DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on November 03, 2022 has been entered. Claims 1-20 are pending. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Independent claims have been amended to incorporate a new limitation as “an authentication object that is created by an authentication software development kit (SDK) residing in the application.” 
In previous office action, examiner presented fig. 3 from Chen that showed resource access request 316 corresponds to authentication object which includes attributes and request to access (fig. 3, elements 318, 320, 322). Para. 0025-0029 and 0070. Chen doesn’t teach software development kit (SDK) to create an authentication object. But SDK such as Java development kit, Windows app SDK, MacOS SDK etc. had been known in the art before the applicant’s claimed invention was filed. SDK is not a new tool and the concept of using SDK to generate an object is not a novel or non-obvious concept. An ordinary skill in the art would have been motivated to use well known SDK to create or generate an authentication object.

    PNG
    media_image1.png
    751
    1035
    media_image1.png
    Greyscale

However, US2006/0288404 A1 (Krishnan et al.) is being introduced to explicitly teach the newly added limitation.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-3, 7-12, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0109509 A1 to Baghdasaryan et al. (“Baghdasarayan”) in view of US 2015/0106888 A1 to Cheng et al. (“Cheng”) and in further view of US 2006/0288404 A1 (Krishnan et al.).
Regarding claim 1, Baghdasarayan disclosed a method for providing an enhanced authentication process with risk-based decision making for accessing protected services, the method comprising: 
capturing attributes pertaining to a user and/or a user device; (See ¶0053: current parameters 406 are collected from the client device 400; See further in ¶0048, ¶0051)
determining a risk of data security based on the attributes pertaining to the user and/or the user device; (Para.0052-0053. Determining risk level based on current parameters and historical parameters. The parameters collected and evaluated to determine the risk level 407 may include the identity of each user and a variety of data related to the authenticators 420- 421 registered at the authentication server including, for example, the authentication attestation IDs (AAIDs) which uniquely identify the types of authentication device(s) registered; the Key IDs associated with the keys exchanged during authenticator registration (and stored in secure storage 425 on the client and the authentication server); cryptographic key data used for validating cryptographic signatures generated with the keys; a signature counter indicating the number of times signatures have been generated with the keys; and the authenticator version indicating the version of each of the authenticators. In addition, the parameters used to determine the risk level may include metadata associated with each of the authenticators such as the AAID (mentioned above), the authenticator vendor, the authenticator type (e.g., indicating if the authenticator is internal or external to the client), the authentication factor (e.g., fingerprint, voiceprint, presence, etc), and the key protection method (e.g., Trusted Execution Environment, Secure Elements, etc).))
when the risk is unacceptable, requiring additional authentication for access to the protected services; (Para. 0054: In general, the greater the risk level 407 (e.g., the greater the distance from parameters indicating "normal" behavior), the more rigorous the authentication. For example, in one embodiment, if the risk level is above a specified threshold (i.e. risk is unacceptable), then the authentication server 450 may require authentication using one or more explicit user authentication devices 420-421.) and
when the risk is acceptable, granting access to the protected services without requiring additional authentication, (Para.0054. In contrast, for a risk level below a specified threshold (i.e. the risk is acceptable), then non-intrusive authentication techniques 405 may be sufficient. See ¶0051, ¶0112: If the parameters are within the selected thresholds, then at 506 the interaction is considered to be a normal activity and less rigorous (or no) authentication may be used (e.g., non-intrusive authentication such as described above).)
Baghdasarayan did not but the analogous art Cheng disclosed wherein the capturing the attributes pertaining to the user and/or the user device comprises: performing an authorization call to an application requesting access to the protected services; gathering the attributes while accessing the application; and bundling the attributes and the request to access the protected services into an authentication request object. (Cheng, ¶0025: Users of clients 110, 112, and 114 may utilize clients 110, 112, and 114 to request and gain access to protected resource 116, which is protected by server 104 and/or server 106. ¶0027: Clients 110, 112, and 114 may utilize biometric measuring devices 118, 120, and 122 to capture and record biometric data (i.e. gathering attributes) corresponding to users of clients 110, 112, and 114. Clients 110, 112, and 114 may send the captured biometric data to server 104 or server 106 for user authentication prior to server 104 or server 106 allowing access to protected resource 116. ¶0028: In addition, clients 110, 112, and 114 include context information 124, 126, and 128, respectively. Context information 124, 126, and 128 may be, for example, unique device identifiers and geographic location data (i.e. attributes) regarding clients 110, 112, and 114. Clients 110, 112, and 114 may send context information 124, 126, and 128 to server 104 or server 106 for determining a context of an access request to protected resource 116 prior to allowing access to protected resource 116. ¶0029: Protected resource 116 represents a set of one or more different protected resources A protected resource may be, for example, a network, a document, a software application, or a hardware device in network data processing system 100 that has restricted access to only authorized users. ¶0048: the context information included in a particular access request may include an identification of the client device requesting access to a particular protected resource and a geographic location of the client device at the time of the access request.)
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Baghdasaryan by including the idea of capturing the attributes pertaining to the user and/or the user device comprises: performing an authorization call to an application requesting access to the protected services; gathering the attributes while accessing the application; and bundling the attributes and the request to access the protected services into an authentication request object as taught by Cheng in order to provide a controlled flexibility in resource access control by taking calculated risks, which are prohibited by the traditional access control policies (Cheng, ¶0006).
Baghdasaryan-Cheng combination do not but the analogous art Krishnan taught an authentication object that is created by an authentication software development kit (SDK) residing in the application ([0098] In one embodiment, the following tools are provided for creating extension package for authentication and authorization in an AONS node: a custom bladelet software development kit (hereinafter "Custom Bladelet SDK"). See Para. 0099-0103, Table 1, Para. 0068, 0073.)
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the combined invention of Baghdasaryan & Krishnan by including the well-known idea of an authentication object that is created by an authentication software development kit (SDK) residing in the application as taught by Krishnan so that the package supports both authentication and authorization (Krishnan, Para. 0078).
Claims 9 and 16 recite similar limitations to claim 1, mutatis mutandis, the subject matter of claims 9 and 16, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 2, The method of claim 1, further comprising: when the risk of data security is acceptable, refreshing access to protected services without requiring additional authentication (Para.0056. If the authentication is successful, then the current parameters may be added as historical parameters associated with successful authentications (thereby decreasing the “riskiness” associated with these parameters) as refreshing access to protected services).
Claims 11 and 17 recite similar limitations to claim 2, mutatis mutandis, the subject matter of claims 11 and 17, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 3, Baghdasaryan further taught the method of claim 1, further comprising: when the risk of data security is unacceptable, requiring the user to provide one or more of a password and biometric data (Para.0048, 0112. Password and biometric).
Claims 12 and 18 recite similar limitations to claim 3, mutatis mutandis, the subject matter of claims 12 and 18, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 7, Baghdasaryan further taught the method of claim 1, further comprising: storing the attributes pertaining to the user and/or user device at an authorization database configured to store unique attributes for a plurality of users and/or user devices (Para. 0034, 0048, 0051).
Claim 10 recites similar limitations to claim 7, mutatis mutandis, the subject matter of claim 7, which is therefore, also considered to be taught by Baghdasaryan-Cheng combination as above.
Regarding claim 8, Baghdasaryan further taught the method of claim 1, wherein the attributes pertaining to the user and/or user device comprise one or more of: a cryptographic key, geographic location, time of day, day of week, device hygiene, a user usage pattern, a swipe pattern for touch sensitive displays, malware detection, jailbreak/root detection, debugger mode detection, location reading, accelerometer readings, gyroscope readings, compass readings, user device navigation patterns, application tamper detection, a user device identifier, user device hardware details, user device certificate, user device software details, an International Mobile Station Equipment Identifier (IMEI), a Personal Identification Number (PIN), a password, user biometric data, a device token, a Service Set Identifier (SSID), network proxy detection, device power state, and Virtual Private Network (VPN) detection. (Baghdasaryan, Para. 0025).
Claims 4-6, 13-15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Baghdasaryan in view of Cheng and Kishnan and further in view of US 2014/0230020 to Mogaki et al. (“Mogaki”).
Regarding claim 4, Baghdasaryan -Cheng-Krishnan combination taught the method of claim 1, the combination did not but the analogous art Mogaki taught further comprising: providing an access token to the user device upon the granting access to the protected services ([0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time ([0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention combined of Baghdasaryan, Cheng, and Krishnan by including the idea of providing an access token to the user device upon the granting access to the protected services, wherein the access token expires after a predetermined period of time as taught by Mogaki so that even when authentication information of a client and update authorization information have leaked, authentication information can be prevented from being illicitly re-issued (Mogaki, ¶0013).
Claim 13 recites similar limitations to claim 4, mutatis mutandis, the subject matter of claim 13, which is therefore, also considered to be taught by Baghdasaryan-Cheng-Krishnan-Mogaki combination as above.
Regarding claim 5, Baghdasaryan -Cheng-Krishnan-Mogaki combination further taught the method of claim 4, further comprising determining an updated risk of data security after a time expiration of the access token. (Mogaki, ([0122] If the access token is registered but it falls outside the valid period, the access management service system 104 returns an access token invalid message as a response. [0128] In step S1209, upon reception of the access token invalid message, the external service system 103 requests the access management service system 104 to execute refresh processing.))
Claim 14 recites similar limitations to claim 5, mutatis mutandis, the subject matter of claim 14, which is therefore, also considered to be taught by Baghdasaryan-Cheng-Krishnan-Mogaki combination as above.
Regarding claim 6, Baghdasaryan -Cheng-Krishnan-Mogaki combination further taught the method of claim 4, further comprising determining an updated risk of data security prior to a time expiration of the access token (Mogaki, Para.0122 determining the validity of token as an updated risk prior to expiry of the token’s valid period.).
Claim 15 recites similar limitations to claim 6, mutatis mutandis, the subject matter of claim 15, which is therefore, also considered to be taught by Baghdasaryan-Cheng-Krishnan-Mogaki combination as above.
Regarding claim 19, Baghdasaryan -Cheng-Krishnan-Mogaki combination further taught the non-transitory computer readable storage device of claim 16, further comprising computer executable instructions for: providing an access token to the user device upon the granting access to the protected services (Mogaki, [0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time (Mogaki, [0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084); and determining an updated risk of data security after a time expiration of the access token (Mogaki, ([0122] If the access token is registered but it falls outside the valid period, the access management service system 104 returns an access token invalid message as a response. [0128] In step S1209, upon reception of the access token invalid message, the external service system 103 requests the access management service system 104 to execute refresh processing.).
Regarding claim 20, Baghdasaryan -Cheng-Krishnan-Mogaki combination further taught the non-transitory computer readable storage device of claim 16, further comprising computer executable instructions for: providing an access token to the user device upon the granting access to the protected services ( Mogaki, [0104] If the authorization code is registered in the authorization code table 800, the access management service system 104 judges that the user permits use of the form service system 105, and the process advances to step S1016 to continue processing. [0105] In step S1016, the access management service system 104 generates an access token.), wherein the access token expires after a predetermined period of time (Mogaki, [0105] The access management service system 104 sets a valid period of the access token in the access token valid date and time 903. See 0005, 0084); and determining an updated risk of data security prior to a time expiration of the access token (Mogaki, Para.0122 determining the validity of token as an updated risk prior to expiry of the token’s valid period.).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Applicant is requested to review the teaching of these references before filing a new amendments/argument.
US 9,652,604 B1 (Johansson et al.): Fig. 5, ref. 500 authentication object; Fig. 6; Col. 3, lines 8-26, Col 4, lines 10-13, Col. 5, lines 5-8, Col. Line 65-Col.6, line 5, Col. 6, line 48-51, Col. 12, lines 5-12. Authentication object and generating an authentication object.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAWNCHOY RAHMAN whose telephone number is (571)270-7471. The examiner can normally be reached Monday - Friday 8:30A-5P ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Shawnchoy Rahman/Primary Examiner, Art Unit 2438