DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
2. The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

3. Claims 1, 3-6, 8-11, 13 and 15-20 of the instant application are provisionally rejected on the ground of non-statutory double patenting as being unpatentable over claims 1, 4-6, 8-10, 12, 14-16, 19-21, 24 and 26-28 of US Patent No. 11,343,260. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the current application encompass the same subject matter as the claims of the patent, but with obvious wording variations. This is a non-statutory double patenting rejection.

Claim Rejections - 35 USC § 112
4. The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

5. Claims 2-3, 7, 12-13 and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.

6. Claim 2 recites: “The method…, wherein the request fails to satisfy the request failure rate when the request failure rate is disabled”.
It is not clear what is meant by this limitation. The failure rate can be reduced or decremented based on successful authentication using the user credential. But it is not clear how the request can fail if the failure rate is disabled, since a disabled failure rate would mean no failure.

A similar problem is found in claim 12. Appropriate correction is needed.

7. Claim 3 recites: “obtaining a random number; comparing the random number with a reference number associated with the request failure rate; and granting or denying access to the resource when the random number satisfies the comparison with the reference number”. It is not clear what is meant by this limitation.
The random number can be 5 or 35 or 5500, a million or a billion. It is not clear what is achieved by comparing the random number with a reference number associated with the request failure rate.
A similar problem is found in claim 13. Appropriate correction is needed.

8. Claim 7 recites: “receiving an indication of a selection of the resource through a user interface for a security credential update; … and receiving the request failure rate for requests to access the resource using the security credential”. It is not clear what is meant by this limitation.

A similar problem is found in claim 17. Appropriate correction is needed.


Examiner Note: A rejection over prior art is not feasible at this time for claims 2-3, 7, 12-13 and 17. Claims 2-3, 7, 12-13 and 17 are replete with indefiniteness such that it cannot be ascertained what the scope of the claims is with respect to applying prior art.


Claim Rejections - 35 USC § 102
9. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


10. Claims 1, 4-6, 9-11, 14-16 and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Addala (US Pub. No. 9,438,604).

11. Regarding claims 1 and 11, Addala teaches a system and a computer-implemented method that, when executed by data processing hardware, causes the data processing hardware to perform operations comprising: receiving, from a client, a request to access a resource, the request comprising a request credential; obtaining a security credential associated with the resource (Figs. 1-2 and Col. 4, lines 8-18 teaches that the client computer 110 used by a user will attempt to access an application (e.g., web service) hosted on application server 120. The user will provide his credentials, which include a user identifier, to access and use the application on the application server 120. The authentication server 130 will be configured for authenticating (e.g., validating, confirming) the user credentials before the user is allowed to access the application on the application server 120);

comparing the request credential against the security credential; determining whether the client is authorized to access the resource based on the comparison of the request credential and the security credential (Figs. 3-4, Col. 6, lines 55-66 and Col. 7, lines 3-54 teaches that the authentication server 130 includes a primary authentication mechanism 331, primary user credentials 332, and completed authentication notification module 333. The primary authentication mechanism 331 will be configured to receive primary user credentials for a user operating at a remote computer (e.g., client computer 110) and to complete authentication attempts on these user credentials by comparing them to the copy of the primary user credentials 332 [the security credential herein] stored in a secure location on the authentication server 130. The primary user credentials will include a user identifier (e.g., a username) and at least one additional authentication factor (e.g., a password). After completing an authentication attempt, the primary authentication mechanism 331 will send the results of the completed attempt (e.g., either an indicator that the user identifier has been properly authenticated or an indicator that the user identifier has not been properly authenticated) to the completed authentication notification module 333. The completed authentication notification module 333 will be configured to notify the results of the completed attempt to the application server 120. A primary access module 321 will be configured to act as the primary gatekeeper to the application located on the application server 120. The primary access module 321 will receive notifications from the completed authentication notification module 333 about users that have (or have not) been authenticated by the authentication server 130. The primary access module will store this information as part of the allowance rate statistics 326.
Additionally, when receiving requests to access the application 327 from a user communicating from the client computer 110, the primary access module 321 will be configured to determine whether that user is currently acting in an authenticated session. This determination will involve comparing the user identifier for the requesting user with a list of currently authenticated users received from the completed authentication notification module 333. If the user's primary credentials have been properly authenticated, then the primary access module 321 will allow the user to access the application 327);

and when the client is authorized to access the resource: determining a request failure rate associated with the security credential; determining whether granting or denying the request satisfies the request failure rate; when denying the request satisfies the request failure rate, denying access to the resource; and when granting the request satisfies the request failure rate, granting access to the resource (Figs. 3-4 and Col. 7, lines 54-67 and Col. 8, lines 1-8 teaches that if it is determined that the primary authentication mechanism 331 is unable to complete an authentication attempt, then the primary access module 321 will be configured to pass the user's request to access the application 327 to the secondary access module 322. The secondary access module 322 will serve as the secondary gatekeeper to the application 327 and will be used in situations where, for one or more reasons, an attempt to complete a primary authentication fails. Upon receipt of a user request that is passed to the secondary access module 322, the criteria evaluation module 324 will be configured to analyze allowance rate statistics 326 associated with the user identifier requesting access and then compare these statistics to a set of criteria. If the results of this comparison by the criteria evaluation module 324 are unfavorable, then the user will be denied access to the application 327.
Col. 5, lines 1-65 and Col. 6, lines 1-12 teaches that the user's access allowance rate information will be stored locally (e.g., on the application server). The information will include statistics or other records relating to completed authentication attempts for the user by the primary authentication mechanism. For example, the allowance rate information could include a table showing that the user identifier for the user has been associated with five successful and one unsuccessful completed authentication by the primary authentication mechanism in the past month. For another example, the allowance rate information could include a single value of ninety-seven that indicates that ninety-seven percent of the time in the last year this user was allowed access to the application after the primary authentication mechanism completed authentication attempts on the user's credentials (compared to only three percent denials after completed authentication attempts). Further, in some embodiments, the access allowance rate information may also include records relating to whether or not past authentication attempts were actually completed. The user's access allowance rate is identified from the access allowance rate information and is compared to a set of (e.g., one or more) criteria. The set of criteria will refer to one or more factors or requirements associated with the access allowance rate. The set of criteria may include a single threshold (e.g., a minimum acceptable access allowance rate). A determination is made as to whether the set of criteria are satisfied. If they are not satisfied, the user is denied access to the application).

12. Regarding claims 4 and 14, Addala teaches the method and the system, further comprising:
determining that a number of received requests having corresponding request credentials satisfying the security credential satisfies a threshold number; and implementing a remedial action (Fig. 3, Col. 8, lines 54-67 and Col. 9, lines 1-50 teaches a scenario in which John Smith, the CEO of Smith Corp, uses his laptop (client computer 110) for his work over a series of weeks. In a first week, Smith connects to Smith Corp's authentication server (authentication server 130) from his laptop and, when prompted, enters his primary user credentials, including his user identifier, "JSmith", and his password, "abc123". His credentials are authenticated (by the primary authentication mechanism 331) and his computer is then logged in to an authenticated session. Smith then attempts to access banking software (application 327) from his laptop. The application server (application server 120) confirms that Smith is currently in an authenticated session (e.g., by communicating with the completed authentication notification module 333). Smith is able to have full access to the banking software and completes his work for the day. In the second week, Smith is working from his home and is unable to access Smith Corp's authentication server from his laptop. He again tries to access the banking software. The application server is unable to confirm that Smith has been authenticated by the authentication server. In response, the application server checks the access allowance rate for the authentication server. Specifically, the application server checks whether the access allowance rate statistics 326 associated with Smith's user identifier, "JSmith", have been above ninety percent over the past month. Finding the applicable rate to be ninety-five percent, the application server (via secondary authentication mechanism 323) prompts Smith to provide his mother's maiden name and his place of birth (secondary user credentials 325).
Smith enters these credentials correctly and is provided quarantined access to the banking software. As part of the quarantined access, Smith has the ability to view some of the information about Smith Corp's accounts, but is not able to make significant financial transactions using the software. 
Each time a completed authentication attempt fails, the authentication server informs the application server (via the completed authentication notification module 333), and the application server records the reduction in the allowance rate (in the allowance rate statistics 326) associated with the JSmith user identifier.
Late in the third week, a thief steals Smith's laptop. Using the stolen laptop, the thief attempts to use the JSmith user identifier to access Smith Corp's banking software directly through the application server without first communicating with Smith Corp's authentication server. Upon determining that the authentication server is not able to complete an authentication attempt (because the thief bypassed communicating with the authentication server altogether), the application server then checks the access allowance rate associated with the JSmith user identifier. Finding the allowance rate to have dropped below the ninety-percent success rate threshold (due to the multiple failed authentication attempts in the third week), the application server denies the thief access to the banking software).

13. Regarding claims 5 and 15, Addala teaches the method and the system wherein implementing the remedial action comprises granting access to the resource when the request credential satisfies the security credential; and not enforcing the request failure rate associated with the security credential (Fig. 2 and Col. 6, lines 1-39 teaches that the user's access allowance rate is identified from the access allowance rate information and is compared to a set of (e.g., one or more) criteria. The set of criteria will refer to one or more factors or requirements associated with the access allowance rate. The set of criteria may include a single threshold (e.g., a minimum acceptable access allowance rate).
A determination is made as to whether the set of criteria are satisfied. If they are not satisfied, then the user is denied access to the application. If, however, the set of criteria are satisfied, then the user is requested to provide secondary user credentials. The secondary user credentials may include alphanumeric passwords or security question and answer pairs.
A determination is made as to whether the secondary user credentials are authentic. If the secondary user credentials are not authentic, then the user is denied access to the application. If, however, the secondary user credentials are authentic, then the user is allowed quarantine access to the application. The quarantine access will allow the user lesser privileges with respect to the application than full access. Restrictions placed on quarantine access may include, for example, read-only data access, access to only limited features or functionality of the application, or access that incorporates only a limited ability to modify the settings of the application).

14. Regarding claims 6 and 16, Addala teaches the method and the system, wherein the security credential comprises an old security credential and a new security credential; and determining whether granting or denying the request satisfies the new security credential (Col. 7, lines 52-67 and Col. 8, lines 1-47 teaches that if it is determined that the primary authentication mechanism 331 is unable to complete an authentication attempt, then the primary access module 321 will be configured to pass the user's request to access the application 327 to the secondary access module 322. The secondary access module 322 will serve as the secondary gatekeeper to the application 327 and will be used in situations where, for one or more reasons, an attempt to complete a primary authentication fails. Upon receipt of a user request that is passed to the secondary access module 322, the criteria evaluation module 324 will be configured to analyze allowance rate statistics 326 associated with the user identifier requesting access and then compare these statistics to a set of criteria. If the results of this comparison by the criteria evaluation module 324 are unfavorable, then the user may be denied access to the application 327. However, if the results are favorable, then the user's request may be passed to the secondary authentication mechanism 323. The secondary authentication mechanism 323 will be configured for verifying the identity of users based on secondary user credentials 325 [(such as his mother's maiden name and his place of birth), which is the new credential herein], rather than primary user credentials 332 (such as username, password). Upon receiving these credentials, the secondary authentication mechanism 323 will be further configured to complete secondary authentication attempts on these user credentials by comparing them to the copy of the secondary user credentials 325 stored in a secure location on the application server 120.
If the credentials match, then the secondary access module 322 will be configured to allow the user to have quarantine (e.g., limited) access to the application 327.
Fig. 5 and Col. 10, lines 29-60 teaches that if the primary user credentials are currently authenticated, then the user's access allowance rate information is increased, per operation, to reflect the current authentication. The primary version of the data set is replaced, in the main portion of the application database, with the modified version of the data set. The user is upgraded to full access to the application.
If, however, the quarantined user failed the most recent authentication attempt (and is therefore not currently authenticated), then the user's access allowance rate is decreased, per operation. The user's quarantine access to the application is revoked, and the modified version of the data set is deleted from the quarantine portion of the application database).

15. Regarding claims 9 and 19, Addala teaches the method and the system, wherein the request failure rate increases based on a function of time (Figs. 3-4 and Col. 9, lines 54-67 teaches a table representing the access allowance rate statistics 326; the table includes a plurality of user identifiers (RJones, SMichaels, and LStein). Associated with each user credential are the five most-recent completed authentication attempts by the primary authentication mechanism for that particular user credential. For example, the last row of the table shows that LStein is associated with three successful authentications and two failed authentications out of the last five completed attempts. The last column of the table includes the calculated access allowance rate (e.g., the success rate among completed authentication attempts) for each user identifier over the five most-recent attempts associated with each user identifier. The table will be updated each time a new authentication attempt is completed for a particular user identifier.
Col. 8, lines 54-67 and Col. 9, lines 1-50 teaches that if, however, a determination is made that the user's credentials have not been authenticated (due to multiple failed authentication attempts), then the user's access allowance rate would have dropped below a success rate threshold, and the application server will deny the user access to the application).

16. Regarding claims 10 and 20, Addala teaches the method and the system, wherein the request failure rate comprises at least one of: a denial count for request credentials satisfying the security credential; a percentage of request credentials satisfying the security credential and denied access to the resource; or a percentage of request credentials satisfying the security credential and granted access to the resource (Col. 5, lines 40-61 teaches that the user's access allowance rate information may be stored locally (e.g., on the application server). The information may include statistics or other records relating to completed authentication attempts for the user by the primary authentication mechanism. For example, the allowance rate information could include a table showing that the user identifier for the user has been associated with five successful and one unsuccessful completed authentication by the primary authentication mechanism in the past month. For another example, the allowance rate information could include a single value of ninety-seven that indicates that ninety-seven percent of the time in the last year this user was allowed access to the application after the primary authentication mechanism completed authentication attempts on the user's credentials (compared to only three percent denials after completed authentication attempts). Further, in some embodiments, the access allowance rate information may also include records relating to whether or not past authentication attempts were actually completed).
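The allowance-rate gatekeeping the examiner attributes to Addala in items 11 through 16 above (primary gatekeeper, secondary gatekeeper with a single minimum-rate threshold, secondary credentials, quarantine access, and the JSmith narrative), as an added worked example that is not part of this Office action, of the Addala reference or of the applicant's disclosure. The class and method names, the RJones and SMichaels rows, the twenty-attempt window, and the secondary answers are assumptions constructed for illustration:

```python
from collections import deque

# Constructed sample data, not taken from the Addala reference: the five most
# recent completed primary authentication attempts per user identifier
# (True = authenticated). LStein's row mirrors the Office action's description
# of the table: three successes and two failures in the last five attempts.
SAMPLE_ATTEMPTS = {
    "RJones": [True, True, True, True, True],
    "SMichaels": [True, True, True, True, False],
    "LStein": [True, False, True, True, False],
}

# Assumed (constructed) secondary credentials: security question/answer pairs.
SAMPLE_SECONDARY = {
    "JSmith": {"mother_maiden_name": "Doe", "place_of_birth": "Springfield"},
}


class AccessGatekeeper:
    """Primary and secondary access modules as the Office action describes them:
    the allowance rate is the success rate over the `window` most recent completed
    primary attempts, and `min_rate` (percent) is the single-threshold criterion."""

    def __init__(self, secondary_credentials, min_rate=90.0, window=5):
        self.secondary = secondary_credentials
        self.min_rate = min_rate
        self.window = window
        self.stats = {}  # user identifier -> deque of completed-attempt results

    def record_completed_attempt(self, user_id, success):
        """Authentication server notification: a primary attempt completed."""
        history = self.stats.setdefault(user_id, deque(maxlen=self.window))
        history.append(bool(success))

    def allowance_rate(self, user_id):
        """Percent of recent completed attempts that succeeded; None if no history."""
        history = self.stats.get(user_id)
        if not history:
            return None
        return 100.0 * sum(history) / len(history)

    def request_access(self, user_id, primary_result, secondary_answer=None):
        """Returns 'full', 'quarantine' or 'deny' for one access request.

        primary_result: True/False for a completed primary attempt, None if
        the authentication server could not complete it (unreachable/bypassed).
        """
        if primary_result is not None:
            # Primary gatekeeper: the completed attempt updates the statistics,
            # and only an authenticated user gets full access.
            self.record_completed_attempt(user_id, primary_result)
            return "full" if primary_result else "deny"
        # Secondary gatekeeper: compare the allowance rate with the criteria.
        rate = self.allowance_rate(user_id)
        if rate is None or rate < self.min_rate:
            return "deny"
        # Criteria satisfied: secondary credentials buy quarantine access only.
        expected = self.secondary.get(user_id)
        if expected is None or secondary_answer != expected:
            return "deny"
        return "quarantine"


def jsmith_scenario():
    """Replays the JSmith narrative: 95% passes the 90% threshold, then drops."""
    gk = AccessGatekeeper(SAMPLE_SECONDARY, min_rate=90.0, window=20)
    for _ in range(19):
        gk.record_completed_attempt("JSmith", True)
    gk.record_completed_attempt("JSmith", False)  # allowance rate is now 95%
    week2 = gk.request_access("JSmith", None, SAMPLE_SECONDARY["JSmith"])
    for _ in range(3):  # multiple failed attempts during the third week
        gk.record_completed_attempt("JSmith", False)
    week3 = gk.request_access("JSmith", None)  # thief bypasses the auth server
    return week2, week3, gk.allowance_rate("JSmith")


if __name__ == "__main__":
    print(jsmith_scenario())  # ('quarantine', 'deny', 80.0)
```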

Claim Rejections - 35 USC § 103
17. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

18. Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Addala (US Pub. No. 9,438,604) as applied to claims 1 and 11 above, and further in view of Atzmony (US Pat. No. 7,945,776).

19. Regarding claims 8 and 18, Addala teaches all the above claimed limitations, but does not expressly teach the method and the system wherein the security credential comprises at least one of a public key or a hash message authentication code (HMAC) key.

Atzmony teaches the security credential comprises at least one of a public key or a hash message authentication code (HMAC) key (Col. 16, lines 38-44 teaches that the security credential comprises a Hashed Message Authentication Code (HMAC) key).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Addala so that the security credential comprises a hash message authentication code (HMAC) key, as taught by Atzmony, since such a setup would yield the predictable result of providing secure access to computer resources.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571) 270-0506. The examiner can normally be reached on Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DEREENA T CATTUNGAL/            Primary Examiner, Art Unit 2431