DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to Application 17537186 filed on 11/29/2021. Claims 1, 8 and 15 are independent claims. Claims 1-20 have been examined and are pending in this application. This Office Action is made Non-Final.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/29/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3-9 and 11-17 of U.S. Patent No. 11,190,517. They are not patentably distinct from each other because the claims of the instant application are anticipated by the reference claims.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3-9 and 11-17 of U.S. Patent No. 11,190,517. Although the claims at issue are not identical, they are not patentably distinct from each other because Claims 1-20 of the instant application are anticipated by claims 1, 3-9 and 11-17 of the US Patent No. 11,190,517, respectively (refer to the comparison table below for detail).

Comparison table: Instant Application 17/537,186 and US Patent No. 11,190,517

[Instant Application 17/537,186]
Claim 1. A method comprising:
storing, by an access gateway, authentication data including a plurality of authentication factors, 
wherein each authentication factor of the plurality of authentication factors corresponds to a particular user of a multi-resource computing environment, 
wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and 
wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment;
determining, by the access gateway for each authentication factor of the plurality of authentication factors, a respective intrinsic value, wherein the respective intrinsic value indicates a corresponding level of validity for each authentication factor of the plurality of authentication factors; 
determining, by the access gateway, a cumulative assurance level of the authentication data, 
wherein the cumulative assurance level is based on a combination of respective intrinsic values associated with the plurality of authentication factors; 
after the period of time, receiving, by the access gateway from a computing device of the plurality of computing devices associated with the particular user, an access request to access a computing resource system of the plurality of computing resource systems in the multi-resource computing environment,
the computing resource system associated with a threshold authentication level;
in response to receiving the access request from the computing device, determining, by the access gateway based on a comparison of the cumulative assurance level of the authentication data with the threshold authentication level of the computing resource system,
that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system; and
responsive to determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system,
providing, by the access gateway,
the computing device that provided the access request as well as each of the plurality of computing devices that provided the corresponding access request received during the period of time with access to the computing resource system.

[US Patent No. 11,190,517]
Claim 1. A method of authenticating an access request for accessing a computing resource system in a multi-resource computing environment, the method comprising:
storing, by an access gateway, authentication data including a plurality of authentication factors, 
wherein each authentication factor of the plurality of authentication factors corresponds to a particular user of the multi-resource computing environment, 
wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and 
wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment;
determining, by the access gateway for each authentication factor of the plurality of authentication factors, a respective intrinsic value, wherein the respective intrinsic value indicates a corresponding level of validity for each authentication factor of the plurality of authentication factors; 
determining, by the access gateway, a cumulative assurance level of the authentication data, 
wherein the cumulative assurance level is based on a combination of respective intrinsic values associated with the plurality of authentication factors; 
after the period of time, receiving, by the access gateway from a computing device of the plurality of computing devices associated with the particular user, the access request to access the computing resource system of the plurality of computing resource systems in the multi-resource computing environment, 
the computing resource system associated with a threshold authentication level; 
in response to receiving the access request from the computing device, determining, by the access gateway based on a comparison of the cumulative assurance level of the authentication data with the threshold authentication level of the computing resource system,
that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data;
responsive to determining that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data,
requesting, by the access gateway, an additional authentication factor from the computing device; receiving, by the access gateway, the additional authentication factor from the computing device; and
providing, by the access gateway based at least in part on the additional authentication factor,
the computing device that provided the access request as well as each of the plurality of computing devices that provided the corresponding access request received during the period of time with access to the computing resource system.

[Instant Application 17/537,186]
Claim 8. An access gateway comprising:
a processor; and a memory storing instructions that, when executed by the processor, cause the processor to perform operations comprising storing authentication data including a plurality of authentication factors, 
wherein each authentication factor of the plurality of authentication factors corresponds to a particular user of a multi-resource computing environment, 
wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and 
wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment,
determining, for each authentication factor of the plurality of authentication factors, a respective intrinsic value, wherein the respective intrinsic value indicates a corresponding level of validity for each authentication factor of the plurality of authentication factors, 
determining a cumulative assurance level of the authentication data, wherein the cumulative assurance level is based on a combination of respective intrinsic values associated with the plurality of authentication factors, 
after the period of time, receiving, from a computing device of the plurality of computing devices associated with the particular user, 
an access request to access a computing resource system of the plurality of computing resource systems in the multi-resource computing environment, the computing resource system associated with a threshold authentication level, 
in response to receiving the access request from the computing device, determining, based on a comparison of the cumulative assurance level of the authentication data with the threshold authentication level of the computing resource system,
that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system, and
responsive to determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system,
providing the computing device that provided the access request as well as each of the plurality of computing devices that provided the corresponding access request received during the period of time with access to the computing resource system.

[US Patent No. 11,190,517]
Claim 9. An access gateway for authenticating an access request for a computing resource system in a multi-resource computing environment, the access gateway comprising:
a processor; and a memory storing instructions that, when executed by the processor, cause the processor to perform operations comprising storing authentication data including a plurality of authentication factors, 
wherein each authentication factor of the plurality of authentication factors corresponds to a particular user of the multi-resource computing environment, 
wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and 
wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment,
determining, for each authentication factor of the plurality of authentication factors, a respective intrinsic value, wherein the respective intrinsic value indicates a corresponding level of validity for each authentication factor of the plurality of authentication factors, 
determining a cumulative assurance level of the authentication data, wherein the cumulative assurance level is based on a combination of respective intrinsic values associated with the plurality of authentication factors, 
after the period of time, receiving, from a computing device of the plurality of computing devices associated with the particular user, 
the access request to access the computing resource system of the plurality of computing resource systems in the multi-resource computing environment, the computing resource system associated with a threshold authentication level, 
in response to receiving the access request from the computing device, determining, based on a comparison of the cumulative assurance level of the authentication data with the threshold authentication level of the computing resource system,
that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data,
responsive to determining that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data, requesting an additional authentication factor from the computing device,
receiving the additional authentication factor from the computing device, and
providing, based at least in part on the additional authentication factor, the computing device that provided the access request as well as each of the plurality of computing devices that provided the corresponding access request received during the period of time with access to the computing resource system.

[Instant Application 17/537,186]
Claim 15. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor of an access gateway, cause the access gateway to perform operations comprising:
storing authentication data including a plurality of authentication factors, wherein each authentication factor of the plurality of authentication factors corresponds to a particular user of a multi-resource computing environment, 
wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and 
wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment;
determining, for each authentication factor of the plurality of authentication factors, a respective intrinsic value, wherein the respective intrinsic value indicates a corresponding level of validity for each authentication factor of the plurality of authentication factors; 
determining a cumulative assurance level of the authentication data, wherein the cumulative assurance level is based on a combination of respective intrinsic values associated with the plurality of authentication factors; 
after the period of time, receiving, from a computing device of the plurality of computing devices associated with the particular user, 
an access request to access a computing resource system of the plurality of computing resource systems in the multi-resource computing environment, the computing resource system associated with a threshold authentication level; 
in response to receiving the access request from the computing device, determining, based on a comparison of the cumulative assurance level of the authentication data with the threshold authentication level of the computing resource system, 
that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system; and
responsive to determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system,
providing the computing device that provided the access request as well as each of the plurality of computing devices that provided the corresponding access request received during the period of time with access to the computing resource system.

[US Patent No. 11,190,517]
Claim 17. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor of an access gateway, cause the access gateway to perform operations comprising:
storing authentication data including a plurality of authentication factors, wherein each authentication factor of the plurality of authentication factors corresponds to a particular user of a multi-resource computing environment, 
wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and 
wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment;
determining, for each authentication factor of the plurality of authentication factors, a respective intrinsic value, wherein the respective intrinsic value indicates a corresponding level of validity for each authentication factor of the plurality of authentication factors; 
determining a cumulative assurance level of the authentication data, wherein the cumulative assurance level is based on a combination of respective intrinsic values associated with the plurality of authentication factors; 
after the period of time, receiving, from a computing device of the plurality of computing devices,
an access request to access a computing resource system of the plurality of computing resource systems in the multi-resource computing environment, the computing resource system associated with a threshold authentication level;
in response to receiving the access request from the computing device, determining, based on a comparison of the cumulative assurance level of the authentication data with the threshold authentication level of the computing resource system, 
that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data; 
responsive to determining that the threshold authentication level of the computing resource system exceeds the cumulative assurance level of the authentication data requesting an additional authentication factor from the computing device;
receiving the additional authentication factor from the computing device; and
providing, based at least in part on the additional authentication factor,
the computing device that provided the access request as well as each of the plurality of computing devices that provided the corresponding access request received during the period of time with access to the computing resource system.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5, 8-9, 12, 15-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (“Smith,” US 20140096177, published on 04/03/2014) in view of DASGUPTA et al. (“DASGUPTA,” US 20160359838, published on 12/08/2016).

Regarding Claim 1; 
Smith discloses a method comprising: 
storing, by an access gateway, authentication data including a plurality of authentication factors (par 0013; fig. 2, the client device environment uses a client device to process data input via a plurality of authentication factors to authenticate the user [according to specification par 0062: access gateway includes processors communicatively coupled to memory devices]; par 0016; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism. An input output subsystem having bus lines that are dedicated to the authentication factors and logic architecture may be used to facilitate communication between the authentication factors and logic architecture),
wherein each authentication factor of the plurality of authentication factors corresponds to a particular user of a multi-resource computing environment (par 0012; a user interacts with a client device environment in order to access resources of a service provider; par 0013; the client device environment uses a client device to process data input via a plurality of authentication factors to authenticate the user. For example, a text entry field on a display of the client device might be used as a first authentication factor to receive a traditional password or PIN, whereas another text entry field may be used in combination with a one-time password transceiver as a second authentication factor), 
determining, by the access gateway for each authentication factor of the plurality of authentication factors, a respective intrinsic value (par 0014; fig. 1; authentication factors have varying sensitivity/confidence levels as to the amount of security provided by the authentication factors; par 0017; a policy module determine composite FMRs for the authentication factors 18 as they are used to gain access to resources such as the resources),
wherein the respective intrinsic value indicates a corresponding level of validity for each authentication factor of the plurality of authentication factors (par 0014; fig. 1; authentication factors have varying sensitivity/confidence levels as to the amount of security provided by the authentication factors; par 0018; score module that maps composite  FMRs to scores such as the scores 20. For example, the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels); 
determining, by the access gateway, a cumulative assurance level of the authentication data, wherein the cumulative assurance level is based on a combination of respective intrinsic values associated with the plurality of authentication factors (par 0014; two or more of the authentication factors could also be associated with a similar amount of security, wherein combining authentication factors in and of itself may increase the amount of security provided; par 0017; a plurality of FMRs can be multiplied together to determine a composite FMR; par 0016; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism; par 0018; the score module might implement a choice relationship between the composite FMRs and specific sensitivity levels);
after the period of time, receiving, by the access gateway from a computing device of the plurality of computing devices associated with the particular user, an access request to access a computing resource system of the plurality of computing resource systems in the multi-resource computing environment (par 0027; the resource access request into the access tokens. Moreover, the notification module encrypt the access tokens prior to sending the access tokens to the service provider; par 0028; upon receiving either attestation messages from the client device environment or access tokens; par 0016; client device environment includes the plurality of authentication factors and a logic architecture executing on a client device, wherein the authentication factors may be connected to the logic architecture via a trusted path mechanism; par 0025; different service providers may establish different score ranges based on the particular security needs of the service provider),  
the computing resource system associated with a threshold authentication level (par 0017; the logic architecture may have a policy module to determine composite FMRs for the authentication factors as they are used to gain access to resources such as the resources [] a plurality of FMRs can be multiplied together to determine a composite FMR; par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen); 
in response to receiving the access request from the computing device, determining, by the access gateway based on a comparison of the cumulative assurance level of the authentication data with the threshold authentication level of the computing resource system (par 0028; upon receiving either attestation messages from the client device environment or access tokens; par 0030; the score can be compared to the provider ranges; par 0014; two or more of the authentication factors could also be associated with a similar amount of security, wherein combining authentication factors in and of itself may increase the amount of security provided; par 0015; the scores enable the service provider to determine whether to grant access to the resources; par 0017; the logic architecture may have a policy module to determine composite FMRs for the authentication factors as they are used to gain access to resources such as the resources [] a plurality of FMRs can be multiplied together to determine a composite FMR; par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen),
that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system (par 0014; two or more of the authentication factors could also be associated with a similar amount of security, wherein combining authentication factors in and of itself may increase the amount of security provided; par 0017; the logic architecture may have a policy module to determine composite FMRs for the authentication factors as they are used to gain access to resources such as the resources [] a plurality of FMRs can be multiplied together to determine a composite FMR; par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen); and
responsive to determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system, providing, by the access gateway, the computing device that provided the access request as well as each of the plurality of computing devices that provided the corresponding access request received during the period of time with access to the computing resource system (par 0028; fig. 3C; upon receiving either attestation messages from the client device environment or access tokens; par 0030; the score can be compared to the provider ranges; par 0014; two or more of the authentication factors could also be associated with a similar amount of security, wherein combining authentication factors in and of itself may increase the amount of security provided; par 0024; the target FMR may be specified by the service provider or user defined. In one example, the target FMR is cached locally in the client device environment for a certain amount of time; par 0035; determine whether the score is within the appropriate provider range for the resource. If so, grants the client device access to the resource).
Smith discloses all the limitations as recited above, but does not explicitly disclose wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment.
However, in an analogous art, DASGUPTA discloses a multi-factor authentication system/method that includes:
wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user (DASGUPTA: par 0011; fig. 3; selection of a set of authentication factors in different device, media and surrounding conditions over time; par 0030; a user is authenticated at various times with different modalities, as determined by the adaptive selection process of the present invention; par 0031; these criteria may be triggered at different times by a user, and the selected set of authentication factors is expected to vary), and 
wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment (DASGUPTA: par 0011; fig. 3; selection of a set of authentication factors in different device, media and surrounding conditions over time; par 0014; multi-factor authentication system [] allows for the checking of the authenticity of users not only at the initial time of accessing the service, but on an intermittent or continuous basis throughout the access period or session for a particular user; par 0030; a user is authenticated at various times with different modalities, as determined by the adaptive selection process of the present invention; par 0031; these criteria may be triggered at different times by a user, and the selected set of authentication factors is expected to vary). 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of DASGUPTA with the method/system of Smith to include wherein each authentication factor of the plurality of authentication factors is received at a different time over a period of time from a different one of a plurality of computing devices associated with the particular user, and wherein each authentication factor of the plurality of authentication factors is included in a corresponding access request received from a respective one of the plurality of computing devices during the period of time to access a corresponding one of a plurality of computing resource systems in the multi-resource computing environment. One would have been motivated to determine a composite false match rate for a plurality of authentication factors in a client device environment (DASGUPTA: abstract).

Regarding Claim 2;
The combination of Smith and DASGUPTA discloses the method of claim 1,
Smith further discloses wherein the threshold authentication level of the computing resource system is indicated by a policy associated with the computing resource system (Smith: par 0012; a multi-factor authentication in which a user interacts with a client device environment in order to access resources of a service provider, wherein the resources may be associated with varying sensitivity/authorization levels; 0017; the logic architecture may have a policy module to determine composite FMRs for the authentication factors as they are used to gain access to resources such as the resources [] a plurality of FMRs can be multiplied together to determine a composite FMR; par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen).  

Regarding Claim 5;
The combination of Smith and DASGUPTA discloses the method of claim 1,
Smith discloses wherein the comparison of the cumulative assurance level of the authentication data to the threshold authentication level of the computing resource system is performed by a policy decision point (Smith: par 0014; two or more of the authentication factors could also be associated with a similar amount of security, wherein combining authentication factors in and of itself may increase the amount of security provided; par 0017; a policy module determine composite FMRs for the authentication factors as they are used to gain access to resources such as the resources; par 0030; the score can be compared to the provider ranges; par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen).

Regarding Claim 8;
This claim recites an access gateway that performs the same steps as the method of Claim 1 and has limitations similar to those of Claim 1, and thus is rejected with the same rationale applied against claim 1.

Regarding Claim 9;
This claim recites an access gateway that performs the same steps as the method of Claim 2 and has limitations similar to those of Claim 2, and thus is rejected with the same rationale applied against claim 2.

Regarding Claim 12;
This claim recites an access gateway that performs the same steps as the method of Claim 5 and has limitations similar to those of Claim 5, and thus is rejected with the same rationale applied against claim 5.

Regarding Claim 15;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of Claim 1 and has limitations similar to those of Claim 1, and thus is rejected with the same rationale applied against claim 1.

Regarding Claim 16;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of Claim 2 and has limitations similar to those of Claim 2, and thus is rejected with the same rationale applied against claim 2.

Regarding Claim 19;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of Claim 5 and has limitations similar to those of Claim 5, and thus is rejected with the same rationale applied against claim 5.

Claims 3-4, 10-11 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US 20140096177) in view of DASGUPTA et al. (US 20160359838) and further in view of Emaminouri et al. (“Emaminouri,” US 9680812, published on 06/13/2017)

Regarding Claim 3;
The combination of Smith and DASGUPTA discloses the method of claim 2,
The combination of Smith and DASGUPTA discloses all the limitations as recited above, but does not explicitly disclose wherein the policy further indicates a permission level associated with the computing resource system, the permission level indicating an authorization requirement for accessing the computing resource system.
However, in an analogous art, Emaminouri discloses an authentication procedure system/method that includes:
wherein the policy further indicates a permission level associated with the computing resource system (Emaminouri: Col 2, lines 3-5; the various strengths and security levels associated with different combinations of authentication factors can be easily defined by a set of rules or policies; Col 7, lines 53-67; a specialized authentication server application to perform user authentication [] policies defining security levels (e.g., rules associating certain combinations of authentication factors with security strength)), the permission level indicating an authorization requirement for accessing the computing resource system (Emaminouri: Col 1, lines 12-16; if the human user supplies authentication factors which match expected authentication factors, authentication is considered successful and the human user is allowed to access the protected resources using the smart device; Col 7, lines 53-67; a specialized authentication server application to perform user authentication [] policies defining security levels (e.g., rules associating certain combinations of authentication factors with security strength, parameters indicating which users or groups of users are allowed to use certain types of authentication procedures, etc.), and other operating parameters (e.g., risk engine details and machine learning logic, authentication statistics, configuration data, etc.)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Emaminouri with the method/system of Smith and DASGUPTA to include wherein the policy further indicates a permission level associated with the computing resource system, the permission level indicating an authorization requirement for accessing the computing resource system. One would have been motivated to authenticate the user at a first security level within a range of security levels. The new authentication procedure is operative to authenticate the user at a second security level within the range of security levels, the first security level being at least as high as the second security level within the range of security levels (Emaminouri: abstract).

Regarding Claim 4;
The combination of Smith, DASGUPTA and Emaminouri discloses the method of claim 3,
Smith discloses wherein determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system (Smith: par 0014; two or more of the authentication factors could also be associated with a similar amount of security, wherein combining authentication factors in and of itself may increase the amount of security provided; par 0017; the logic architecture may have a policy module to determine composite FMRs for the authentication factors as they are used to gain access to resources such as the resources [] a plurality of FMRs can be multiplied together to determine a composite FMR; par 0020; once a composite FMR exceeds a threshold for a certain level, the score for that particular level may be chosen).
Emaminouri further discloses based on a comparison of the permission level to authorization information associated with the access request (Emaminouri: Col 1, lines 12-16; if the human user supplies authentication factors which match expected authentication factors, authentication is considered successful and the human user is allowed to access the protected resources using the smart device; Col 7, lines 53-67; a specialized authentication server application to perform user authentication [] policies defining security levels (e.g., rules associating certain combinations of authentication factors with security strength, parameters indicating which users or groups of users are allowed to use certain types of authentication procedures, etc.), and other operating parameters (e.g., risk engine details and machine learning logic, authentication statistics, configuration data, etc.)).
One would have been motivated to authenticate the user at a first security level within a range of security levels. The new authentication procedure is operative to authenticate the user at a second security level within the range of security levels, the first security level being at least as high as the second security level within the range of security levels (Emaminouri: abstract).

Regarding Claim 10;
This claim recites an access gateway that performs the same steps as the method of Claim 3 and has limitations similar to those of Claim 3, and thus is rejected with the same rationale applied against claim 3.

Regarding Claim 11;
This claim recites an access gateway that performs the same steps as the method of Claim 4 and has limitations similar to those of Claim 4, and thus is rejected with the same rationale applied against claim 4.

Regarding Claim 17;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of Claim 3 and has limitations similar to those of Claim 3, and thus is rejected with the same rationale applied against claim 3.

Regarding Claim 18;
This claim recites a non-transitory computer-readable medium that performs the same steps as the method of Claim 4 and has limitations similar to those of Claim 4, and thus is rejected with the same rationale applied against claim 4.

Claims 6-7, 13-14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US 20140096177) in view of DASGUPTA et al. (US 20160359838) and further in view of Krishnamoorthy et al. (“Krishnamoorthy,” US 20200042723, filed on 08/03/2018)

Regarding Claim 6; 
The combination of Smith and DASGUPTA discloses the method of claim 1,
The combination of Smith and DASGUPTA discloses all the limitations as recited above, but does not explicitly disclose wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request.
However, in an analogous art, Krishnamoorthy discloses an identity fraud risk system/method that includes:
wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request (Krishnamoorthy: par 0014; a risk assessment platform assesses a level of risk of identity fraud associated with users attempting to access protected resources [] the risk assessment platform then performs a risk score calculation process to determine a level of risk of identity fraud associated with the user based on the collected user and/or device attributes). 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Krishnamoorthy with the method/system of Smith and DASGUPTA to include wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request. One would have been motivated to determine a level of risk of identity fraud associated with the user based on the first and second user and device attributes, and to grant or deny the user access to the second protected resource based on the determined level of risk of identity fraud associated with the user (Krishnamoorthy: abstract).


Regarding Claim 7;
The combination of Smith, DASGUPTA and Krishnamoorthy discloses the method of claim 6,
Krishnamoorthy further discloses wherein determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system is further based on a comparison of the risk score to a risk tolerance associated with the computing resource system (Krishnamoorthy: par 0019; policy manager, upon receipt of the risk score associated with a user, compares the risk score with a policy threshold score or policy score range, previously set by, for example, an administrator, to determine whether the risk score indicates a risk failure [] a risk failure/denial indicates that the determined risk score for the user is too high, and that the attempt to access protected digital resources should be denied).  
One would have been motivated to determine a level of risk of identity fraud associated with the user based on the first and second user and device attributes, and to grant or deny the user access to the second protected resource based on the determined level of risk of identity fraud associated with the user (Krishnamoorthy: abstract).

Regarding Claim 13;
This claim recites an access gateway that performs the same steps as the method of Claim 6 and has limitations similar to those of Claim 6, and thus is rejected with the same rationale applied against claim 6.

Regarding Claim 14;
This claim recites an access gateway that performs the same steps as the method of Claim 7 and has limitations similar to those of Claim 7, and thus is rejected with the same rationale applied against claim 7.

Regarding Claim 20; 
The combination of Smith and DASGUPTA discloses the non-transitory computer-readable medium of claim 15,
The combination of Smith and DASGUPTA discloses all the limitations as recited above, but does not explicitly disclose wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request, and wherein determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system is further based on a comparison of the risk score to a risk tolerance associated with the computing resource system.
However, in an analogous art, Krishnamoorthy discloses an identity fraud risk system/method that includes:
wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request (Krishnamoorthy: par 0014; a risk assessment platform assesses a level of risk of identity fraud associated with users attempting to access protected resources [] the risk assessment platform then performs a risk score calculation process to determine a level of risk of identity fraud associated with the user based on the collected user and/or device attributes), and wherein determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system is further based on a comparison of the risk score to a risk tolerance associated with the computing resource system (par 0019; policy manager, upon receipt of the risk score associated with a user, compares the risk score with a policy threshold score or policy score range, previously set by, for example, an administrator, to determine whether the risk score indicates a risk failure [] a risk failure/denial indicates that the determined risk score for the user is too high, and that the attempt to access protected digital resources should be denied).  
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Krishnamoorthy with the method/system of Smith and DASGUPTA to include wherein a policy decision point determines a risk score associated with the access request, the risk score indicating a likelihood of the access request being a fraudulent request, and wherein determining that the cumulative assurance level of the authentication data at least meets the threshold authentication level of the computing resource system is further based on a comparison of the risk score to a risk tolerance associated with the computing resource system. One would have been motivated to determine a level of risk of identity fraud associated with the user based on the first and second user and device attributes, and to grant or deny the user access to the second protected resource based on the determined level of risk of identity fraud associated with the user (Krishnamoorthy: abstract).

  
Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.W./Examiner, Art Unit 2439    



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439