Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-20 are pending.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/28/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Specification
The Specification has been reviewed and no informalities were found.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lynn et al. (US Pub No 2020/0322330) in view of Lee (US Pub No 2023/0065478).
With respect to claim 1, Lynn teaches a method comprising:
at an identity provider, upon receiving a request for authentication of a user to a target application that is hosted on a user device and into which the user has logged-in (e.g., receiving an authentication request and subsequently an identification credential (IDActivKey) request by the continuous multi-factor authentication (CMFA) device @ Fig. 3A-B; because the CMFA provides the IDActivKey, the CMFA teaches an identity provider ¶ 0027-0028):
identifying one or more biometric tests to be applied to the user to satisfy the request (e.g., the CMFA device collects biometric and behavior information from the user responsive to receiving the access requirements for specific Application Provider ¶ 0053, and a particular service or resource using a trusted authentication provider to authenticate a user can decide which factors should be used to identify and trust a user ¶ 0082);
selecting, [from a list of application services that have trust relationships with the identity provider], an application service which has an active session with the user and supports the one or more biometric tests (e.g., The identification credential, IDActivKey, used to authenticate User on Access Device is made of a pseudo-arbitrary sampling of biometric data (such as fingerprint data, retinal scan data, or facial recognition, for example) collected by CMFA Device ¶ 0060 and the process starts with the IDActivKey Generator ¶ 0071);
requesting the application service to perform multifactor authentication that includes the one or more biometric tests (e.g., the IDActivKey Generator 130 detects (600) biometric data from User 100 and receives (610) access requirements from a service, such as Application Provider 170. The biometric data can include fingerprint data, retinal scans, or facial scans. The access requirements can include specific biometrics, like fingerprints or retina scans, location requirements, trust score thresholds, or other requirements ¶ 0055, 0066 & 0071);
receiving, from the application service, biometric test results that indicate whether each of the one or more biometric tests passed or failed (e.g., continuously or periodically maintaining trust that User is still operating Access Device, so that the session can be maintained, by repeatedly generating the IDActivKey in accordance with the access policy ¶ 0057-0058); and
determining that the authentication has passed or failed based on the biometric test results (e.g., dynamically updating authentication status based on the biometric information received within the IDActivKey ¶ 0058-0059).
Lynn discloses the claimed subject matter as discussed above, including selecting the application service that is available, but does not explicitly disclose that the selecting is from a list of application services that have trust relationships with the identity provider. However, analogous art from the same field of endeavor, Lee, teaches this by determining whether the currently run application is an authentic application in an application launching operation (¶ 0118-0119), determining whether the application is registered (¶ 0137), and selecting only the registered and authenticated application (¶ 0126-0130).
Therefore, based on Lynn in view of Lee, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Lee to the system of Lynn in order to classify and store the reuse of biometric authentication information when storing biometric authentication in the application launching operation, thus maintaining security while reducing a fatigue level due to iterative authentication (¶ 0026). Hence, it would have been obvious to combine the references to obtain the invention as specified in the instant claim.
With respect to claim 2, Lynn further teaches wherein: determining that the authentication has passed or failed includes determining that the authentication has passed when the biometric test results indicate that each biometric test has passed; and the method further comprises: when the authentication has passed, sending an authentication token to the user device (e.g., credential is passed on to the requesting application upon successful authentication ¶ 0060-0064 and binding digital identity with the devices used to authenticate and connect to a service ¶ 0088).
With respect to claim 3, Lynn further teaches comprising: verifying that the identity provider has a trust relationship with the target application, wherein determining that the authentication has passed further includes determining that the authentication has passed when the application service and the target application have the trust relationship and the trust relationships with the identity provider and each biometric test has passed (e.g., utilizing the Trusted Authentication Provider ¶ 0035 and authentication request from Application providers ¶ 0117 and the IDActivKey is only generated upon successful verification ¶ 0070-0073).
With respect to claim 4, Lynn further teaches wherein: determining that the authentication has passed or failed includes determining that the authentication has failed when the biometric test results indicate that the one or more biometric tests have failed; and the method further comprises: when the authentication has failed, sending to the user device a device request to perform the multifactor authentication of the user that is to be satisfied through the user device (e.g., authentication failure when variation is too large ¶ 0049-0051 and requesting further authentication ¶ 0052-0056).
With respect to claim 5, Lynn further teaches wherein: receiving the request includes receiving the request to include a user identity of the user; and identifying the one or more biometric tests includes searching multifactor authentication user profiles that include mappings of biometric tests to user identities based on the user identity (e.g., receiving request at the CMFA device for an IDActivKey corresponding to Application Provider ¶ 0055 and the request include a user identity ¶ 0056-0060).
With respect to claim 6, Lynn further teaches wherein: identifying includes identifying, as the one or more biometric tests, facial recognition that includes capturing video of the user and comparing the video to a faceprint of the user, voice recognition that includes capturing voice of the user and comparing the voice to a voiceprint of the user, or fingerprint recognition that includes capturing a fingerprint reading from the user and comparing the fingerprint reading to a known fingerprint of the user; and requesting includes requesting the application service to perform the facial recognition, the voice recognition, or the fingerprint recognition (e.g., IDActivKey generation based on fingerprint data, retinal scan data, or facial recognition ¶ 0060 & 0066).
With respect to claim 7, Lynn further teaches wherein: the request includes a first timestamp; the biometric test results include a second timestamp; and the method further comprises: upon determining that the first timestamp and the second timestamp both fall within a predetermine time period, performing determining that the authentication has passed or failed (e.g., taking into account time of initial authentication and compared subsequent time check with Time 1 to Time 2 ¶ 0078-0081).
With respect to claim 8, Lynn further teaches comprising: upon determining that the first timestamp and the second timestamp do not both fall within the predetermine time period, not performing determining that the authentication has passed or failed (e.g., confidence level of trust factor based on Time 1 and Time 2 ¶ 0078-0081 and time of day ¶ 0088-0089).
With respect to claim 9, Lynn further teaches wherein: the biometric test results further include digital signatures appended by the application service (e.g., binding digital identity ¶ 0119).
With respect to claim 10, Lynn further teaches wherein: each biometric test result that indicates that a biometric test has passed further includes a confidence that the biometric test has passed; and determining that the authentication has passed or failed includes determining that the authentication has passed when each confidence exceeds a predetermined confidence threshold (e.g., evaluated assurance level of Trusted Platform Module ¶ 0041-00047).
With respect to claim 11, Lynn further teaches comprising, by the identity provider: establishing the trust relationships with the application service; and establishing a trust relationship with the target application (e.g., establishing Trusted Authentication Provider and Application Provider ¶ 0032-0038).
With respect to claim 12, Lynn further teaches wherein: the application service includes a collaboration service supported by a meeting server and an endpoint device that operates under control of the meeting server and supports the one or more biometric tests (e.g., obtaining biometric data ¶ 0060-0063 and obtaining an arbitrary number from Trust Platform Module to aid in the obtaining and testing of the user’s biometric data ¶ 0065-0066).
The limitations of claim 13 are substantially similar to claim 1 above, and therefore the claim is likewise rejected.
The limitations of claim 14 are substantially similar to claim 2 above, and therefore the claim is likewise rejected.
The limitations of claim 15 are substantially similar to claim 3 above, and therefore the claim is likewise rejected.
The limitations of claim 16 are substantially similar to claim 4 above, and therefore the claim is likewise rejected.
The limitations of claim 17 are substantially similar to claim 5 above, and therefore the claim is likewise rejected.
The limitations of claim 18 are substantially similar to claim 1 above, and therefore the claim is likewise rejected.
The limitations of claim 19 are substantially similar to claim 2 above, and therefore the claim is likewise rejected.
The limitations of claim 20 are substantially similar to claim 3 above, and therefore the claim is likewise rejected.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. In particular:
Gandhi et al. (US Pub No 2022/0321556) discloses relevant subject matter on user identity verification for network access; and
Schultz et al. (US Pub No 2014/0359722) discloses relevant subject matter on multi-sensor multi-factor identity verification.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAU LE whose telephone number is (571)270-7217. The examiner can normally be reached M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LINGLAN EDWARDS can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHAU LE/Primary Examiner, Art Unit 2408