Ex Parte Chang et al
Patent Trial and Appeal Board, Aug 31, 2018
14161818 (P.T.A.B. Aug. 31, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/161,818
FILING DATE: 01/23/2014
FIRST NAMED INVENTOR: Matthew-Louis Chen Wen Chang
ATTORNEY DOCKET NO.: GB920130001US1
CONFIRMATION NO.: 1812
EXAMINER: AN, WAYNE
ART UNIT: 2498
MAIL DATE: 08/31/2018
DELIVERY MODE: PAPER

48916 7590 08/31/2018
Greg Goshorn, P.C.
9600 Escarpment Blvd.
Suite 745-9
AUSTIN, TX 78749

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte MATTHEW-LOUIS CHEN WEN CHANG, JOHN W. DUFFELL, SOPHIE D. GREEN, SAM MARLAND, JOE PAVITT, and STEPHEN D. PIPES

Appeal 2018-000244
Application 14/161,818
Technology Center 2400

Before ROBERT E. NAPPI, NORMAN H. BEAMER, and JASON M. REPKO, Administrative Patent Judges.

REPKO, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Appellants [1] appeal under 35 U.S.C. § 134(a) from the Examiner's rejection of claims 1-23. App. Br. 7. [2] We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

[1] Appellants identify the real party in interest as International Business Machines Corp. (IBM) of Armonk, New York. App. Br. 3.

[2] Throughout this opinion, we refer to the Final Rejection ("Final Act.") mailed September 30, 2016; the Appeal Brief ("App. Br.") filed March 27, 2017; the Examiner's Answer ("Ans.") mailed August 10, 2017; and the Reply Brief ("Reply Br.") filed October 6, 2017.

THE INVENTION

Appellants' invention relates to user authentication. Spec. ¶ 1. In particular, the Appellants' method provides access to available services using authentication levels. Id. ¶ 12. The method dynamically selects authentication levels using a monitored risk profile and a service's intrinsic authentication level. Id. A risk profile may comprise risk levels, and monitoring a risk profile may include collecting biometric, location, environmental, and user-device monitoring data. Id. ¶¶ 19-20. Therefore, if the monitored risk profile changes, the authentication also changes. Id. ¶ 13. According to Appellants, this makes the method more robust to identity fraud. Id.

Claim 1 is reproduced below with our emphasis:

1. A method for providing a user access to a computer system comprising a plurality of services and a plurality of authentication levels, the method comprising:

modifying, while a user is accessing the plurality of services, a risk profile of a user based upon user-relevant data;

signaling the computing system in response to a change in the risk profile;

dynamically selecting a corresponding authentication level of the plurality of authentication levels for each of said services based on said monitored risk profile in response to the signaling; and

determining, upon requesting by said user access to a particular service of the plurality of services, a current dynamically selected corresponding authentication level for the particular service is higher than an authentication level for said user; and

in response to the determining, sending a further authentication request to the user requesting the user to provide authentication information corresponding to at least the current dynamically selected corresponding authentication level.

THE EVIDENCE

The Examiner relies on the following as evidence:

Song et al. | US 2011/0314558 A1 | Dec. 22, 2011
McMurtry et al. | US 8,656,472 B2 | Feb. 18, 2014
Gordon et al. | US 2014/0123257 A1 | May 1, 2014

THE REJECTIONS

Claims 1-6, 8-13, 15-19, and 21-23 stand rejected under 35 U.S.C. § 103(a) as unpatentable over Song and McMurty. Final Act. 4-10.

Claims 7, 14, and 20 stand rejected under 35 U.S.C. § 103(a) as unpatentable over Song, McMurty, and Gordon. Final Act. 10-11.

THE OBVIOUSNESS REJECTION OVER SONG AND MCMURTY

The Examiner's Findings

The Examiner finds that Song teaches every limitation recited in claims 1, 8, and 15 except for a corresponding authentication level for the recited services. Final Act. 4-7, 9. In concluding that claims 1, 8, and 15 would have been obvious, the Examiner cites McMurty as teaching this feature. Id. at 6, 9.

Regarding the limitation "modifying, while a user is accessing the plurality of services," the Examiner finds that Song's option to immediately terminate user access means that the user is currently accessing the document. Ans. 3-4 (citing Song ¶ 18). The Examiner also finds that Song teaches that the context-analysis engine continuously monitors changes to context data. Final Act. 5 (citing Song ¶ 30).

Regarding the limitations to the recited authentication levels, the Examiner finds that McMurty teaches authentication types depending on the type of access requests. Final Act. 6 (citing McMurty 3:52-57). According to the Examiner, McMurty teaches that high-risk operations require high authentication levels and other requests require low authentication levels. Final Act. 6 (citing McMurty 9:6-17). The Examiner concludes that it would have been obvious to apply McMurty's teachings to Song to arrive at the recited authentication levels. Final Act. 6-7.

Appellants' Contentions

Appellants argue that Song teaches authentication when access is requested, not during access as required by claims 1, 8, and 15. App. Br. 8-9; Reply Br. 2. According to Appellants, Song's paragraph 18 describes subsequent requests instead of continued access. App. Br. 9 (citing Song ¶¶ 17-18).
In Appellants' view, Song's discussion of the "User's current location," "time spent," and a "video feed ... indicating whether a user is present" do not require current access. App. Br. 9. Furthermore, Appellants contend that Song's requests for subsequent services do not suggest authentication while providing that service. Reply Br. 2.

Appellants further argue that McMurty's authentication levels are associated with operations, instead of users as recited. App. Br. 10; Reply Br. 2. According to Appellants, the recited risk profile must be "of a user authenticated on said computer system." App. Br. 10 (emphasis removed). Appellants further contend that McMurty receives a request from a client but does not send an authentication request to a client, as recited. Id.

Issues

Appellants' arguments for independent claim 1 (see App. Br. 8-10; Reply Br. 2) present us with the following issues:

Under § 103, has the Examiner erred in rejecting independent claims 1, 8, and 15 by finding that Song and McMurty would have collectively taught or suggested:

I. modifying, while a user is accessing the plurality of services, a risk profile of a user based upon user-relevant data;

II. selecting an authentication level based upon the user's risk profile; and

III. sending a further authentication request to the user?

Analysis

I

Claim 1 recites, in part, "modifying, while a user is accessing the plurality of services, a risk profile of a user based upon user-relevant data; signaling the computing system in response to a change in the risk profile" (emphasis added). Claims 8 and 15 do not recite modifying a risk profile or signaling in response to a change to the profile.

We are unpersuaded by Appellants' argument that Song teaches authentication when access is requested, not during access as required by claims 1, 8, and 15. App. Br. 8-9; Reply Br. 2. In particular, Song teaches authentication system 100 periodically authenticates user 102.
Song ¶ 17. For example, user 102 may initially request access to electronic document 104. Id. In response, authentication module 106 determines whether user 102 should be permitted to access document 104. Id. Later, user 102 may again request access to document 104. Id. According to Song,

Authentication module 106 may determine whether to continue the access of user 102 without further authentication, reauthenticate user 102 using the same authentication mechanism used during the initial authentication, require user 102 to authenticate using a different authentication mechanism, or immediately terminate the access of user 102 with no further authentication allowed.

Id. ¶ 18 (emphasis added) (formatting removed).

Appellants have not explained, persuasively, how Song could terminate the user's access without the user actively accessing the document. See App. Br. 8-9; Reply Br. 2. Instead, we agree with the Examiner that Song's use of the terms "continue" and "terminate" access at least suggest that the user is accessing the document when authentication module 106 makes this determination. Ans. 3-4 (citing Song ¶ 18).

The Examiner's findings in this regard are further supported by Song's discussion of continuous monitoring. Song ¶ 30, cited in Final Act. 5. In particular, Song teaches a context report, which includes one or more indicators of user 102's risk level. Song ¶ 28. Song's modules generate this report and communicate it to the authentication module. Id. Song states that "context analysis engine 108 may not wait for user 102 to request access to electronic document 104 before examining the context of user 102 and authentication module 106 making an authentication decision for user 102." Id. ¶ 30 (emphasis added).
In the Examiner-cited embodiment, Song's "context analysis engine 108 may continuously monitor user 102 for changes in context data and authentication module 106 may pre-emptively terminate access of user 102." Id. (emphasis added).

That is, Song's description of continuous monitoring and pre-emptively terminating access teaches or suggests the relevant authentication operations are performed during user access. See id. Song's disclosure that context engine 108 may not wait for a user request (id.) undermines Appellants' argument that Song teaches authentication only when access is requested (App. Br. 8-9; Reply Br. 2). Rather, we agree with the Examiner that Song actively analyzes the user's context data. Ans. 3.

On the weight of this evidence, we are unpersuaded that the Examiner erred in finding that Song teaches or suggests the relevant authentication operations occur while the user is accessing the document in the rejections of claims 1, 8, and 15. See Final Act. 4, 9.

Notably, independent claims 8 and 15 do not recite modifying a risk profile or signaling in response to a change to the profile. For this additional reason, Appellants' argument (App. Br. 8-9; Reply Br. 2) is unpersuasive.

II

Claim 1 further recites, in part, "a risk profile of a user" and "dynamically selecting a corresponding authentication level of the plurality of authentication levels for each of said services based on said monitored risk profile in response to the signaling." Claims 8 and 15 recite similar limitations.

Notably, the Examiner relies on the combination of Song and McMurty to address this limitation. Final Act. 4-7, 9. Yet Appellants' arguments about this limitation are unpersuasive because they are directed to McMurty alone. App. Br. 10; Reply Br. 2.

Specifically, the Examiner finds that Song teaches a risk profile of a user. Final Act. 4-5.
The Examiner then finds that Song lacks but McMurty teaches authentication types depending on the type of access requests. Id. at 6 (citing McMurty 3:52-57). That is, the Examiner relies on McMurty for the limited purpose of teaching authentication levels for the services. See Final Act. 6.

On this point, we agree. For example, McMurty teaches that high to moderate risk operations (e.g., deleting a protected resource's information) have different authentication levels than retrieving information from a protected resource. McMurty 9:6-17, cited in Final Act. 6. McMurty also discloses that web-service resources are evaluated based on the request type. McMurty, Abstract, cited in Ans. 8.

The Examiner concludes that it would have been obvious to apply McMurty's authentication levels to Song to arrive at the claimed invention to increase security. Final Act. 6-7. The Examiner supports this conclusion by explaining that the proposed combination would prevent an already authenticated user from accessing elevated privilege levels. Id. (citing McMurty col. 1).

Further, we are unpersuaded that McMurty's authentication levels are associated with operations, instead of users as recited. App. Br. 10; Reply Br. 2. McMurty teaches a request made to protected resources where the protected resource can be a private email group, protected website, protected method, protected procedure, protected operation, or other function that should be limited to specific users. McMurty 3:52-57, cited in Final Act. 6; see also McMurty 3:57-63; Ans. 8. In at least this way, McMurty's authentication levels are associated with users. See Ans. 8 (discussing user operations).
On the weight of this evidence, we are unpersuaded that the Examiner erred in finding that Song and McMurty collectively teach "a risk profile of a user" and "dynamically selecting a corresponding authentication level of the plurality of authentication levels for each of said services based on said monitored risk profile in response to the signaling," and similar limitations in claims 8 and 15.

III

Claim 1 further recites, in part, "in response to the determining, sending a further authentication request to the user" (emphasis added). Claims 8 and 15 recite similar limitations.

Although Appellants argue that McMurty teaches receiving a request from a client, not sending an authentication request to a client (App. Br. 10), the Examiner does not rely on McMurty to teach this limitation in the proposed combination (Ans. 9). Rather, the Examiner finds that Song teaches this limitation. Final Act. 6 (citing Song ¶ 40). In particular, Song teaches sending a request to the user when reauthenticating with a more secure mechanism, such as biometrics. Song ¶ 40. Appellants do not squarely address, let alone persuasively rebut, the Examiner's finding in this regard. See App. Br. 10.

Accordingly, we sustain the Examiner's rejection of independent claims 1, 8, and 15. We also sustain the Examiner's rejection of claims 2-6, 9-13, 16-19, and 21-23, which are not separately argued with particularity. See App. Br. 11 (explaining that these claims are patentable for the same reasons as claims 1, 8, and 15).

THE OBVIOUSNESS REJECTIONS OVER SONG, MCMURTY, AND GORDON

Claims 7, 14, and 20 depend from claims 1, 8, and 15, respectively. Claim 7 recites, in part, "adjusting the risk profile of the user upon said user providing incorrect authentication information." Claims 14 and 20 recite similar limitations.

The Examiner finds that McMurty and Song do not teach or suggest this feature but Gordon does. Final Act. 11.
In particular, the Examiner finds that Gordon throttles a user account when the user repeatedly enters incorrect credentials. Id. (citing Gordon ¶ 26).

Appellants argue that Gordon does not mention a risk profile, only that a user account is throttled. App. Br. 12 (citing Gordon ¶ 26). In Appellants' view, the Examiner mistakes throttling an account for adjusting a risk profile. App. Br. 12.

We disagree. First, Appellants' argument is unpersuasive because it does not address the Examiner's reliance on the collective teachings of Song, McMurty, and Gordon. See Final Act. 10-11. As discussed above, the Examiner also relies on Song to teach the recited risk profile. Id. at 4-5.

Second, Gordon teaches state information that indicates throttling has occurred. Gordon ¶ 26, cited in Final Act. 11. Specifically, Gordon's state information indicates that the cause of the throttling was the user repeatedly entering incorrect credentials or some other action. Gordon ¶ 26. That is, like the recited risk profile and Song's data, Gordon collects and uses information about the user as part of the authentication process. Compare id., with Spec. ¶¶ 19-20 (describing a "risk profile" and "user-relevant data").

On the weight of this evidence, we are unpersuaded that the Examiner erred in rejecting claims 7, 14, and 20.

DECISION

We affirm the Examiner's rejection of claims 1-23.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv). See 37 C.F.R. § 41.50(f).

AFFIRMED