Prosecution Insights
Last updated: July 17, 2026
Application No. 17/940,299

PROXIMITY-AWARE MULTIFACTOR AUTHENTICATION FOR CONTINUOUS TRUSTED ACCESS

Final Rejection §103
Filed
Sep 08, 2022
Examiner
DUFFIELD, JEREMY S
Art Unit
2498
Tech Center
2400 — Computer Networks
Assignee
Cisco Technology Inc.
OA Round
6 (Final)
49%
Grant Probability
Moderate
7-8
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 49% of resolved cases
49%
Career Allowance Rate
219 granted / 445 resolved
-8.8% vs TC avg
Strong +52% interview lift
Without
With
+52.4%
Interview Lift
resolved cases with interview
Typical timeline
3y 9m
Avg Prosecution
19 currently pending
Career history
472
Total Applications
across all art units

Statute-Specific Performance

§101
0.8%
-39.2% vs TC avg
§103
95.2%
+55.2% vs TC avg
§102
1.8%
-38.2% vs TC avg
§112
1.8%
-38.2% vs TC avg
Black line = Tech Center average estimate • Based on career data from 445 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments, see pages 12-16, filed 11 May 2026, with respect to the rejection of claims 1, 2, 4-6, 8-10, 12-17, and 19-24 under 35 U.S.C. 103 have been fully considered and are persuasive in view of the new claim amendments. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Koutenaei et al. (US 2016/0269403 A1), Lynn et al. (US 2020/0322330 A1), and Malik et al. (US 2023/0275886 A1). See the 35 U.S.C. 103 section below for detailed analysis. Claim Objections Claim 1 is objected to because of the following informalities: Regarding claim 1, line 10—“the monitoring service”, lacks sufficient antecedent basis for the claim. It appears that “the monitoring service” is referring to “a monitoring service” of line 12. This objection may be overcome by moving “wherein the monitoring service is associated with a Continuous Access Evaluation (CAEP) service” of lines 10-11 to be after the “sending…authentication” limitation of lines 12-13. Regarding claim 1, line 15—“authentication , a logout instruction” includes an extra space before the comma. Appropriate correction is required. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1, 2, 4, 5, 8-10, 12, 13, 16, 17, 19, 20, and 24 are rejected under 35 U.S.C. 103 as being unpatentable over by Koutenaei et al. (US 2016/0269403 A1) in view of Lynn et al. (US 2020/0322330 A1) and further in view of Malik et al. (US 2023/0275886 A1). Regarding claim 1, Koutenaei teaches a method comprising: monitoring a proximity-based direct networking connection between a primary device, e.g., browsing device 10 (Fig. 1, el. 10), and a secondary device, e.g., authentication device 20 (Fig. 1, el. 20), associated with a multi-factor authentication (MFA) application executing on the secondary device, the proximity-based direct networking connection established in association with an authentication of the primary device as a MFA-authenticated primary device to access a resource and using the secondary device associated with the MFA application, e.g., prior to process 200, in order to set up this multi-factor authentication (MFA), the user needs to assign a device as the browsing device 10 and another device as the authentication device 20 (Fig. 2, el. 200; Para. 25); at 203, the user downloads and installs the authentication application—MFA application-- on the assigned authentication device 20 (Fig. 2, el. 203; Para. 27); once the authentication application is downloaded and opened for the first time, the authentication application acquires the user's biometric information, and once the user is locally authenticated for the first time based on the acquired biometric, at 207, the application on the authentication device 20 and the browsing device 10 must be registered and paired (Fig. 2, el. 207; Para. 29); at 209, a secure communication channel is established between the user's browsing device 10 and the authentication device 20 (Fig. 2, el. 209; Para. 30); at 211, the authentication device 20 and the browsing device 10 are registered with the authentication server 30 thereby to complete the initial setup process (Fig. 1, el. 30; Fig. 2, el. 211; Para. 31); an authentication or authorization process 300 after the user has completed the initial setup, therefore, the browsing device 10 and the authentication device 20 are already paired and a secure communication channel has been setup between them, and the user takes (at 301) an action on his/her browsing device 10 that requires authentication or authorization (for instance, log into an application, online account, webpage, VPN, a computing device, the browsing device and the like) the browsing device 10 requests to start communicating with the authentication device 20 (Fig. 3, el. 300, 301; Para. 33); after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403), wherein this process of checking proximity varies based on the method of connection between the browsing device 10 and the authentication device 20, via any number of protocols or techniques, such as Wi-Fi, Bluetooth, cable, NFC, and the like (Fig. 4, el. 401, 403; Para. 53), determining, based at least in part on the monitoring, that a proximity between the MFA-authenticated primary device and the secondary device exceeds a threshold proximity subsequent to the authentication…, e.g., after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403) (Fig. 4, el. 401, 403; Para. 53); if the browsing device 10 cannot detect the presence of authentication device 20, the authentication expires and the user's access to accounts, website, and the like is denied (Para. 54); sending, to a monitoring service, e.g., authentication server 30 (Fig. 1, el. 30), an indication that the proximity exceeds the threshold proximity subsequent to the authentication, e.g., after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403) (Fig. 4, el. 401, 403; Para. 53); a message (405) may be sent from the browsing device 10 to authentication server 30 indicating the authentication device 20 is not in proximity of the browsing device (Fig. 4, el. 405; Para. 54); receiving…based at least in part on the proximity exceeding the threshold proximity subsequent to the authentication, a logout instruction to restrict the access to the resource for the MFA-authenticated primary device, e.g., the authentication device 20 not being in the proximity of the browsing device 10 means that the user has left the browsing device 10 taking the authentication device 20 (e.g. smartphone or smart wearable) with them, and that session must be expired and the user must be logged out, as the user is not present, and therefore as long as auto-logout based on proximity of two device is enabled on a secured account, application or website, there is no need to use auto-logout based on time (Para. 55); and based at least in part on the logout instruction, causing a logout event for the resource…, the logout event including restriction of the access to…the resource for the MFA-authenticated primary device subsequent to the authentication…, e.g., the authentication device 20 not being in the proximity of the browsing device 10 means that the user has left the browsing device 10 taking the authentication device 20 (e.g. smartphone or smart wearable) with them, and that session must be expired and the user must be logged out, as the user is not present, and therefore as long as auto-logout based on proximity of two device is enabled on a secured account, application or website, there is no need to use auto-logout based on time (Para. 55). Koutenaei does not clearly teach wherein the monitoring service is associated with a Continuous Access Evaluation Protocol (CAEP) service; receiving, from the monitoring service and based at least in part on the proximity exceeding the threshold proximity subsequent to the authentication, a logout instruction to restrict the access to the resource for the MFA-authenticated primary device; and based at least in part on the logout instruction, causing a logout event for the resource and using a CAEP protocol, the logout event including restriction of the access to a first portion of the resource for the MFA-authenticated primary device subsequent to the authentication and while maintaining the access to a second portion of the resource subsequent to the proximity exceeding the threshold proximity. Lynn teaches monitoring a proximity-based direct networking connection between a primary device, e.g., access device 110 (Fig. 1, el. 110), and a secondary device, e.g., continuous multifactor authentication (CMFA) device 120 (Fig. 1, el. 120), associated with a multi-factor authentication (MFA) application, e.g., CMFA application 150 (Fig. 1, el. 150), executing on the secondary device, the proximity-based direct networking connection established in association with an authentication of the primary device as a MFA-authenticated primary device to access a resource and using the secondary device associated with the MFA application, e.g., the system illustrated in FIG. 14 can allow User 100 to bind their digital identity with the devices used to authenticate and connect to a service or resource, wherein such binding can increase a trust score provided by a CMFA Device 120 when the user is accessing a service using Access Device 110, wherein the system can ensure with high trust the physical proximity of User 100 to Access Device 110, and CMFA Device 120 can act as a trusted proxy in verifying this physical presence (Fig. 14; Para. 119); Trusted Authentication Provider 160 binds (1590) Access Device 110 and CMFA Device 120, wherein this binding can signify using the identification credential to verify the physical proximity of Access Device 110 to CMFA Device 120 (Fig. 1, el. 160; Fig. 15, el. 1590; Para. 124); CMFA Device 120 collects (800) a plurality of types of identifying data from User 100 and contextual information from applications on CMFA Device 120, wherein this can include biometric data like fingerprints or retinal scans, behavioral data like movement or browsing activity, or contextual data like geospatial location or proximity to another device (Fig. 8, el. 800; Para. 85); in addition to using Trust Score 710 to permit access (to initiate a session) with a service, Trust Score 710 can be repeatedly refreshed, and a session can be permitted to continue as long as Trust Score 710 remains above the threshold specified by the application or service provider policy (Para. 92); trust factors can include contextual information (such as location or proximate device information, device orientation, background applications, etc.), biometric information, or behavioral information (Para. 94); determining, based at least in part on the monitoring, that a proximity between the MFA-authenticated primary device and the secondary device exceeds a threshold proximity subsequent to the authentication…, e.g., Trusted Authentication Provider 160 binds (1590) Access Device 110 and CMFA Device 120, wherein this binding can signify using the identification credential to verify the physical proximity of Access Device 110 to CMFA Device 120 (Fig. 1, el. 160; Fig. 15, el. 1590; Para. 124); in addition to using Trust Score 710 to permit access (to initiate a session) with a service, Trust Score 710 can be repeatedly refreshed, and a session can be permitted to continue as long as Trust Score 710 remains above the threshold specified by the application or service provider policy (Para. 92); trust factors can include contextual information (such as location or proximate device information, device orientation, background applications, etc.), biometric information, or behavioral information (Para. 94); sending, to a monitoring service, e.g., Trusted Authentication Provider 160 (Fig. 1, el. 160), an indication that the proximity exceeds the threshold proximity subsequent to the authentication, e.g., upon receiving an IDActivKey and a trust score—an indication that the proximity exceeds the threshold proximity--, Trusted Authentication Provider 160 can use this information in tandem with the access requirements received from Application Provider 170 to authenticate a session with Application Provider 170 on behalf of Application Provider 170 (Par. 44); the identification credential is derived by combining a user's biometric information and hardware cryptographic information given the appropriate “context” of the user (such as location, proximity to another device, or other contextual information) (Para. 28); in response CMFA Device 120 can then collect (304) biometric and behavior information from the user and any contextual information, and can create (306) an IDActivKey (Para. 53); CMFA Device 120 collects (800) a plurality of types of identifying data from User 100 and contextual information from applications on CMFA Device 120, wherein this can include biometric data like fingerprints or retinal scans, behavioral data like movement or browsing activity, or contextual data like geospatial location or proximity to another device (Para. 85); in addition to using Trust Score 710 to permit access (to initiate a session) with a service, Trust Score 710 can be repeatedly refreshed, and a session can be permitted to continue as long as Trust Score 710 remains above the threshold specified by the application or service provider policy (Para. 92); trust factors can include contextual information (such as location or proximate device information, device orientation, background applications, etc.), biometric information, or behavioral information (Para. 94); receiving, from the monitoring service and based at least in part on the proximity exceeding the threshold proximity subsequent to the authentication, a logout instruction to restrict the access to the resource for the MFA-authenticated primary device, e.g., IDActivKey Comparison Service 210 can compare an IDActivKey stored on Trusted Authentication Provider 160 with the updated IDActivKey sent across Secure Dual-VPN Tunnel 200, wherein if the variation too large, then Trusted Authentication Provider 160 can fail to authenticate a session or terminate the current session through Access Policy Compliance Service 220, or change the access level of User 100 (Para. 49); Access Policy Compliance Service 220 takes information from IDActivKey Comparison Service 210 and the updated trust score to make any needed changes to the existing access policy—such as to terminate or suspend an active session, or alter access levels (Para. 50); Trusted Authentication Provider 160 can send new access policies in response to new information during a session (Para. 45); this allows CMFA Device 120 to continually ensure that User 100 is authenticated, and if not, to terminate the session or change the access level of User 100 (Para. 88); and based at least in part on the logout instruction, causing a logout event for the resource…, the logout event including restriction of the access to a first portion of the resource for the MFA-authenticated primary device subsequent to the authentication and while maintaining the access to a second portion of the resource subsequent to the proximity exceeding the threshold proximity, e.g., if the variation too large, then Trusted Authentication Provider 160 can fail to authenticate a session or terminate the current session through Access Policy Compliance Service 220, or change the access level of User 100, wherein for instance, having great certainty in the identity and compliance of User 100 can result in full access to an Application Provider 170, but lesser certainty can result in restricted access, while low certainty can result in authentication failure or session termination (Para. 49); Access Policy Compliance Service 220 takes information from IDActivKey Comparison Service 210 and the updated trust score to make any needed changes to the existing access policy—such as to terminate or suspend an active session, or alter access levels (Para. 50); Trusted Authentication Provider 160 can send new access policies in response to new information during a session (Para. 45); this allows CMFA Device 120 to continually ensure that User 100 is authenticated, and if not, to terminate the session or change the access level of User 100 (Para. 88). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Koutenaei to include receiving, from the monitoring service and based at least in part on the proximity exceeding the threshold proximity subsequent to the authentication, a logout instruction to restrict the access to the resource for the MFA-authenticated primary device; and based at least in part on the logout instruction, causing a logout event for the resource, the logout event including restriction of the access to a first portion of the resource for the MFA-authenticated primary device subsequent to the authentication and while maintaining the access to a second portion of the resource subsequent to the proximity exceeding the threshold proximity, using the known method of generating an IDActivKey from proximity data, sending the IDActivKey to the Trusted Authentication Provider, determining, at the Provider, that the IDActivKey has too much variation from a stored IDActivKey, and altering access levels, as taught by Lynn, in combination with the MFA system of Koutenaei, for the purpose of continuously utilizing multi-factor authentication techniques to verify the identity of a user and authenticate access devices to ensure device and networking security, and doing so in such a way that sensitive information is shielded from data collection practices (Lynn-Para. 26). Koutenaei in view of Lynn does not clearly teach wherein the monitoring service is associated with a Continuous Access Evaluation Protocol (CAEP) service; and based at least in part on the logout instruction, causing a logout event for the resource and using a CAEP protocol, the logout event including restriction of the access to a first portion of the resource for the MFA-authenticated primary device subsequent to the authentication and while maintaining the access to a second portion of the resource subsequent to the proximity exceeding the threshold proximity. Malik teaches wherein the monitoring service is associated with a Continuous Access Evaluation Protocol (CAEP) service, e.g., continuous access evaluation is a mechanism by way of which a backend service of a resource provider be informed, in real-time (or near real-time), of changes in the client's access permissions (Para. 24); the proxy service 106 and/or resource provider 104 may be granted continuous access evaluation (CAE) for the client computing device 102 and/or a user of the client computing device 102 (Fig. 1, el. 102, 104, 106; Para. 33); CAE communication session 200 is a communication session between client computing device 102 (and/or a particular user of client device 102) and resource provider 104 (Fig. 2A, el. 200; Para. 35); sending, to a monitoring service, an indication that the proximity exceeds the threshold proximity subsequent to the authentication, e.g., upon detecting a critical event that causes the user's credentials to fail the access policies, the IDP backend 118 may provide an indication of the critical event to proxy backend 116, wherein the proxy backend 116 may reject ATs whose corresponding client device access permissions are effected, and in at least one embodiment, the RP backend 114 may be receive notifications of the detection of critical events, where the indication of the critical event (received by the proxy backend 116 or the RP backend 114) may further encode the updated status of the user's permissions, wherein the critical event may cause a revocation of the user's permissions or a narrowing (or limiting) of the user's access permissions (Fig. 1, el. 114, 116, 118; Para. 32); at a first moment in time, an access policy may indicate that a user of a client computing device 102 may be granted access to the resource provider 104, and the user may request a resource from resource provider 104, and resource provider 104 may redirect the client computing device to the first IDP 108, and based upon one or more conditions of the environment 100 and/or the user's credentials, the first IDP 108 may determine that the user's credentials satisfy a particular access policy (for the resource provider 104) implemented by the first IDP 108—authentication-- (Fig. 1, el. 108; Para. 30); at a second moment in time that is subsequent to the first moment in time, but prior to the AT expiring, a critical event may occur, where the triggering of the critical event may be such that if the particular access policy is evaluated after the second moment in time, the user's credentials would no longer satisfy the particular access policy, and accordingly, after the occurrence of the critical event, the user should no longer be granted access to the resource provider 104, wherein such critical events may include the client device 102 switching to an IP address that is outside of a geographical (or logical) range of allowable IP addresses (Para. 31); receiving, from the monitoring service and based at least in part on the proximity exceeding the threshold proximity subsequent to the authentication, a logout instruction to restrict the access to the resource for the …authenticated primary device, e.g., upon detecting a critical event that causes the user's credentials to fail the access policies, the IDP backend 118 may provide an indication of the critical event to proxy backend 116, wherein the proxy backend 116 may reject ATs whose corresponding client device access permissions are effected, and in at least one embodiment, the RP backend 114 may be receive notifications of the detection of critical events, where the indication of the critical event (received by the proxy backend 116 or the RP backend 114) may further encode the updated status of the user's permissions, wherein the critical event may cause a revocation of the user's permissions or a narrowing (or limiting) of the user's access permissions (Fig. 1, el. 114, 116, 118; Para. 32); at a second moment in time that is subsequent to the first moment in time, but prior to the AT expiring, a critical event may occur, where the triggering of the critical event may be such that if the particular access policy is evaluated after the second moment in time, the user's credentials would no longer satisfy the particular access policy, and accordingly, after the occurrence of the critical event, the user should no longer be granted access to the resource provider 104, wherein such critical events may include the client device 102 switching to an IP address that is outside of a geographical (or logical) range of allowable IP addresses (Para. 31); and based at least in part on the logout instruction, causing a logout event for the resource and using a CAEP protocol, the logout event including restriction of the access to…the resource for the …authenticated primary device subsequent to the authentication…, e.g., upon detecting a critical event that causes the user's credentials to fail the access policies, the IDP backend 118 may provide an indication of the critical event to proxy backend 116, wherein the proxy backend 116 may reject ATs whose corresponding client device access permissions are effected, and in at least one embodiment, the RP backend 114 may be receive notifications of the detection of critical events, where the indication of the critical event (received by the proxy backend 116 or the RP backend 114) may further encode the updated status of the user's permissions, wherein the critical event may cause a revocation of the user's permissions or a narrowing (or limiting) of the user's access permissions (Fig. 1, el. 114, 116, 118; Para. 32); the backend of the resource provider may subscribe to be notified (in real-time) for the detection of critical events (e.g., password reset, account deleted/disabled, high-risk user etc.) from the IDP and/or the proxy service (Para. 22); continuous access evaluation is a mechanism by way of which a backend service of a resource provider be informed, in real-time (or near real-time), of changes in the client's access permissions (Para. 24). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify Koutenaei in view of Lynn to include wherein the monitoring service is associated with a Continuous Access Evaluation Protocol (CAEP) service; and based at least in part on the logout instruction, causing a logout event for the resource and using a CAEP protocol, the logout event including restriction of the access to a first portion of the resource for the MFA-authenticated primary device subsequent to the authentication and while maintaining the access to a second portion of the resource subsequent to the proximity exceeding the threshold proximity, using the known method of utilizing continuous access evaluation protocol to provide authentication monitoring after the initial authentication of the client device, as taught by Malik, in combination with the proximity authentication system of Koutenaei in view of Lynn, for the purpose of providing a mechanism to continuously monitor environmental conditions and detect when conditions change such that the client’s permission to access the provider’s resource should also change (Malik-Para. 18). Regarding claim 2, Koutenaei in view of Lynn in view of Malik teaches the method of claim 1, further comprising detecting a disconnection in the proximity-based direct networking connection between the MFA-authenticated primary device and the secondary device, wherein determining that the proximity between the MFA-authenticated primary device and the secondary device exceeds the threshold proximity is based at least in part on detecting the disconnection, e.g., a pair of devices may be considered to be in each other's proximity if they are within a predefined range of each other, and a pair of devices may be considered to be in each other's proximity if they are connected to the same WiFi/LAN network, same cellular network, and the like, and a pair of devices may be considered to be in each other's proximity if they are able to send and receive Bluetooth beacons (Koutenaei-Para. 20); after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403), wherein for example, the browser device 10, may send a ping (401) to authentication device 20 over Bluetooth, and if the authentication device 20 is in close proximity to receive the Bluetooth transmission, the authentication device 20 responds (403) to the browser device (Koutenaei-Para. 53). Regarding claim 4, Koutenaei in view of Lynn in view of Malik teaches the method of claim 1, wherein a communication protocol associated with the proximity-based direct networking connection is at least one of a short-range wireless communication protocol or a near-field communication (NFC) protocol, e.g., a pair of devices may be considered to be in each other's proximity if they are within a predefined range of each other, and a pair of devices may be considered to be in each other's proximity if they are connected to the same WiFi/LAN network, same cellular network, and the like, and a pair of devices may be considered to be in each other's proximity if they are able to send and receive Bluetooth beacons (Koutenaei-Para. 20). Regarding claim 5, Koutenaei in view of Lynn in view of Malik teaches the method of claim 1, further comprising: determining that the proximity-based direct networking connection has been established between the primary device and the secondary device; and responsive to determining that the proximity-based direct networking connection has been established between the primary device and the secondary device, causing the primary device to be authenticated as the MFA-authenticated primary device to access the resource, e.g., a pair of devices may be considered to be in each other's proximity if they are within a predefined range of each other, and a pair of devices may be considered to be in each other's proximity if they are connected to the same WiFi/LAN network, same cellular network, and the like, and a pair of devices may be considered to be in each other's proximity if they are able to send and receive Bluetooth beacons (Koutenaei-Para. 20); an authentication or authorization process 300 after the user has completed the initial setup, therefore, the browsing device 10 and the authentication device 20 are already paired and a secure communication channel has been setup between them, and the user takes (at 301) an action on his/her browsing device 10 that requires authentication or authorization (for instance, log into an application, online account, webpage, VPN, a computing device, the browsing device and the like) the browsing device 10 requests to start communicating with the authentication device 20 (Koutenaei-Fig. 3, el. 300, 301; Para. 33); after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403), wherein for example, the browser device 10, may send a ping (401) to authentication device 20 over Bluetooth, and if the authentication device 20 is in close proximity to receive the Bluetooth transmission, the authentication device 20 responds (403) to the browser device (Koutenaei-Para. 53); the system illustrated in FIG. 14 can allow User 100 to bind their digital identity with the devices used to authenticate and connect to a service or resource, wherein such binding can increase a trust score provided by a CMFA Device 120 when the user is accessing a service using Access Device 110, wherein the system can ensure with high trust the physical proximity of User 100 to Access Device 110, and CMFA Device 120 can act as a trusted proxy in verifying this physical presence (Lynn-Fig. 14; Para. 119); Trusted Authentication Provider 160 binds (1590) Access Device 110 and CMFA Device 120, wherein this binding can signify using the identification credential to verify the physical proximity of Access Device 110 to CMFA Device 120 (Lynn-Fig. 1, el. 160; Fig. 15, el. 1590; Para. 124). Regarding claim 8, Koutenaei in view of Lynn in view of Malik teaches the method of claim 1, wherein the proximity is at least one of a physical proximity or a networking proximity, e.g., after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403), wherein this process of checking proximity varies based on the method of connection between the browsing device 10 and the authentication device 20, via any number of protocols or techniques, such as Wi-Fi, Bluetooth, cable, NFC, and the like (Koutenaei-Fig. 4, el. 401, 403; Para. 53), the method further comprising: monitoring additional data associated with the MFA-authenticated primary device and the secondary device, the additional data indicative of either the physical proximity or the networking proximity, e.g., a pair of devices may be considered to be in each other's proximity if they are within a predefined range of each other, and a pair of devices may be considered to be in each other's proximity if they are connected to the same WiFi/LAN network, same cellular network, and the like, and a pair of devices may be considered to be in each other's proximity if they are able to send and receive Bluetooth beacons (Koutenaei-Para. 20); after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403), wherein for example, the browser device 10, may send a ping (401) to authentication device 20 over Bluetooth, and if the authentication device 20 is in close proximity to receive the Bluetooth transmission, the authentication device 20 responds (403) to the browser device (Koutenaei-Para. 53), the additional data including at least one of: global positioning system (GPS) data associated with each of the MFA-authenticated primary device and the secondary device, the GPS data indicative of the physical proximity between the MFA-authenticated primary device and the secondary device; network connection data associated with each of the MFA-authenticated primary device and the secondary device, the network connection data indicative of at least one of the physical proximity or the networking proximity between the MFA-authenticated primary device and the secondary device; network interface data associated with each of the MFA-authenticated primary device and the secondary device, the network interface data indicative of at least one of the physical proximity or the networking proximity between the MFA-authenticated primary device and the secondary device, e.g., a pair of devices may be considered to be in each other's proximity if they are within a predefined range of each other, and a pair of devices may be considered to be in each other's proximity if they are connected to the same WiFi/LAN network, same cellular network, and the like, and a pair of devices may be considered to be in each other's proximity if they are able to send and receive Bluetooth beacons (Koutenaei-Para. 20); after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403), wherein for example, the browser device 10, may send a ping (401) to authentication device 20 over Bluetooth, and if the authentication device 20 is in close proximity to receive the Bluetooth transmission, the authentication device 20 responds (403) to the browser device (Koutenaei-Para. 53). Regarding claim 9, it is a system claim that recites limitations similar to the ones of the method claim 1. Therefore, claim 9 is rejected for the same rationale and motivation as applied against claim 1. Koutenaei in view of Lynn in view of Malik further teaches a system comprising: one or more processors, e.g., processor 1202 (Koutenaei-Fig. 12, el. 1202); circuitry 1200, some or all of which may be included in, for example, authentication device 20, browsing device 10, and/or authentication server 30, wherein circuitry 1200 can include various means, such as processor 1202 (Koutenaei-Para. 153); and one or more non-transitory computer-readable media storing instructions that, when executed, cause the one or more processors to perform operations, e.g., memory 1204 (Koutenaei-Fig. 12, el. 1204); circuitry 1200, some or all of which may be included in, for example, authentication device 20, browsing device 10, and/or authentication server 30, wherein circuitry 1200 can include various means, such as memory 1204 (Koutenaei-Para. 153). Regarding claim 10, Koutenaei in view of Lynn in view of Malik teaches the system of claim 9 as outlined above. In addition, Claim 10 is a system claim that recites limitations similar to the ones of the method claim 2. Therefore, claim 10 is rejected for the same rationale and motivation as applied against claim 2. Regarding claim 12, Koutenaei in view of Lynn in view of Malik teaches the system of claim 9 as outlined above. In addition, claim 12 is a system claim that recites limitations similar to the ones of the method claim 4. Therefore, claim 12 is rejected for the same rationale and motivation as applied against claim 4. Regarding claim 13, Koutenaei in view of Lynn in view of Malik teaches the system of claim 9 as outlined above. In addition, claim 13 is a system claim that recites limitations similar to the ones of the method claim 5. Therefore, claim 13 is rejected for the same rationale and motivation as applied against claim 5. Regarding claim 16, it is a non-transitory computer-readable media claim that recites limitations similar to the ones of the method claim 1. Therefore, claim 16 is rejected for the same rationale and motivation as applied against claim 1. Koutenaei in view of Lynn in view of Malik further teaches one or more non-transitory computer-readable media, e.g., memory 1204 (Koutenaei-Fig. 12, el. 1204); circuitry 1200, some or all of which may be included in, for example, authentication device 20, browsing device 10, and/or authentication server 30, wherein circuitry 1200 can include various means, such as memory 1204 (Koutenaei-Para. 153), storing instructions that, when executed, cause one or more processors, e.g., processor 1202 (Koutenaei-Fig. 12, el. 1202); circuitry 1200, some or all of which may be included in, for example, authentication device 20, browsing device 10, and/or authentication server 30, wherein circuitry 1200 can include various means, such as processor 1202 (Koutenaei-Para. 153), to perform operations. Regarding claim 17, Koutenaei in view of Lynn in view of Malik teaches the non-transitory computer-readable media of claim 16 as outlined above. In addition, Claim 17 is a non-transitory computer-readable media claim that recites limitations similar to the ones of the method claim 2. Therefore, claim 17 is rejected for the same rationale and motivation as applied against claim 2. Regarding claim 19, Koutenaei in view of Lynn in view of Malik teaches the non-transitory computer-readable media of claim 16 as outlined above. In addition, claim 19 is a non-transitory computer-readable media claim that recites limitations similar to the ones of the method claim 4. Therefore, claim 19 is rejected for the same rationale and motivation as applied against claim 4. Regarding claim 20, Koutenaei in view of Lynn in view of Malik teaches the non-transitory computer-readable media of claim 16 as outlined above. In addition, claim 20 is a non-transitory computer-readable media claim that recites limitations similar to the ones of the method claim 5. Therefore, claim 20 is rejected for the same rationale and motivation as applied against claim 5. Regarding claim 24, Koutenaei in view of Lynn in view of Malik teaches the method of claim 1, wherein the authentication is an initial session authentication, the method further comprising: determining that the proximity between the MFA-authenticated primary device and the secondary device exceeds the threshold proximity during an existing session, e.g., after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403) (Koutenaei-Fig. 4, el. 401, 403; Para. 53); if the browsing device 10 cannot detect the presence of authentication device 20, the authentication expires and the user's access to accounts, website, and the like is denied (Koutenaei-Para. 54); Also note Lynn discloses in addition to using Trust Score 710 to permit access (to initiate a session) with a service, Trust Score 710 can be repeatedly refreshed, and a session can be permitted to continue as long as Trust Score 710 remains above the threshold specified by the application or service provider policy (Lynn-Para. 92); and trust factors can include contextual information (such as location or proximate device information, device orientation, background applications, etc.), biometric information, or behavioral information (Lynn-Para. 94); wherein receiving the logout instruction is further based at least in part on the proximity exceeding the threshold proximity subsequent to the initial session authentication and during the existing session, e.g., the authentication device 20 not being in the proximity of the browsing device 10 means that the user has left the browsing device 10 taking the authentication device 20 (e.g. smartphone or smart wearable) with them, and that session must be expired and the user must be logged out, as the user is not present, and therefore as long as auto-logout based on proximity of two device is enabled on a secured account, application or website, there is no need to use auto-logout based on time (Koutenaei-Para. 55); Also note Lynn discloses IDActivKey Comparison Service 210 can compare an IDActivKey stored on Trusted Authentication Provider 160 with the updated IDActivKey sent across Secure Dual-VPN Tunnel 200, wherein if the variation too large, then Trusted Authentication Provider 160 can fail to authenticate a session or terminate the current session through Access Policy Compliance Service 220, or change the access level of User 100 (Lynn-Para. 49); Access Policy Compliance Service 220 takes information from IDActivKey Comparison Service 210 and the updated trust score to make any needed changes to the existing access policy—such as to terminate or suspend an active session, or alter access levels (Lynn-Para. 50); Trusted Authentication Provider 160 can send new access policies in response to new information during a session (Lynn-Para. 45); and this allows CMFA Device 120 to continually ensure that User 100 is authenticated, and if not, to terminate the session or change the access level of User 100 (Lynn-Para. 88). Claims 6, 14, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Koutenaei in view of Lynn in view of Malik and further in view of Xia et al. (US 2020/0233949 A1). Regarding claim 6, Koutenaei in view of Lynn in view of Malik teaches the method of claim 1. Koutenaei in view of Lynn further teaches …the MFA-authenticated primary device…, e.g., the system illustrated in FIG. 14 can allow User 100 to bind their digital identity with the devices used to authenticate and connect to a service or resource, wherein such binding can increase a trust score provided by a CMFA Device 120 when the user is accessing a service using Access Device 110, wherein the system can ensure with high trust the physical proximity of User 100 to Access Device 110, and CMFA Device 120 can act as a trusted proxy in verifying this physical presence (Lynn-Fig. 14; Para. 119); Trusted Authentication Provider 160 binds (1590) Access Device 110 and CMFA Device 120, wherein this binding can signify using the identification credential to verify the physical proximity of Access Device 110 to CMFA Device 120 (Lynn-Fig. 1, el. 160; Fig. 15, el. 1590; Para. 124); and wherein causing the restriction of the access to the first portion of the resource for the MFA-authenticated primary device…, e.g., if the variation too large, then Trusted Authentication Provider 160 can fail to authenticate a session or terminate the current session through Access Policy Compliance Service 220, or change the access level of User 100, wherein for instance, having great certainty in the identity and compliance of User 100 can result in full access to an Application Provider 170, but lesser certainty can result in restricted access, while low certainty can result in authentication failure or session termination (Lynn-Para. 49); Access Policy Compliance Service 220 takes information from IDActivKey Comparison Service 210 and the updated trust score to make any needed changes to the existing access policy—such as to terminate or suspend an active session, or alter access levels (Lynn-Para. 50); Trusted Authentication Provider 160 can send new access policies in response to new information during a session (Lynn-Para. 45); this allows CMFA Device 120 to continually ensure that User 100 is authenticated, and if not, to terminate the session or change the access level of User 100 (Lynn-Para. 88). Koutenaei in view of Lynn in view of Malik does not clearly teach further comprising: determining, based at least in part on the monitoring, a period of time in which the proximity between the MFA-authenticated primary device and the secondary device has exceeded the threshold proximity; determining that the period of time meets or exceeds a threshold period of time; and wherein causing the restriction of the access to the first portion of the resource for the MFA-authenticated primary device is further based at least in part on the period of time meeting or exceeding the threshold period of time. Xia teaches determining, based at least in part on the monitoring, a period of time in which the proximity between the…primary device and the secondary device has exceeded the threshold proximity, e.g., (Xia [0126] In addition to verifying that the same mobile device 110 both sends the authentication data 230 and enters proximity of the resource 120, the resource 120 may enforce a time limit between the transmission of the authentication data 230 and the detection of proximity of the device 110. For example, when the mobile device 110 sends the authentication data 230, the server system 130 or resource 120 may determine a time when the authentication data 230 is received. The resource 120 may then require the same mobile device 110 that sent the authentication data 230 to enter the predetermined level of proximity within a predetermined time period, e.g., 5 seconds, 15 seconds, 1 minute, etc.); determining that the period of time meets or exceeds a threshold period of time, e.g., (Xia [0126] If the proximity of the mobile device 110 cannot be verified within an appropriate time window before and/or after the transmission of the authentication data 230 or the sending of the message 210, the resource 120 may deny access); wherein causing the restriction of the access to…the resource for the…primary device is further based at least in part on the period of time meeting or exceeding the threshold period of time, e.g., (Xia [0126] If the proximity of the mobile device 110 cannot be verified within an appropriate time window before and/or after the transmission of the authentication data 230 or the sending of the message 210, the resource 120 may deny access). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Koutenaei in view of Lynn in view of Malik to include determining, based at least in part on the monitoring, a period of time in which the proximity between the MFA-authenticated primary device and the secondary device has exceeded the threshold proximity; determining that the period of time meets or exceeds a threshold period of time; and wherein causing the restriction of the access to the first portion of the resource for the primary device is further based at least in part on the period of time meeting or exceeding the threshold period of time, using the known method of verifying the proximity of the device within a time window, as taught by Xia, in combination with the MFA system of Koutenaei in view of Lynn in view of Malik, for the purpose of providing the user with more flexibility regarding proximity and when the system restricts the user’s access. Regarding claim 14, claim 14 is rejected for the same rationale and motivation as applied against claim 6. Regarding claim 21, Koutenaei in view of Lynn in view of Malik teaches the method of claim 1. Koutenaei further teaches wherein the proximity-based direct networking connection is a first proximity-based direct networking connection, the primary device is a first primary device, the secondary device is a first secondary device, the proximity is a first proximity, and the logout instruction is a first logout instruction, the method further comprising: monitoring a…proximity-based direct networking connection between a…primary device and a…secondary device, the…proximity-based direct networking connection established in association with the authentication of the…primary device as a MFA-authenticated…primary device to access a first application, e.g., prior to process 200, in order to set up this multi-factor authentication (MFA), the user needs to assign a device as the browsing device 10 and another device as the authentication device 20 (Fig. 2, el. 200; Para. 25); at 203, the user downloads and installs the authentication application—MFA application-- on the assigned authentication device 20 (Fig. 2, el. 203; Para. 27); once the authentication application is downloaded and opened for the first time, the authentication application acquires the user's biometric information, and once the user is locally authenticated for the first time based on the acquired biometric, at 207, the application on the authentication device 20 and the browsing device 10 must be registered and paired (Fig. 2, el. 207; Para. 29); at 209, a secure communication channel is established between the user's browsing device 10 and the authentication device 20 (Fig. 2, el. 209; Para. 30); at 211, the authentication device 20 and the browsing device 10 are registered with the authentication server 30 thereby to complete the initial setup process (Fig. 1, el. 30; Fig. 2, el. 211; Para. 31); an authentication or authorization process 300 after the user has completed the initial setup, therefore, the browsing device 10 and the authentication device 20 are already paired and a secure communication channel has been setup between them, and the user takes (at 301) an action on his/her browsing device 10 that requires authentication or authorization (for instance, log into an application, online account, webpage, VPN, a computing device, the browsing device and the like) the browsing device 10 requests to start communicating with the authentication device 20 (Fig. 3, el. 300, 301; Para. 33); after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403), wherein this process of checking proximity varies based on the method of connection between the browsing device 10 and the authentication device 20, via any number of protocols or techniques, such as Wi-Fi, Bluetooth, cable, NFC, and the like (Fig. 4, el. 401, 403; Para. 53); determining, based at least in part on the monitoring, that a…proximity between the MFA-authenticated…primary device and the…secondary device exceeds the threshold proximity, e.g., after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403) (Fig. 4, el. 401, 403; Para. 53); if the browsing device 10 cannot detect the presence of authentication device 20, the authentication expires and the user's access to accounts, website, and the like is denied (Para. 54); sending, to the monitoring service, an indication that the…proximity exceeds the threshold proximity, e.g., after the user is authenticated and access to the account is granted, the browser device constantly checks if the authentication device 20 is in its proximity (items 401 and 403) (Fig. 4, el. 401, 403; Para. 53); a message (405) may be sent from the browsing device 10 to authentication server 30 indicating the authentication device 20 is not in proximity of the browsing device (Fig. 4, el. 405; Para. 54); receiving…based at least in part on the…proximity exceeding the threshold proximity, a…logout instruction to restrict the access to the first application…associated with the MFA-authenticated…primary device, e.g., the authentication device 20 not being in the proximity of the browsing device 10 means that the user has left the browsing device 10 taking the authentication device 20 (e.g. smartphone or smart wearable) with them, and that session must be expired and the user must be logged out, as the user is not present, and therefore as long as auto-logout based on proximity of two device is enabled on a secured account, application or website, there is no need to use auto-logout based on time (Para. 55); and based at least in part on the…logout instruction, causing a logout event for the first application, e.g., the authentication device 20 not being in the proximity of the browsing device 10 means that the user has left the browsing device 10 taking the authentication device 20 (e.g. smartphone or smart wearable) with them, and that session must be expired and the user must be logged out, as the user is not present, and therefore as long as auto-logout based on proximity of two device is enabled on a secured account, application or website, there is no need to use auto-logout based on time (Para. 55). Koutenaei does not clearly teach monitoring a second proximity-based direct networking connection between a second primary device and a second secondary device, the second proximity-based direct networking connection established in association with the authentication of authenticating the second primary device as a MFA-authenticated second primary device to access a first application associated with the second primary device; determining, based at least in part on the monitoring, that a second proximity between the MFA-authenticated second primary device and the second secondary device exceeds the threshold proximity; sending, to the monitoring service, an indication that the second proximity exceeds the threshold proximity; receiving, from the monitoring service and based at least in part on the second proximity exceeding the threshold proximity, a second logout instruction to restrict the access to the first application while maintaining the access to a second application associated with the MFA-authenticated second primary device; and based at least in part on the second logout instruction, causing a logout event for the first application. Lynn further teaches wherein the proximity-based direct networking connection is a first proximity-based direct networking connection, the primary device is a first primary device, the secondary device is a first secondary device, the proximity is a first proximity, and the logout instruction is a first logout instruction, the method further comprising: monitoring a…proximity-based direct networking connection between a…primary device and a…secondary device, the…proximity-based direct networking connection established in association with the authentication of the…primary device as a MFA-authenticated…primary device to access a first application, e.g., Application Provider 170 can be accessed through Application 190 on Access Device 110, wherein Application 190 can be an application that is specifically for accessing Application Provider 170 or can be a more general application (Fig. 1, el. 190; Para. 38); the system illustrated in FIG. 14 can allow User 100 to bind their digital identity with the devices used to authenticate and connect to a service or resource, wherein such binding can increase a trust score provided by a CMFA Device 120 when the user is accessing a service using Access Device 110, wherein the system can ensure with high trust the physical proximity of User 100 to Access Device 110, and CMFA Device 120 can act as a trusted proxy in verifying this physical presence (Fig. 14; Para. 119); Trusted Authentication Provider 160 binds (1590) Access Device 110 and CMFA Device 120, wherein this binding can signify using the identification credential to verify the physical proximity of Access Device 110 to CMFA Device 120 (Fig. 1, el. 160; Fig. 15, el. 1590; Para. 124); CMFA Device 120 collects (800) a plurality of types of identifying data from User 100 and contextual information from applications on CMFA Device 120, wherein this can include biometric data like fingerprints or retinal scans, behavioral data like movement or browsing activity, or contextual data like geospatial location or proximity to another device (Fig. 8, el. 800; Para. 85); in addition to using Trust Score 710 to permit access (to initiate a session) with a service, Trust Score 710 can be repeatedly refreshed, and a session can be permitted to continue as long as Trust Score 710 remains above the threshold specified by the application or service provider policy (Para. 92); trust factors can include contextual information (such as location or proximate device information, device orientation, background applications, etc.), biometric information, or behavioral information (Para. 94); determining, based at least in part on the monitoring, that a…proximity between the MFA-authenticated…primary device and the…secondary device exceeds the threshold proximity, e.g., Trusted Authentication Provider 160 binds (1590) Access Device 110 and CMFA Device 120, wherein this binding can signify using the identification credential to verify the physical proximity of Access Device 110 to CMFA Device 120 (Fig. 1, el. 160; Fig. 15, el. 1590; Para. 124); in addition to using Trust Score 710 to permit access (to initiate a session) with a service, Trust Score 710 can be repeatedly refreshed, and a session can be permitted to continue as long as Trust Score 710 remains above the threshold specified by the application or service provider policy (Para. 92); trust factors can include contextual information (such as location or proximate device information, device orientation, background applications, etc.), biometric information, or behavioral information (Para. 94); sending, to the monitoring service, an indication that the…proximity exceeds the threshold proximity, e.g., upon receiving an IDActivKey and a trust score—an indication that the proximity exceeds the threshold proximity--, Trusted Authentication Provider 160 can use this information in tandem with the access requirements received from Application Provider 170 to authenticate a session with Application Provider 170 on behalf of Application Provider 170 (Par. 44); the identification credential is derived by combining a user's biometric information and hardware cryptographic information given the appropriate “context” of the user (such as location, proximity to another device, or other contextual information) (Para. 28); in response CMFA Device 120 can then collect (304) biometric and behavior information from the user and any contextual information, and can create (306) an IDActivKey (Para. 53); CMFA Device 120 collects (800) a plurality of types of identifying data from User 100 and contextual information from applications on CMFA Device 120, wherein this can include biometric data like fingerprints or retinal scans, behavioral data like movement or browsing activity, or contextual data like geospatial location or proximity to another device (Para. 85); in addition to using Trust Score 710 to permit access (to initiate a session) with a service, Trust Score 710 can be repeatedly refreshed, and a session can be permitted to continue as long as Trust Score 710 remains above the threshold specified by the application or service provider policy (Para. 92); trust factors can include contextual information (such as location or proximate device information, device orientation, background applications, etc.), biometric information, or behavioral information (Para. 94); receiving, from the monitoring service and based at least in part on the…proximity exceeding the threshold proximity, a…logout instruction to restrict the access to the first application while maintaining the access to a second application associated with the MFA-authenticated…primary device, e.g., there can be any number of Applications 190 or Application Providers 170, wherein each Application Provider 170 can have its own access policy, and any IDActivKey will be unique to each respective Application Provider 170 (Para. 46); IDActivKey Comparison Service 210 can compare an IDActivKey stored on Trusted Authentication Provider 160 with the updated IDActivKey sent across Secure Dual-VPN Tunnel 200, wherein if the variation too large, then Trusted Authentication Provider 160 can fail to authenticate a session or terminate the current session through Access Policy Compliance Service 220, or change the access level of User 100 (Para. 49); Access Policy Compliance Service 220 takes information from IDActivKey Comparison Service 210 and the updated trust score to make any needed changes to the existing access policy—such as to terminate or suspend an active session, or alter access levels (Para. 50); Trusted Authentication Provider 160 can send new access policies in response to new information during a session (Para. 45); this allows CMFA Device 120 to continually ensure that User 100 is authenticated, and if not, to terminate the session or change the access level of User 100 (Para. 88); based at least in part on the…logout instruction, causing a logout event for the first application, e.g., if the variation too large, then Trusted Authentication Provider 160 can fail to authenticate a session or terminate the current session through Access Policy Compliance Service 220, or change the access level of User 100, wherein for instance, having great certainty in the identity and compliance of User 100 can result in full access to an Application Provider 170, but lesser certainty can result in restricted access, while low certainty can result in authentication failure or session termination (Para. 49); Access Policy Compliance Service 220 takes information from IDActivKey Comparison Service 210 and the updated trust score to make any needed changes to the existing access policy—such as to terminate or suspend an active session, or alter access levels (Para. 50); Trusted Authentication Provider 160 can send new access policies in response to new information during a session (Para. 45); this allows CMFA Device 120 to continually ensure that User 100 is authenticated, and if not, to terminate the session or change the access level of User 100 (Para. 88). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Koutenaei to include receiving, from the monitoring service and based at least in part on the proximity exceeding the threshold proximity, a logout instruction to restrict the access to the first application while maintaining the access to a second application associated with the MFA-authenticated primary device, using the known method of generating an IDActivKey from proximity data, sending the IDActivKey to the Trusted Authentication Provider, determining, at the Provider, that the IDActivKey has too much variation from a stored IDActivKey, and altering access levels, as taught by Lynn, in combination with the MFA system of Koutenaei, using the same motivation as in claim 1. Koutenaei in view of Lynn in view of Malik does not explicitly teach monitoring a second proximity-based direct networking connection between a second primary device and a second secondary device, the second proximity-based direct networking connection established in association with the authentication of authenticating the second primary device as a MFA-authenticated second primary device to access a first application associated with the second primary device; determining, based at least in part on the monitoring, that a second proximity between the MFA-authenticated second primary device and the second secondary device exceeds the threshold proximity; sending, to the monitoring service, an indication that the second proximity exceeds the threshold proximity; receiving, from the monitoring service and based at least in part on the second proximity exceeding the threshold proximity, a second logout instruction to restrict the access to the first application while maintaining the access to a second application associated with the MFA-authenticated second primary device; and based at least in part on the second logout instruction, causing a logout event for the first application. Xia further teaches wherein the proximity-based direct networking connection is a first proximity-based direct networking connection, the primary device is a first primary device, the secondary device is a first secondary device, the proximity is a first proximity, and the logout instruction is a first logout instruction, the method further comprising: monitoring a second proximity-based direct networking connection between a second primary device and a second secondary device, the second proximity-based direct networking connection established in association with the authentication of the second primary device…to access a first application associated with the second primary device, e.g., (Xia [0070] FIG. 1 is a diagram that illustrates an example of a system 100 for proximity-based access. The system 100 includes a resource 120, such as a personal computer or other device, and a trusted device 110, such as the mobile phone of a user 102. The system 100 also includes one or more server systems, represented by server 130, to communicate with the resource 120 and the trusted device 110. In the example, the user 102 has previously associated or registered the trusted device 110 as a security token for the user 102, to be used for gaining access to the resource 120. When the user 102 later brings the trusted device 110 into physical proximity of the resource 120, the resource 120 and the trusted device 110 detect each other and communicate to provide the user 102 access to the resource 120 and/or logical resources (e.g., web pages, files, virtual private networks (VPNs), etc.) accessed using the resource 120); a user performs an action that requires authentication, such as attempting to access a secured web site, web application, or VPN (Para. 219); users can set up associations between resources and devices so that proximity triggers automatic access without action by a system administrator (Para. 60); determining, based at least in part on the monitoring, that a second proximity between the…second primary device and the second secondary device exceeds the threshold proximity, e.g., (Xia [0120] The resource 120 compares the signal strength of received messages with a predetermined signal strength threshold representing a minimum distance at which automatic proximity-based authentication is permitted. When the signal strength meets or exceeds the signal strength threshold, the resource 120 determines that the device 110 is within the predetermined level of proximity needed to authorize access to the resource 120. The resource 120 may use multiple transmissions received from the device 110 to evaluate the signal strength over the wireless communication channel 105. For example, the resource 120 may compare an average of multiple signal strength values to the threshold to determine whether the device 110 is sufficiently near to justify providing access); users can set up associations between resources and devices so that proximity triggers automatic access without action by a system administrator (Para. 60); sending, to the monitoring service, an indication that the second proximity exceeds the threshold proximity, e.g., (Xia [0217] FIG. 9 is a diagram that illustrates an example of a system 900 for providing logical access based on proximity of a device. The system includes a mobile device 910, a computer 920, and a server 930. These elements can have the features discussed above for the mobile device 110, resource 120, and server 130; [0244] If the device 910 determines that one or more conditions on the credential are not satisfied, or that the computer 920 is not within the required level of proximity, then the device 910 may indicate to the server 930 that the authentication is not approved); receiving, from the monitoring service and based at least in part on the…threshold proximity, a second…instruction…, e.g., (Xia [0230] In step (953) the server 930 causes a message 932, such as a silent push notification, to be sent to the device 910. The message 932 can include a request for the device 910 to authenticate the session or verify that one or more conditions for authenticating the session are met. For example, the message 932 can instruct the device 910 to determine which devices are nearby. In some instances, the message 932 can instruct the device 910 to determine whether a specific device, e.g., the computer 920, is within a threshold level of proximity); and based at least in part on the second logout instruction, causing a logout event for the first application, e.g., as the second electronic device moves away, the first electronic device may lock itself or otherwise restrict access in response, wherein an access control agent can restrict access to the first electronic device (e.g., by locking a user session, logging out the user, etc.) in response to determining that the signal strength satisfies the threshold level that corresponds to automatically restricting access to the first electronic device (Para. 193); (Xia [0181] The first electronic device receives, over the wireless communication link, a message from a second electronic device, e.g., device 110, that is in proximity to the first electronic device (604). The first electronic device, e.g., resource 120, determines whether the second electronic device is within a threshold level of proximity based on signal strength of one or more signals received from the second electronic device over the wireless communication link. For example, the first electronic device can determine whether the signal strength satisfies a predetermined signal strength threshold, e.g., whether the signal strength is greater than a minimum amount. If the first electronic device determines that the threshold is satisfied, and thus that the minimum level of proximity is achieved, the process continues. If the first electronic device determines that the threshold is not satisfied, and thus the second electronic device is too far away, then the first electronic device does not continue the process and does not allow automatic access). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Koutenaei in view of Lynn in view of Malik to include monitoring a second proximity-based direct networking connection between a second primary device and a second secondary device, the second proximity-based direct networking connection established in association with the authentication of authenticating the second primary device as a MFA-authenticated second primary device to access a first application associated with the second primary device; determining, based at least in part on the monitoring, that a second proximity between the MFA-authenticated second primary device and the second secondary device exceeds the threshold proximity; sending, to the monitoring service, an indication that the second proximity exceeds the threshold proximity; receiving, from the monitoring service and based at least in part on the second proximity exceeding the threshold proximity, a second logout instruction to restrict the access to the first application while maintaining the access to a second application associated with the MFA-authenticated second primary device; and based at least in part on the second logout instruction, causing a logout event for the first application, using the known method of allowing multiple users to set up associations between resources and devices so that proximity triggers automatic access, as taught by Xia, in combination with the MFA system of Koutenaei in view of Lynn in view of Malik, for the purpose of providing the user with more flexibility regarding proximity and when the system restricts the user’s access. Regarding claim 22, the claim is analyzed with respect to claim 21. Regarding claim 23, the claim is analyzed with respect to claim 21. Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Koutenaei in view of Lynn in view of Malik and further in view of Gladstone et al. (US 20130097318 A1). Regarding claim 15, Koutenaei in view of Lynn in view of Malik teaches the system of claim 9. Koutenaei in view of Lynn in view of Malik further teaches wherein the resource is a virtual private network (VPN)…and causing restriction of the access to the first portion of the resource for the MFA-authenticated primary device comprises restricting access to one or more data flows between the MFA-authenticated primary device and the VPN…, e.g., every time the two devices are in proximity of each other and the user takes (at 301) an action on his/her browsing device 10 that requires authentication or authorization (for instance, log into an application, online account, webpage, VPN, a computing device, the browsing device and the like) the browsing device 10 requests to start communicating with the authentication device 20 (Koutenaei-Para. 33); if the variation too large, then Trusted Authentication Provider 160 can fail to authenticate a session or terminate the current session through Access Policy Compliance Service 220, or change the access level of User 100, wherein for instance, having great certainty in the identity and compliance of User 100 can result in full access to an Application Provider 170, but lesser certainty can result in restricted access, while low certainty can result in authentication failure or session termination (Lynn-Para. 49); Access Policy Compliance Service 220 takes information from IDActivKey Comparison Service 210 and the updated trust score to make any needed changes to the existing access policy—such as to terminate or suspend an active session, or alter access levels (Lynn-Para. 50); Trusted Authentication Provider 160 can send new access policies in response to new information during a session (Lynn-Para. 45); this allows CMFA Device 120 to continually ensure that User 100 is authenticated, and if not, to terminate the session or change the access level of User 100 (Lynn-Para. 88). Koutenaei in view of Lynn in view of Malik does not explicitly teach wherein the resource is a virtual private network (VPN) headend and causing restriction of the access to the first portion of the resource for the MFA-authenticated primary device comprises restricting access to one or more data flows between the MFA-authenticated primary device and the VPN headend. Gladstone teaches wherein the resource is a virtual private network (VPN) headend, e.g., (Gladstone [0014] FIG. 1 also includes an enterprise environment 40, which can include an access point 32, a finance server 34, and a set of virtual private network (VPN) headends 36, 38, which have connections to Internet 30. In certain implementations, VPN headends 36 and 38 are consolidated into a single element). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify Koutenaei in view of Lynn in view of Malik to include wherein the resource is a virtual private network (VPN) headend and causing restriction of the access to the first portion of the resource for the MFA-authenticated primary device comprises restricting access to one or more data flows between the MFA-authenticated primary device and the VPN headend, using the known method of enabling a device to communicate with a VPN headend, as taught by Gladstone, in combination with the proximity authentication system of Koutenaei in view of Lynn in view of Malik, for the purpose of utilizing a VPN headend to maintain and manage the VPN tunnels, thereby enabling the VPN to be offloaded to a third party reducing costs and resources. Relevant Prior Art The prior art made of record and not relief upon is considered pertinent to applicant’s disclosure. Lu et al. (US 2023/0396418 A1)—Lu discloses the Continuous Access Evaluation Profile (CAEP) framework from the OpenID Foundation is an example publisher-subscriber framework (Para. 3), and allowing asynchronous communications between publishers and subscribers, using protocols such as CAEP, among participants about events associated with users without unnecessarily revealing user and/or publisher information to receiving parties (Para. 34). Parla et al. (US 2013/0091537 A1)—Parla discloses a technique that applies a network policy responsive to specified events, or triggers, to a networked device. If a specified event occurs, the network policy may restrict the device's access to the network. For example, if a user walks away from their networked device, such as a laptop, the device's network access changes. For example, depending upon the policy, network traffic may be blocked or otherwise restricted (Abstract). Khosravi et al. (US 2017/0289118 A1)—Khosravi discloses a mechanism to detect user proximity to a compute device using Bluetooth latency. User proximity or presence near a computer or other secured computing resource, is an important factor in determining whether the user should be authenticated to the computer (e.g., logged in or allowed to use different enterprise apps) in a Multi-factor Authentication (MFA) system. The systems and methods described here provide for detection of user proximity based on Bluetooth (BT) protocol latency (Para. 11). D’Souza et al. (US 20180241577 A1)—D’Souza discloses a layered spatial gap may use multiple means to ensure that a user is continuously within a threshold proximity to the access point and may log the user out if the user moves away from the access point for a defined period of time (Para. 83). Goyal et al. (US 2019/0320407 A1)—Goyal discloses the Wi-Fi link manager 902 is configured to terminate a BSS link with a second wireless communication device that is a client of the wireless communication device 900 responsive to a notification or instruction from the P2P communications module 908 indicating that the second wireless communication device is no longer within a proximity threshold of the wireless communication device 900 (Para. 85). Goss et al. (EP 3537322 A1) – Goss discloses that Bluetooth or NFC may be used in short-range communication in order to detect computing devices within a proximity of a mobile computing device [0016]. Sagui et al. (US 20190325035 A1) – Sagui discloses that a device may transmit a user identifier once a user is a certain proximity. In order to determine the proximity, a GPS sensor, or network interface to determine information related to the network connection may be utilized [0092]. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY DUFFIELD whose telephone number is (571)270-1643. The examiner can normally be reached Monday - Friday, 7:00 AM - 3:00 PM (ET). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at (571) 272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 11 June 2026 /Jeremy S Duffield/Primary Examiner, Art Unit 2498
Read full office action

Prosecution Timeline

Show 18 earlier events
Jan 23, 2026
Request for Continued Examination
Jan 29, 2026
Response after Non-Final Action
Feb 10, 2026
Non-Final Rejection mailed — §103
Apr 24, 2026
Interview Requested
May 05, 2026
Applicant Interview (Telephonic)
May 05, 2026
Examiner Interview Summary
May 11, 2026
Response Filed
Jun 16, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12666258
Access-Point Correlation for Fast Client Transitions
2y 0m to grant Granted Jun 23, 2026
Patent 12659335
FRAUD DETECTION METHOD, FRAUD DETECTION DEVICE, AND RECORDING MEDIUM
1y 8m to grant Granted Jun 16, 2026
Patent 12634701
PROXIMITY-BASED AND MULTI-TIME-BASED DEACTIVATION AND/OR ACTIVATION RELATED TO A TOKEN
4y 1m to grant Granted May 19, 2026
Patent 12615154
TECHNIQUES TO CONTROL APPLETS FOR CONTACTLESS CARDS
2y 0m to grant Granted Apr 28, 2026
Patent 12609833
SIGNING VIDEO FOR REDUCED BIT RATE
2y 5m to grant Granted Apr 21, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

7-8
Expected OA Rounds
49%
Grant Probability
99%
With Interview (+52.4%)
3y 9m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 445 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month