activities or indicators monitored that recently generated the most events related to this resource. Advantageously, this allows the analyst to determine whether or not there is a trend of a certain suspicious activity increasing in volume, and whether or not the sources of alerts are concentrated. The open alerts counter 1009 indicates the number of alerts currently requiring a response from the analyst. The alerts and events filter field 1018 accepts text input from the analyst and allows him to filter the alerts and events being displayed. For example, the analyst may enter the name of a specific user or may enter the type of a specific suspicious activity such as authentication failure to filter the alerts displayed. Advantageously, this allows the analyst to investigate certain types of activity related to a cyber attack against a resource in greater detail. The quick action bar 1020 allows the analyst to select one out of several responses to the selected one or more alerts. For example, the analyst may be able to escalate the one or more alerts to a supervisor by selecting the escalate option, the analyst may dismiss the one or more alerts as non-critical by clicking the sign-off option, the analyst may be able to assign another analyst to conduct an investigation by clicking the initiate investigation option.
[0110] In some embodiments, notifications of new alerts, or of other developments, such as a risk score exceeding a critical value, can be generated and automatically transmitted to a device operated by the user associated with a corresponding trigger. The notification and/or notification can be transmitted at the time that the notification is generated or at some determined time after generation of the notification and/or notification. When received by the device, the notification and/or notification can cause the device to display the notification and/or notification via the activation of an application on the device (e.g., a browser, a mobile application, etc.). For example, receipt of the notification and/or notification may automatically activate an application on the device, such as a messaging application (e.g., SMS or MMS messaging application), a standalone application (e.g., a warning system monitoring application), or a browser, for example, and display information included in the notification or additional related information. If the device is offline when the notification and/or notifications are transmitted, the application may be automatically activated when the device is online such that the notification and/or notification are displayed. As another example, receipt of the notification and/or notification may cause a browser to open and be redirected to a login page generated by the warning system so that the user can log in to the warning system and view the notification and related data. Alternatively, the notification and/or notification may include a URL of a webpage (or other online information) associated with the notification, such that when the device (e.g., a mobile ) receives the notification, a browser (or other application) is automatically activated and the URL included in the notification and/or notification is accessed via the Internet. Advantageously, this keeps analysts and other interested members of an organization informed about critical development, without requiring them to periodically check the status of the warning system.
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Summerfield to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well-known sending of user alerts when a condition is met. Upon sending the alert the receiving entity would perform action for further processing based on the type of the alert, para 110. Van and Lindemann do not specifically mention about, training and servicing. Official Notice is taken that these limitations are well-known in the art. The alert would enable containing information that would be sent to another entity. Upon sending the alert the training and servicing would be accomplished.  

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 7-10 are rejected under 35 U.S.C. 102(a)(2) as being clearly anticipated by Lindermann.
Referring to claim 7, Lindermann clearly discloses a method for user authentication of a communication device, comprising:  determining, by an authentication engine of the communication device, successful and unsuccessful authentications in response to a user-originated voice biometric input being compared to a voice biometric matching threshold; and 
(2) FIG. 1 illustrates an exemplary client 120 with a biometric device 100. When operated normally, a biometric sensor 102 reads raw biometric data from the user (e.g., capture the user's fingerprint, record the user's voice, snap a photo of the user, etc) and a feature extraction module 103 extracts specified characteristics of the raw biometric data (e.g., focusing on certain regions of the fingerprint, certain facial features, etc). A matcher module 104 compares the extracted features 133 with biometric reference data 110 stored in a secure storage on the client 120 and generates a score 153 based on the similarity between the extracted features and the biometric reference data 110. The biometric reference data 110 is typically the result of an enrollment process in which the user enrolls a fingerprint, voice sample, image or other biometric data with the device 100. An application 105 may then use the score 135 to determine whether the authentication was successful (e.g., if the score is above a certain specified threshold).
(385) Returning to FIG. 37, in one embodiment, authentication may be performed via an authentication engine 3710 on the client devices 3600-3602 designed to perform a series of transactions with the relying party 3650 to remotely authenticate each user. For example, as described in the co-pending applications an authentication framework and associated authentication techniques may be employed in which a user enrolls with biometric devices 3720-3721 of a client to generate biometric template data (e.g., by swiping a finger, snapping a picture, recording a voice, etc); registers the biometric devices with one or more relying parties 3650 over a network (e.g., Websites or other relying parties equipped with secure transaction services); and subsequently authenticates with those relying parties 3650 using data exchanged during the registration process (e.g., encryption keys provisioned into the biometric devices).
enabling non-voice usage compensation controls to securely authenticate a user having passed voice-based authentication with a lowered voice biometric matching threshold.
(206) In one embodiment, the authentication policy engine 1710 may use the correlation results provided by the device proximity detection logic 2001 to determine the level of authentication required by the user for each relying party 1750. For example, if a high correlation exists (i.e., above a specified threshold), then the authentication policy engine may not require explicit authentication by the end user. By contrast, if there is a low correlation between the user's current location and the historical device proximity data 2004 (i.e., below a specified threshold), then the authentication policy engine 1710 may require more rigorous authentication (e.g., a biometric authentication such as a fingerprint scan and/or requesting PIN entry).

(215) In one embodiment, the supplemental data correlation module 2140 compares data gathered from sensors 1743 on the user's device against multiple other end users in the immediate area to identify anomalies that suggest the user is not operating in the same physical location as those known users. For example, if a set of authenticated users are identified who are operating the same physical area, and all of those users' devices note that the local temperature in the area is 10° C., the supplemental data correlation module 2140 may generate a low correlation score for an end user whose temperature sensor 2101 indicates the local temperature is 20° C. As a result, the authentication policy 1711 may require more rigorous authentication techniques 1712.
(216) As yet another example, the supplemental data correlation module 2140 may compare current readings against historical data for a particular user. For example, as mentioned, sensor data may be analyzed during periods of time when the user is known to be in possession of the device 1700 (e.g., for a time period following an explicit authentication). The supplemental data correlation module 2140 may then look for discontinuities in the local data to identify suspicious behavior. For example, if the user's ambient temperature normally floats between 10° C. and 20° C. and it is currently at 30° C., this may indicate the user is not in a typical location, thereby generating a low correlation and causing the authentication policy module 1711 to require an additional level of scrutiny for a transaction.
(217) The supplemental data correlation module 2140 may perform various different types of correlations between sensor data and supplemental location data while still complying with the underlying principles of the invention. For example, various known correlation mechanisms may be used to determine the statistical relationship between the two sets of data. In one embodiment, the correlation score provided to the authentication policy engine 1711 comprises a normalized value (e.g., between 0-1) indicating a level of correlation. In one embodiment, various threshold levels may be set for detected differences between the sensors 1743 and supplemental location data 2110. For example, if the temperature sensor 2101 measures a temperature of more than 3 degrees off of the current temperature (gathered from other devices or the Internet), then a first threshold may be triggered (resulting in a lowering of the correlation score). Each additional 3 degrees off from the current temperature may then result in a new threshold being met (resulting in a corresponding lowering of the correlation score). It should be noted, however, that these are merely examples of one embodiment of the invention; the underlying principles of the invention are not limited to any particular manner of performing a correlation.
(218) A method in accordance with one embodiment of the invention is illustrated in FIG. 22. At 2201, the current location being reported by the client device (e.g., via the GPS module on the device) is read. At 2202, supplemental location data is collected for the reported location along with sensor data from the client device. As mentioned above, the supplemental location data may be collected locally or remotely (e.g., from other clients and/or servers on the Internet) and may include data such as the current temperature, pressure and/or humidity for the reported location. The sensor data may be provided by temperature sensors, barometric or altimeter pressure sensors, and/or humidity sensors.
(219) At 2203, a correlation is performed between the supplemental location data and the sensor data provided by the device sensors. In one embodiment, a relatively higher correlation will result in a relatively higher correlation score at 2204 whereas lower correlations will result in relatively lower correlation scores. As mentioned, in one embodiment, the correlation score is a normalized value (e.g., between 0-1) indicating the similarity between the sensor readings and supplemental data.
(220) At 2205 one or more authentication techniques are selected based (at least in part) on the correlation score. For example, if a relatively low correlation score is provided, then more rigorous authentication techniques may be selected whereas if a relatively high correlation exists then less rigorous authentication techniques may be selected (potentially those which do not require explicit authentication by the end user).
Referring to claim 8, Lindemann discloses wherein the authentication engine is further operable to receive a valid user PIN entry, indicative of a valid user, and to determine false rejections and valid rejections.
(103) FIG. 8 illustrates one embodiment of the invention for implementing adaptive authentication techniques. As in the embodiments discussed above, this embodiment includes one or more non-intrusive authentication modules 230 for performing non-intrusive authentication (e.g., based on location, sensed user behavior, etc) and one or more explicit authentication modules 222 for performing explicit user authentication (e.g., requiring a PIN, fingerprint scan, etc). In addition, as in prior embodiments, an assurance calculation module 212 performs assurance calculations based on, for example, the time since the last explicit authentication (provided by timer 211) and/or authentication data provided by the various authentication modules 230, 222. The secure communication module 213 establishes secure communication with the relying party 250 (e.g., using a secure encryption key as discussed above).
(200) If authentication is not successful, then the transaction is blocked at 1907. At this stage, the transaction may be permanently blocked or additional authentication steps may be requested. For example, if the user entered an incorrect PIN, the user may be asked to re-enter the PIN and/or perform biometric authentication.
(225) In one embodiment, the authentication device data 2329 comprises data associated with each of the explicit user authentication devices 1720-1721 known to be used with clients 1700. For example, the policy database 2325 may include an entry for a “Validity Model 123” fingerprint sensor along with technical details related to this sensor such as the manner in which the sensor stores sensitive data (e.g., in cryptographically secure hardware, EAL 3 certification, etc) and the false acceptance rate (indicating how reliable the sensor is when generating a user authentication result).
(226) In one embodiment, the authentication device classes 2328 specify logical groupings of authentication devices 2329 based on the capabilities of those devices. For example, one particular authentication device class 2328 may be defined for (1) fingerprint sensors (2) that store sensitive data in cryptographically secure hardware that has been EAL 3 certified, and (3) that use a biometric matching process with a false acceptance rate less than 1 in 1000. Another device class 2328 may be (1) facial recognition devices (2) which do not store sensitive data in cryptographically secure hardware, and (3) that use a biometric matching process with a false acceptance rate less than 1 in 2000. Thus, a fingerprint sensor or facial recognition implementation which meets the above criteria will be added to the appropriate authentication device class(es) 2328.
14) Various “fusion” methods for combining biometric modalities have been proposed. Some of them address usability issues by reducing the false rejection rate (FRR); other address the security issue by reducing the false acceptance rate (FAR). These methods thus far have proposed static fusion algorithms. Unfortunately this approach still leads to varying assurance levels depending on the “other inputs” (as discussed above).

Referring to claim 9, Lindemann discloses, wherein the lowered voice biometric matching threshold is generated by the authentication engine in response to a user rejection rate that is above a population norm, and wherein the user rejection rate is determined based on valid PIN entry subsequent to an unsuccessful authentication.
(75) Following the legitimate user state, the assurance level may be measured based on a combination of the elapsed time since explicit user authentication and other variables which indicate that the authorized user is in possession of the device (e.g., based on non-intrusive input detected from device sensors). For example, the biometric gait of the user may be measured using an accelerometer or other type of sensor in combination with software and/or hardware designed to generate a gait “fingerprint” from the user's normal walking pattern. In addition, the distance to frequently visited destinations of the legitimate user may be tracked, stored and subsequently used to determine the assurance level. For example, if the user is connecting to a relying party from a location known to be the user's home or office, then the assurance level may be set to a relatively high value, whereas if the device is connecting from an unknown or distant location, then the assurance level may be adjusted to a lower level.
(200) If authentication is not successful, then the transaction is blocked at 1907. At this stage, additional authentication steps may be requested. For example, if the user entered an incorrect PIN, the user may be asked to re-enter the PIN and/or perform biometric authentication.
(77) The end result is that an assurance level that the legitimate user still is in the possession of the device may be sent to the relying party in the authentication response. In one embodiment, the assurance level is “signed” or otherwise authenticated by a key (e.g., a relying-party specific key established and attested in a registration phase as discussed below). In one embodiment, the assurance level is normalized to a value between −100 and 100, where −100 means “almost certain it is not the legitimate user,” 0 means “don't know,” and 100 means “almost certain that it is the legitimate user.”
In one embodiment, the risk engine 812 then evaluates this data to arrive at an implicit “risk score” (or a preliminary assurance level inversely related to the risk score), which may be used to determine the amount of additional assurance required to authenticate the user for a given transaction.
(108) In one embodiment, based on the implicit risk score, the adaptive authentication module on the relying party 810 or the client device 800 determines a set of one or more authentication modules 222, 230 with the potential of increasing the overall assurance level to the required level for an intended transaction (i.e., when combined with the preliminary assurance level/implicit risk score). In one embodiment, the assurance level gain analysis module 811 determines the amount of gain required and the adaptive authentication module 800, 810 is provided with an indication of the required assurance level gain as a parameter. The adaptive authentication module 800, 810 then uses this “gain” parameter in order to determine the most convenient set of authentication techniques (non-intrusive 230 and/or explicit 222) in order to achieve (at least) the required gain. The adaptive authentication module 800 may include a formal description of the selected set of authentication techniques in a response to the relying party 250 (e.g. as an authenticated extension). The relying party 250 may then verify whether the resulting overall assurance level meets the required level.
(288) The score generated by the facial recognition module 2604 may then be combined with scores from other authentication modules (e.g., such as eye tracking module 2605 discussed below) to form an assurance level 2606, representing the assurance that the legitimate user is initiating the current transaction. In one embodiment, each score must reach a particular threshold value to generate a sufficient assurance level 2606 for a particular transaction. In one embodiment (assuming the thresholds are reached), the scores may be added together or combined using other mathematical formulae (e.g., the scores may be weighted, averaged, added together, or combined in any other way).

Referring to claim 10, Lindemann discloses detecting a valid biometric rejection; and determining whether the valid biometric rejection is user based or device based.
(369) At 3501, the client enters the vicinity of the local secure transaction device (e.g., an ATM) and, at 3502, a secure connection is established with the local secure transaction device over a local channel. As mentioned, the local channel may be implemented using near field communication, Bluetooth, Wifi, or any other type of protocol supported by both the client device and the local secure transaction device. Operation 3502 may not be required in some embodiments. For example, when the client device is capable of authenticating with the relying party with a high level of assurance that the legitimate user is in possession of the client device and if the client device is capable of verifying its current location to the relying party, then the local channel may not be necessary. (370) At 3503, the client device authenticates with the relying party over the network. Any available techniques for generating an assurance level that the legitimate user is in possession of the device may be used for this operation. For example, the user may perform explicit authentication by swiping a finger on a biometric fingerprint device, capturing a facial image for facial recognition, and/or entering a secret code. Alternatively, non-intrusive authentication techniques may be performed such as determining whether the user has explicitly authenticated with the client device recently (e.g., within a specified time period) and/or using sensor data such as location data, temperature/pressure data, and/or accelerometer data. (371) Regardless of how the assurance level is generated, the results of the authentication may be provided to the relying party over the network in a manner which protects the user's privacy (e.g., without providing data that specifically identifies the client device). For example, as previously mentioned, the assurance level itself and/or an indication of the success or failure of authentication may be provided to the relying party, without disclosing any confidential user information. (199) As mentioned above, the level of authentication required may be determined based on the current transaction. For example, a transaction which requires a transfer of a significant amount of money may require a relatively high authentication assurance threshold, whereas non-monetary transaction may require a relatively lower authentication assurance threshold. Thus, the location-aware authentication techniques described herein may be sufficient for certain transactions but may be combined with more rigorous authentication techniques for other transactions. (200) If authentication is not successful, then the transaction is blocked at 1907. At this stage, the transaction may be permanently blocked or additional authentication steps may be requested. For example, if the user entered an incorrect PIN, the user may be asked to re-enter the PIN and/or perform biometric authentication. (342) One consideration with allowing additional risk information to be provided to web sites is that the rational for why the browser does not provide this information in the first place is not ignored. Certainly, malicious web sites could make good use of this information and web browser developers have a good reason for leaving this information out of reach. Thus, as mentioned, in one embodiment, the underlying client configuration data 3050 is not directly provided to the relying party 3051. Rather, in one embodiment, the client risk data is assessed directly on the client device by the client risk assessment agent 3004 and a risk value is provided to the assurance level calculation. All the relying party 3051 needs to know is whether authentication was successful (if an assurance level was specified ahead of time) and/or the current assurance level. In this manner, the client's configuration data 3050 is protected from disclosure.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571)272-3973.  The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached at (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HARESH N PATEL/Primary Examiner, Art Unit 2496