DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-20 are pending.

Priority
Acknowledgement is made of applicant's claim for priority based on application 16/883,680 filed on 05/26/2020 (PAT 11321484) that is a CON of 16/654,046 filed on 10/16/2019 (PAT 10685137).

Claim Objections
Claims --1, 2, 4, 7, 8, 10, 11, and 16-20 are objected to because of the following informalities:  
“the stored data” in line 13 of claim 1, line 7 of claim 7, line 6 of claim 17 should read “the stored user data”.
“based on the category” in line 2 of claims 2, 4, 8, line 1 of claim 10 should read “based on the stored user data in the category”.
“stored user data” in line 5 of claim 4, line 4 of claim 10, line 4 of claim 19 should read “the stored user data”.
“of to” in last line of claim 11 should read “of”.
“A non-transitory computer-readable media” in line 1 of claims 16-20 should read “A non-transitory computer-readable medium”.
Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 10685137. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-18 of U.S. Patent No. 10685137 include the limitations recited in claims 1-20 of the instant application.
Claims 6-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 6-18 of U.S. Patent No. 11321484. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 6-18 of U.S. Patent No. 11321484 include the limitations recited in claims 6-20 of the instant application.
Claims 1-5 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-5 of U.S. Patent No. 11321484 in view of Shah (US 20170374070).  Claims 1-5 of U.S. Patent No. 11321484 include most of the limitations recited in claims 1-5 of the instant application except for the limitations of “in response to verifying the user-provided data in the category, select a default algorithm for responding to the verification request, wherein the default algorithm is selected by the requestor” and “generate an assurance level of the credentials of the user based on the default algorithm” recited in claim 1 of the instant application.  Shah discloses the above limitations (e.g. ¶40, 44-46).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Shah into the claims of the patent for the purpose of providing for robust and scalable multi-factor authentication where necessary authentication factors are determined in order to meet the required assurance level specified by a service provider (Shah, ¶4, 79).
Instant application 17710883
Patent 11321484
Patent 10685137
1
1 + Shah
1
2-5
2-5
2-5
6
6
6
7-15
6-14
6-14
16
15
15
17-20
15-18
15-18


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

 
Claims 6, 14, 15, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Merz (US 20160335639) in view of Shah (US 20170374070).

Claim 6, Merz discloses A method for protecting personal data while verifying user credentials, the method comprising: 
storing, in a database of a verification service, user data for a user; (e.g. ¶21-22, 63-64: authentication data includes one or more of: (1) consumer device attributes such as, for example, device attribute data (i.e., data derived from the device that the cardholder is transacting from, which can ultimately be used for creating a device fingerprint, and which may include IP address, physical address associated with IP address, device type, and phone number), and geo-location data (i.e., data from the device of the cardholder, indicating the assessed location of the device, such as GPS location, country, city, etc.); (2) data from the merchant such as, for example, consumer contact information (personally identifiable information (PII) about the cardholder associated with the payment account that the candidate online payment transaction is for, which will be used to determine the likelihood that the merchant has the correct cardholder, and which may include email address, mobile phone number, landline phone number, confirmed shipping address, and consumer identity verification (e.g., anonymous, unverified, externally scored (e.g., credit reference agency), authentic issued official ID (e.g., passport, driver's license)), and age of cardholder relationship); and (3) merchant reference data such as, for example, days account has been on file with the merchant, days since the cardholder last used the card on file, verification method of the cardholder performed by the merchant at the time of candidate online payment transaction, purchases information (i.e., type of goods/services provided-digital only, low value, high value with verified address, in-store), and a merchant risk score (i.e., a risk score derived from the merchant's risk systems and reference data, also known as a merchant fraud grading)…The AE computer device stores the authentication data associated with the candidate online payment transaction in a database)
receiving, from a remote server, a verification request for credentials of the user, wherein the verification request indicates a type of the verification request, an identity of a requestor of the verification request; (e.g. ¶23-24, 65-66: The AE computer device receives an authorization request message for candidate online payment transaction from a payment network. In the example embodiment, the AE computer device receives the authorization request message from the interchange network. In other embodiments, the AE computer device receives the authorization request message from the merchant bank. The authorization request message includes transaction data about the candidate online payment transaction, such as, but not limited to, transaction amount, primary account number, and merchant identifier)
determining, using control circuitry, a category of required data for the verification request based on the type of the verification request, the identity of the requestor; (e.g. ¶24, 66: The AE computer device retrieves the authentication data associated with the candidate online payment transaction from the database. The AE computer device determines which set of stored authentication data is associated with the candidate online payment transaction to retrieve the corresponding authentication data. In some embodiments, the authentication data and the authorization request message each contain a transaction identifier. The AE computer device uses the transaction identifier to match up the stored authentication data with the corresponding authorization request message.)
determining, using the control circuitry, whether the stored user data includes the category; (e.g. ¶24, 66: The AE computer device retrieves the authentication data associated with the candidate online payment transaction from the database. The AE computer device determines which set of stored authentication data is associated with the candidate online payment transaction to retrieve the corresponding authentication data. In some embodiments, the authentication data and the authorization request message each contain a transaction identifier. The AE computer device uses the transaction identifier to match up the stored authentication data with the corresponding authorization request message.)
generating, using the control circuitry, an assurance level of the credentials of the user; and (e.g. ¶25, 67: The AE computer device combines the authentication data and the authorization request message to calculate an assurance level score for the candidate online payment transaction. The assurance level score represents a level of confidence that the candidate online payment transaction is not fraudulent. In the example embodiment, the assurance level score includes a plurality of calculations and business rules to determine the level of confidence in the candidate online payment transaction. The AE computer device may also use the previously calculated initial assurance score in calculating the assurance level score)
outputting the assurance level for display on a user device. (e.g. ¶30-31, 72-73: The AE computer device transmits the authorization request message including the assurance level score to the issuer processor. In the example embodiment, the AE computer device transmits the authorization request message to the payment processing network, which then transmits the authorization request message to the issuer processor…In some embodiments, the AE computer device receives a request for the assurance level score from a client system. In some embodiments, the request comes from the merchant. In other embodiments, the request comes from other sources, such as the merchant bank…The AE computer device retrieves the assurance level score from the database and transmits the assurance level score to the requesting client system.)
Although Merz discloses receiving, from a remote server, a verification request for credentials of the user, wherein the verification request indicates a type of the verification request, an identity of a requestor of the verification request, determining, using control circuitry, a category of required data for the verification request based on the type of the verification request, the identity of the requestor, determining that the stored user data includes the category, and generating, using the control circuitry, an assurance level of the credentials of the user (see above), Merz does not appear to explicitly disclose but Shah discloses: 
receiving, from a remote server, a verification request for credentials of the user, wherein the verification request indicates a verification request purpose of the verification request; (e.g. ¶40, 44, 48, 114: the MFAS 102 controls a policy processing engine, which actively selects an enforceable authentication policy based on an assurance level (AL) that is received from the SP 108… At 206, in accordance with the illustrated example, the SP 108 specifies an assurance level (AL) that is required by the SP for user authentication, such that the user 110 can access the service…an assurance level that is required by the RP 108 may be communicated from the RP 108 to the MFAS 102… a policy management operation performed by the MFAS 102 to determine the set of authentication factors based on the authentication request that is received from the RP 108…A userID may be contained in the request…the required AL may be included in the authentication request)
determining, using control circuitry, a category of required data for the verification request based on the required type of assurance level; (e.g. ¶40, 114: the MFAS 102 controls a policy processing engine, which actively selects an enforceable authentication policy based on an assurance level (AL) that is received from the SP 108… Information stored in a policy database may also contain policies that are specified by an SP to control selection and prioritization of authentication factors. In some cases, a database may contain information related to various users and various devices. In an example embodiment, the MFAS 102 maps a given AL to an authentication policy that stipulates an authentication factor that should be performed, or a prioritized list of authentication factors that should be performed, to achieve the AL…In response to the authentication request, the MFAS 102 may obtain information from at least one database to authenticate the user in accordance with policy information related to the SP 108)
in response to determining that the stored user data includes the category, determining, using the control circuitry, whether criteria based on the stored user data in the category is approved for use in responding to the verification request; (e.g. ¶44-45: the MFAS may access a user authentication database 114e to determine the current authentication status. At 216, the MFAS 102 determines whether the current authentication related to the user 110 and user device 112 is valid (not expired) and sufficient as compared to the required AL. If the current authentication is not valid or sufficient, the process may proceed to 218, where the MFAS 102 selects the authentication factors that should be executed…the MFAS 102 determines whether the authentication capabilities of the user 110 and user device 112 are sufficient to achieve the required AL. If there are adequate authentication factors available, for example, the process may proceed to 224, where the local and/or network-based authentications are performed)
in response to determining that the criteria is approved for use in responding to the verification request, generating, using the control circuitry, an assurance level of the credentials of the user; (e.g. ¶46, 80, 115: After the authentication factors are executed at 224, the process may proceed to 228. At 228, in accordance with the illustrated example, the assurance level that is achieved by the authentications is sent to the SP 108 in an assertion…the MFAS 102 may return an authentication response assertion that may satisfy the required assurance level. In some cases, the MFAS includes the required (and authenticated) assurance level received from the RP in the signed assertion)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Shah into the invention of Merz for the purpose of providing for robust and scalable multi-factor authentication where necessary authentication factors are determined in order to meet the required assurance level specified by a service provider (Shah, ¶4, 79).

Claim 14, Merz-Shah discloses The method of claim 6, further comprising: selecting an algorithm for responding to the verification request from a plurality of potential algorithms for responding to the verification request, wherein each of the plurality of potential algorithms uses the criteria and generates assurance levels, wherein selecting the algorithm, further comprises: determining that the category includes a type of personally identifying information; and determining that the selected algorithm is approved for personally identifying information. (Shah, e.g. ¶40, 44-45).  Same motivation as in claim 6 would apply.

Claim 15, Merz-Shah discloses The method of claim 6, further comprising: selecting an algorithm for responding to the verification request from a plurality of potential algorithms for responding to the verification request, wherein each of the plurality of potential algorithms uses the criteria and generates assurance levels, wherein selecting the algorithm is based on the type of the verification request, the identity of the requestor, and the verification request purpose. (Shah, e.g. ¶40, 44-45, 81, 115).  Same motivation as in claim 6 would apply.

Claim 16, this claim is rejected for similar reasons as in claim 6.

Claim 20, this claim is rejected for similar reasons as in claim 15.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20030115142 discloses systems for providing an authentication service through a number of authentication mechanisms associated with each user. Lists of the authentication mechanisms associated with each user are stored in a set of portfolios, one portfolio for each user. Authentication mechanisms include laptops, PCs, biometric input devices, smart card readers, proximity badge readers, magnetic stripe readers, and the like. The systems have various configurations of registration servers, authentication servers, and authorization servers. Methods for providing an authentication service include relating a user identity to a portfolio, relating a type of transaction to a level of authentication, and authenticating the user identity through one or more authentication mechanisms for the type of transaction, according to the level of authentication required.

US 20150127547 discloses receiving a token generation message containing a requested token assurance level associated with a payment token and generating the payment token and the token assurance level.

US 20170364917 discloses assuring identity information representing identity of an entity that involves determining a level of assurance associated with identity information of the entity.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436