Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Response to Arguments

Applicant has filed a Terminal Disclaimer to overcome the previous double patenting rejection. Therefore the previous double patenting rejection is withdrawn.
Applicant argues: “the cited art teaches receiving explicit authentication data from possession factors. To the extent any references teach or suggest the use of implicit authentication data, the implicit authentication data is not received from a possession factor. For example, Agrafioti teaches a wearable biometric device that determines if it is worn by the user which is to be authenticated. The signals sent by the wearable device provide explicit confirmation that the wearable device is being worn by the user. (Remarks pg. 15-16)”
	The Examiner respectfully disagrees. Applicant’s specification defines “implicit authentication” as “implicit authentication data is collected or generated without the user’s intervention or assisting the possession factor (Paragraph [0029]).”
	Agrafioti teaches in Paragraph [0140] “Passwords, PINS, voice commands, finger tapping, finger swiping, or other deterministic inputs may be used as additional authentication mechanisms. Once authenticated, the wearable device may be considered preauthorized…until it is separated from the user.”
	Therefore Agrafioti teaches first explicit authentication (i.e. Passwords or other deterministic inputs) and then once authenticated Agrafioti teaches implicit authentication (i.e. authenticated as long as the wearable is not separated from the user.)
	The previously cited portions of Agrafioti teach implicit authentication of a preauthorized device. That is, Paragraphs [0161-0162] teaches the user being passively and implicitly authenticated by wearing the device (i.e. possession factor) without requiring active user intervention.
	Therefore Agrafioti teaches “obtaining…implicit authentication data based on the possession factor.”
	Applicant in Remarks pages 16-17 argues Smith and Johnson do not teach the obtaining from a possession factor, however Smith and Johnson are not being used to teach these limitations.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Applicant has amended that to include obtaining at a remote server, an authentication request and obtaining at the remote server from the possession factor, implicit authentication data.
Agrafioti teaches obtaining at a remote server, an authentication request (Fig. 9, 908, and associated text teaches obtaining at an access point an authentication request),  and obtaining at the remote server from the possession factor, implicit authentication data (Fig. 9, 910, and associated text teaches the access point checks the biometric device to determine whether the user is wearing the biometric device).
Therefore Agrafioti teaches the amended limitations.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-12, 15-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Agrafioti (US 2015/0028996) in view of Smith (US 2014/0282945) further in view of Johnson (US 2014/0298421)


Regarding Claim 1,

Agrafioti (US 2015/0028996) teaches a system for authentication using implicit authentication data, the system comprising: 
an authentication platform that includes a remote server comprising one or more computing processors and one or more non-transitory storage media storing computer instructions that, when executed by the one or more computing processors perform: 
obtaining, via one or more communication networks, at a remote server an authentication request that initiates an implicit authentication process for a transaction involving authentication (Paragraph [0162] teaches transactions requiring authentication, e.g. purchase coffee, transit payments)(Fig. 9, 908, and associated text teaches obtaining at an access point an authentication request), and wherein the implicit authentication process includes passively authenticating a user based on whether implicit authentication data obtained from a possession factor indicates a calculated likelihood that the user has possession of the possession factor, wherein the possession factor comprises one or more user authentication credentials (Paragraph [0161-0162] teaches a wearable biometric device that passively authenticates the user); 
obtaining, via the one or more communication networks at the remote server from the possession factor, implicit authentication data based on the possession factor, wherein the implicit authentication data includes data relating to one or more activities involving the possession factor and/or a present state of the possession factor indicative of whether the possession factor is currently, or was recently, in possession of the user (Fig. 9, 910, and associated text teaches the access point checks the biometric device to determine whether the user is wearing the biometric device)(Figure 10, 10002, determines whether possession factor is in possession of the user); 

Agrafioti does not explicitly teach using the implicit authentication data from the possession factor to determine a likelihood of possession of the possession factor by the user based on a possession factor continuum of a plurality of authentication requirements for authenticating the user; and implicitly authenticating the user if the likelihood of possession satisfies a possession confidence threshold that enables implicit authentication of the user.
Smith (US 2014/0282945) teaches the user based on a possession factor continuum of a plurality of authentication requirements for authenticating the user; and implicitly authenticating the user if the likelihood of possession satisfies a possession confidence threshold that enables implicit authentication of the user (Paragraph [0076] teaches a continuous authentication confidence module)(Paragraph [0080-0082] teaches the CACM may apply contextual and/or presence evidence supporting that the human authenticated by the device)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention do modify Agrafioti with the analysis of Smith

The motivation is to maintain a degree of confidence that the authenticated user is present (Paragraph [0068] of Smith)

Agrafioti and Smith do not explicitly teach 
wherein the authentication request is generated by a service provider, separate from the authentication platform, in response to receipt of an access request from an unauthorized device

Johnson (US 2014/0298421) teaches wherein the authentication request is generated by a service provider, separate from the authentication platform, in response to receipt of an access request from an unauthorized device (Figure 2, primary service 202, separate from authentication platform, generates authentication request)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Agrafioti and Smith with the service provider sending the request as taught by Johnson
The motivation is to protect high value web service providers such as banks (Paragraph [0003])


Regarding Claim 2,

Agrafioti, Smith and Johnson teaches the system of claim 1. Smith teaches further at the authentication platform: if it is determined that the user is not currently or was not recently in possession of the possession factor (Figure 10, 1002), selectively changing from implicit authentication to an express authentication involving user-interactive authentication at the possession factor in which user authentication input interaction with the possession factor is performed to obtain an explicit authentication response from the user (Figure 10, 10006, reset wearable biometric to return to unauthenticated state)(Paragraph [0189] teaches requiring user to authenticate biometric again)

Regarding Claim 3,


Agrafioti, Smith and Johnson teaches the system of claim 1. Smith teaches the system of claim 1, further at the authentication platform: generating a likelihood of possession of the possession factor by the user, wherein the likelihood of possession comprises a probability value or a confidence level indicating a probability or confidence that the possession factor is possessed by the user (Paragraph [0078] teaches generating a likelihood of possession factor), wherein the generating the likelihood of possession includes: (i) selectively parsing, by the authentication platform, determinative data from the implicit authentication data that indicates a likely possession or that indicates a potential lack of possession of the possession factor by the user from the implicit authentication data thereby generating a subset of the implicit authentication data (Paragraph [0078]), (ii) applying one or more analysis techniques or transformation techniques to the subset of the implicit authentication data to determine possession insights relating to the likely possession or the lack of possession of the possession factor (Paragraph [0079-0080]), and (iii) calculating the probability value or the confidence level for the likelihood of possession using the subset of the implicit authentication data and the possession insights (Paragraph [0079-0080] teaches initial confidence level).

Regarding Claim 4,

Agrafioti, Smith and Johnson teaches the system of claim 1. Johnson teaches further at the authentication platform: receiving the authentication request is initialized by a transmission provided midstream of a primary authentication, the transmission indicating that the primary authentication is being performed at a service provider for authenticating the transaction; wherein the primary authentication is: (i) performed independent of the secondary authentication process using the secondary authentication data, and (ii) performed by the service provider (Figure 2, primary authentication is done by service provider 202, 203, which is performed separate from the secondary authentication data 205, 206). Agrafioti teaches secondary authentication may be implicit authentication.

Regarding Claim 5,

Claim 5 is similar in scope to Claim 1 and is rejected for a similar rationale.

Regarding Claims 6-7,

Agrafioti, Smith and Johnson teaches the system of claim 5 . Johnson teaches further comprising: receiving a possession-factor authentication request that triggers an initialization of the secondary authentication based on the possession factor (Figure 2, 310, 215, 230), wherein the possession-factor authentication request comprises an indication that a primary authentication separate from the secondary authentication was performed successfully or is being performed on a basis of authentication data provided expressly by the user (Figure 2, 240, 250, 260) Agrafioti teaches secondary authentication may be implicit authentication.

Regarding Claim 8,

Claim 8 is similar in scope to Claim 3 and is rejected for a similar rationale.

Regarding Claim 9,

Agrafioti, Smith and Johnson teaches the system of claim 5 . Agrafioti teaches further comprising: querying the possession factor for the implicit authentication data and analysis of the implicit authentication data, wherein the analysis provides one or more indications to determine if the possession factor is possessed by the user (Figure 12, 1202, 1204, .

Regarding Claim 10,

Agrafioti, Smith and Johnson teaches the system of claim 9 . Agrafioti teaches wherein: the possession factor comprises a smartphone or a mobile electronic device that includes a mechanism native to an operating system thereof that generates the analysis of the implicit authentication data captured or generated by one or more of device sensors and computing resources of the smartphone or the mobile electronic device (Paragraph [0057] teaches authorized authentication device is a possession factor)(Paragraph [0093] teaches generating analysis of biometric data).

Regarding Claim 11,

Agrafioti, Smith and Johnson teaches the system of claim 5 . Agrafioti teaches wherein the implicit authentication data comprises biometric data, wherein the biometric data comprises: (1) an analysis of or data related to a gait of a user having, at some historical time, possession of the possession factor (Paragraph [0028, 0091] teaches biometric data may be gait), or (2) an analysis of or data related to a fingerprint of a user, wherein the analysis of or the data related to the fingerprint was generated or collected in a historical authentication event that is separate from the implicit authentication.

Regarding Claim 12,

Agrafioti, Smith and Johnson teaches the system of claim 5 . Agrafioti teaches further comprising: identifying, among a plurality of varying authentication requirements, an authentication requirement for a transaction based on a likelihood of possession, the authentication requirement defining (i) a process or one or more actions to prove authority to perform the transaction or (ii) a process or one or more actions to prove an identity of a user attempting to perform a transaction (Paragraph [0155] teaches one ore more actions (i.e. gestural or postural) to prove the identity of the user);
 and identifying authentication requirements based on predetermined possession factor authentication policy set at the possession factor, wherein the predetermined possession factor authentication policy defines the plurality of varying authentication requirements permissible via an attempt to implicitly authenticate the user and dictates one or more conditions for performing each of the plurality of varying authentication requirements (Paragraph [0193-0194] teaches security policy and authentication requirements)

Regarding Claim 15,

Agrafioti, Smith and Johnson teaches the system of claim 5 . Smith teaches further comprising: generating a likelihood of possession of the possession factor by the user, wherein the likelihood of possession comprises a probability value indicating a probability that the possession factor is possessed by the user (Paragraph [0079] teaches a confidence level that the possession factor is possessed by the user), wherein generating a possession confidence level includes: (i) comparing the probability value of the likelihood of possession to a possession factor continuum, the possession factor continuum being defined by a plurality of possession confidence levels provided in an increasing manner or a decreasing manner along the possession factor continuum, and (ii) determining the possession confidence level based on the comparing (Paragraph [0080-0081] teaches providing a decay rate to the data and generate a confidence level based on the decay rate)

Regarding Claims 16-19,

Claims 16-18 are similar in scope to Claims 1-3, 9 and are rejected for a similar rationale.

Claims 13-14, 20  is/are rejected under 35 U.S.C. 103 as being unpatentable over Agrafioti (US 2015/0028996) in view of Smith (US 2014/0282945) further in view of Johnson (US 2014/0298421) further in view of Kursun (US 2015/0035643)


Regarding Claim 13,

Agrafioti, Smith and Johnson teaches the system of claim 5 but do not explicitly teach the remaining limitations
Kursun teaches further comprising: generating a likelihood of possession comprising generating a possession confidence score using the implicit authentication data and transaction request data provided with the authentication request, wherein the transaction request data comprises data exchanged as part of a transaction request initiating the transaction requiring authentication (Paragraph [0090, 0101, 0120] teaches a confidence level)(Paragraph [0110] teaches transaction request data), 
and wherein the data exchanged comprises one or more of an originating service provider, an originating Internet Protocol (IP) address of the transaction request, a time of the transaction request, and details of a primary authentication for the transaction (Paragraph [0110] teaches transaction request data including originating source provider); and using the implicit authentication data and the possession confidence score to determine whether to automatically authenticate the user (Paragraph [0024] teaches automatically authenticating user)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Agrafioti, Smith and Johnson with the method of using  confidence score in transactions as taught in Kursun
The motivation is to protect user privacy in transactions (Paragraph [0036])

Regarding Claim 14,

Agrafioti, Smitha and Johnson teaches the method of claim 13, wherein, based on the implicit authentication data, the authentication requirement comprises one of.

(1) performing automatic authentication of the transaction without intervention at the possession factor by the user (Kursun, Paragraph [0024])), (2) performing user-interactive authentication based on transmitting a push notification to the possession factor, wherein the user-interactive authentication comprises a binary prompt for approval or denial of the transaction by the user, (3) performing additional authentication to verify an identity or authorization of the user attempting to perform the transaction, and (4) automatically denying authentication of the transaction.



Regarding Claim 20,

Claim 20 is similar in scope to Claim 13 and is rejected for a similar rationale.

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462. The examiner can normally be reached M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HARRIS C WANG/Primary Examiner, Art Unit 2439