DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are presented for examination.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1 and 14 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 16 of U.S. Patent No. 12,101,327. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the present application are anticipated by the claims of the ‘327 patent. See the chart below for comparison:
Application 18/821,277
U.S. Patent No. 12,101,327
1. A method of multifactor authentication incorporating user preferences and enterprise preferences, comprising: receiving by an identity service provider computer system a request from an enterprise computer system for authentication of a user to access a resource of the enterprise;
requesting by the identity service provider computer system, available authentication at a point of authentication for the user;
determining by the identity service provider computer system a selected set of authentication credentials to apply based on any combination of: context, the available authentication at the point of authentication, the user preferences, and the enterprise preferences;
requesting by the identity service provider computer system, the selected set of authentication credentials from the point of authentication for the user;
receiving by the identity service provider computer system, the requested selected set of authentication credentials from the point of authentication;
authenticating the user by the identity service provider computer system based on the received selected set of authentication credentials from the point of authentication;
providing the user authenticated identity for use by the enterprise to provide or deny access to the resources of the enterprise;
detecting problematic user behavior; and
denying access to the resources of the enterprise in response to detecting the problematic user behavior.
1. A method of multifactor authentication incorporating user preferences and enterprise preferences, comprising: receiving by an identity service provider computer system a request from an enterprise computer system for authentication of a user to access a resource of the enterprise;
requesting by the identity service provider computer system, available authentication at a point of authentication for the user;
determining by the identity service provider computer system a set of authentication credentials to apply based on any combination of: context, the available authentication at the point of authentication, the user preferences, and the enterprise preferences;
requesting by the identity service provider computer system, the set of authentication credentials from the point of authentication for the user;
receiving by the identity service provider computer system, the requested set of authentication credentials from the point of authentication;
authenticating the user by the identity service provider computer system based on the received set of authentication credentials from the point of authentication;
providing the user authenticated identity for use by the enterprise to provide or deny access to the resources of the enterprise; and
determining by the identity service provider computer system a combination of authentication methods to apply based on techniques available to a service at any given time, wherein selection of techniques is based on a canonical strength calculation to determine which set of available methods meets user and enterprise criteria.
14. A multifactor authentication system incorporating user preferences and enterprise preferences, comprising:
a point of authentication for a user, the point of authentication having available authentication credentials for the user;
an identity service provider computer system configured to receive a request from an enterprise computer system for authentication of the user to access a resource of the enterprise; and
a selected set of authentication credentials determined by the identity service provider computer system to apply based on a combination of at least two of:
a canonical authentication strength,
context, the available authentication credentials at the point of authentication, the user preferences, and the enterprise preferences;
wherein the identity service provider computer system receives the selected set of authentication credentials from the point of authentication to authenticate the user based on the authentication credentials received from the point of authentication;
wherein the identity service provider computer system approves the user for access to the resource of the enterprise after authenticating the user;
wherein the identity service provider computer system detects problematic user behavior, and denies access to the resources of the enterprise in response to detecting the problematic user behavior; and wherein location queries are based on affirmative/negative responses without exposing personal information to the enterprise.
16. A multifactor authentication system incorporating user preferences and enterprise preferences, comprising:
a point of authentication for a user, the point of authentication having available authentication credentials for the user;
an identity service provider computer system configured to receive a request from an enterprise computer system for authentication of the user to access a resource of the enterprise;
a set of authentication credentials determined by the identity service provider computer system to apply based on
a combination of
a canonical authentication strength calculation to determine which set of available methods meets user and enterprise criteria, and at least one of context, the available authentication credentials at the point of authentication, the user preferences, and the enterprise preferences;
wherein the identity service provider computer system receives the set of
authentication credentials from the point of authentication to authenticate the user based on the authentication credentials received from the point of authentication; and
wherein the identity service provider computer system approves the user for access to the resource of the enterprise after authenticating the user.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
As per claim 1:
Step 1: Statutory Category: Yes. Claim 1 is directed to a "method" (a process).
Step 2A: Abstract Idea: The core steps of claim elements of claim are: Receiving an authentication request. Checking what authentication methods are available. Choosing which credentials to require based on rules (context, user/enterprise preferences). Requesting and receiving those credentials. Authenticating the user and granting access. Watching for bad behavior and denying access if detected. The claims are directed to an abstract idea. Collecting data, analyzing it using rules, and outputting a result is an abstract idea. More specifically, the concept of verifying an identity to grant access based on a set of rules is considered a method of organizing human activity.
Step 2B: Inventive Concept: The claims recite generic technology: "Identity service provider computer system", "Enterprise computer system", "Point of authentication". These are well-understood, routine, and conventional components in the field of cybersecurity and IT. Simply saying "do this abstract idea on a computer system" or "over a network" does not overcome this step.
As per claims 13 and 14:
Step 1: Statutory Category: Yes. Claim 14 is directed to a "system" (a machine/apparatus).
Step 2A: The system is essentially directed to the same core concept as the previous method claim: authenticating a user based on a set of rules and conditions, controlling access, and maintaining privacy (without exposing personal information to the enterprise). Claim 14 introduces "canonical authentication strength" and a specific privacy function: "location queries are based on affirmative/negative responses without exposing personal information to the enterprise." The concept of keeping information private or only providing a "yes/no" answer is a human activity and commercial practice. Data collection, analysis, and rule-based access control, even with privacy element, is considered "methods of organizing human activity" or "mental processes," which are abstract ideas.
Step 2B: Generic Components: The "identity service provider computer system" and the "point of authentication" are recited at a high level of generality. They act as generic components to perform the abstract idea. The claim states that the system "determines," "authenticates," "approves," and "detects." This describes the result to be achieved, rather than the specific, non-conventional way the system achieves it. As per, "wherein location queries are based on affirmative/negative responses without exposing personal information." As currently drafted, this is still a statement of a desired result (data minimization/privacy). It does not recite the technical mechanism used to achieve that result. Without specifying how the system prevents the exposure of personal information. Therefore this element is considered generic computer functionality (such as, returning a yes/no value) applied to an abstract idea.
As per claims 2-5 & 15: Define "problematic behavior" as "geographic inconsistency" (e.g., logging in from an unknown or imprecise location). Recognizing that a user cannot physically be in two distant places at once is a human mental process/logic rule.
As per claims 6-7 & 16-17: Recite executing this during "routine security operations" and configuring a "SIEM" service. Using SIEM to alert on problematic patterns is conventional in cybersecurity.
As per claims 8-12 & 18-20: Introduce location-restricted services and mapping GUIDs to verified PII. These are administrative business rules and data organization steps, which are considered abstract.
Claim Interpretation
Examination of the claims under the current condition with respect to patentability or rejection under 35 USC 102/103 is not possible until the rejection under 35 USC 101 is resolved.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AUBREY H WYSZYNSKI/Primary Examiner, Art Unit 2434