Ex Parte Roth et al
Patent Trial and Appeal Board, May 30, 2019
15409120 - (D) (P.T.A.B. May. 30, 2019)

UNITED STATES PATENT AND TRADEMARK OFFICE

APPLICATION NO.: 15/409,120
FILING DATE: 01/18/2017
FIRST NAMED INVENTOR: Gregory B. Roth
ATTORNEY DOCKET NO.: 020346.039503
CONFIRMATION NO.: 5817
EXAMINER: GERGISO, TECHANE
ART UNIT: 2494
NOTIFICATION DATE: 06/03/2019
DELIVERY MODE: ELECTRONIC

131836 7590 06/03/2019
Hogan Lovells US LLP - Amazon
3 Embarcadero Center
Suite 1500
San Francisco, CA 94111

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte GREGORY B. ROTH, NICHOLAS ALEXANDER ALLEN, and CRISTIAN M. ILAC [1]

Appeal 2018-007660
Application 15/409,120
Technology Center 2400

Before JOHN A. EVANS, JAMES W. DEJMEK, and MICHAEL M. BARRY, Administrative Patent Judges.

BARRY, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from a Final Rejection of claims 1-20, which constitute all pending claims. See Final Act. 1 and Appeal Br. 12-17 (Claims App'x). We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

[1] Appellants identify Amazon Technologies, Inc. as the real party in interest. Appeal Br. 3.

Introduction

Appellants' invention relates to systems and methods for "managing security in an electronic environment." Spec. ¶ 11.
Disclosed embodiments provide for the automated variation of security credentials, which reduces unauthorized access to protected information using an older copy of the security credentials. Id. In one such embodiment, a security credential, such as a username and password, may be provided by a client device. Id. ¶ 14. Upon successful authentication, a session may be initialized and a session identifier along with a session token may be provided to the client device. Id. ¶ 15. When a subsequent request during the session is made by the client device, it may be determined whether to accept the request, for example, based on the age of the session or the period of time since the last request or operation was performed during the session. Spec. ¶¶ 11, 21, 34. If the age of the session or period of inactivity is allowable or acceptable, the request may be processed and the session token may be updated accordingly. Id. ¶¶ 34, 38.

Claims 1, 8, and 15 are independent, of which claim 1 is representative:

1.
A system, comprising:
  at least one processor; and
  memory storing instructions that, when executed by the at least one processor, cause the system to:
    receive, from a client, a first request seeking access to at least one resource using at least one security credential;
    authenticate the client based at least in part on the at least one security credential;
    send the client a session token, generated by the system, that includes a first value for a session initiated based in part on the authentication;
    receive, from the client, a second request along with the session token;
    determine a measure of acceptance based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer;
    process the second request based in part on the measure of acceptance; and
    send, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the measure of acceptance.

Appeal Br. 12 (Claims App'x).

Rejections and References

The Examiner rejected claims 1, 8, and 15 on the ground of nonstatutory double patenting over claims 1, 8, and 15 of U.S. Patent No. 9,571,488. Final Act. 3-8.

The Examiner rejected claims 1, 8, and 15 on the ground of nonstatutory double patenting over claims 1, 5, and 20 of U.S. Patent No. 9,203,818. Id. at 8-13.

The Examiner rejected claims 1, 3-8, 10-15, and 17-20 under 35 U.S.C. § 103 as unpatentable over Baca et al. (US 2014/0250490 A1; Sept. 4, 2014) ("Baca"), Pollutro et al. (US 2009/0328186 A1; Dec. 31, 2009) ("Pollutro"), and Radhakrishnan (US 2013/0047263 A1; Feb. 21, 2013). Id. at 13-18; see also Ans. 3-9.

The Examiner rejected claims 2, 9, and 16 under 35 U.S.C. § 103 as unpatentable over Baca, Pollutro, Radhakrishnan, and Brebner et al. (US 2004/0083394 A1; Apr. 29, 2004) ("Brebner").
Final Act. 19-20; see also Ans. 9.

Nonstatutory Double Patenting

Appellants do not contest the rejections of claims 1, 8, and 15 based on nonstatutory double patenting. See Appeal Br. 4 (Grounds of Rejection to be Reviewed on Appeal). Accordingly, we summarily sustain these rejections. 37 C.F.R. § 41.37(c)(1)(iv) (2017).

The § 103 Rejections

For the § 103 rejections, Appellants argue error in the rejection of claims 2-20 based on the arguments presented for claim 1, which therefore is representative of all claims for these rejections. Appeal Br. 9-10; 37 C.F.R. § 41.37(c)(1)(iv).

Appellants contend the Examiner's proposed combination of Baca, Pollutro, and Radhakrishnan is improper. Appeal Br. 5-10. In particular, Appellants argue "Baca teaches away from both pre-authentication by the user and also utilizing tokens generated by a private network." Id. at 8; Reply Br. 6-7. Appellants argue Baca's invention "addresses the problem of users remembering passwords and separate authentication information ... by having the client device generate tokens so that '[t]he user may not be required to remember an often changed password for accessing private network 104,'" whereas Radhakrishnan describes a user using a device "to provide authentication such as 'a user ID and/or a password.'" Appeal Br. 8-9; Reply Br. 7. Thus, according to Appellants, "Radhakrishnan describes authentication using precisely the methods Baca describes as being problematic, namely the security and inconvenience of transmitting user names or passwords." Appeal Br. 9; Reply Br. 7.

Appellants further argue "[t]he proposed combination of Baca, Pollutro, and Radhakrishnan changes the principle of operation of Baca and therefore is an improper combination under established judicial precedent." Appeal Br. 7. According to Appellants, the two references are "directed to different, incompatible principles of operation" (id.)
because Baca describes a method with a principle of operation "that reduces or limits manual user authentication and specifically identifies problems associated with manual user authentication" (id.; Reply Br. 6), whereas Radhakrishnan "describes a method ... with multiple manual authentication steps" (Appeal Br. 7).

The Examiner responds by pointing to Baca's various disclosures of manual authentication by the user of the client device. Ans. 4-5, 7-8. In particular, the Examiner points out that at the start of Baca's authentication process, "a user authenticates itself to the client device by providing a user credential," and that Baca teaches using manual user authentication "if the received [one time password ("OTP")] session does not exist at the authenticator (private network)." Id. at 4-5 (citing Baca ¶¶ 26, 35, 36). The Examiner explains that "Baca does not teach away from the proposed modification," but instead "[t]he proposed modification of Baca with the teaching of Radhakrishnan would only shift the token generation based on the user's device characteristics from the client device to the server system." Id. at 8.

Appellants reply that "Baca teaches away from both pre-authentication by the user and ... utilizing tokens generated by a private network" because "Baca makes it clear that such an approach is not a preferred method of utilizing the system." Reply Br. 7. Appellants contend that the "mere indication that Baca can also function within an environment where manual authentication is utilized does not change the fact that the proposed solution and preferred embodiments do not include manual authentication." Id.; see also id. at 6 ("merely because Baca describes a technique where an alternative manual authorization method is utilized does not mean that the primary purpose of Baca is not to eliminate such authorization methods").
Appellants additionally assert that in Baca, "there is no manual authentication described with respect to access to the private network 104, as contended in the Examiner's Answer. At most, authentication to the client device 102 is described." Id. at 4. Appellants also disagree with the Examiner's response that "'low levels or layers of authentication' describe manual log in" because "Baca explicitly describes using OTPs for second authentications." Id. (citing Ans. 4 (recasting (i.e., not quoting) the Examiner's response)).

Appellants' arguments are unpersuasive. The Federal Circuit has held "[a] reference may be said to teach away when a person of ordinary skill, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken by the applicant." In re Kahn, 441 F.3d 977, 990 (Fed. Cir. 2006) (quoting In re Gurley, 27 F.3d 551, 553 (Fed. Cir. 1994)). A teaching away requires a reference to actually criticize, discredit, or otherwise discourage the claimed solution. See In re Fulton, 391 F.3d 1195, 1201 (Fed. Cir. 2004).

Here, we note that Appellants' argument that the proposed combination of references would change the principle of operation or render one of the references unsuitable for its intended purpose is essentially another teaching away argument. [2] Tec Air, Inc. v. Denso Mfg. Michigan Inc., 192 F.3d 1353, 1360 (Fed. Cir. 1999) ("If when combined, the references 'would produce a seemingly inoperative device,' then they teach away from their combination.") (quoting In re Sponnoble, 405 F.2d 578, 587 (CCPA 1969); also citing In re Gordon, 733 F.2d 900, 902 (Fed. Cir. 1984) (where the court concluded that, essentially, "French teaches away from the board's proposed modification" because "if the French apparatus were turned upside down, it would be rendered inoperable for its intended purpose")).
Baca does not teach away from the proposed modification because it does not criticize, discredit, or otherwise discourage the use of manual user authentication or the concepts of pre-authentication by the user and utilizing tokens generated by a private network. Although Baca teaches the use of automated authentication procedures such as using OTPs, as the Examiner responds, and we agree, Baca also discloses that manual user authentication may be used in its process. Ans. 4-5 (citing Baca ¶¶ 26, 35, 36). Instead, Baca merely states a preference to automate at least part of the user authentication process using OTPs, which is insufficient to teach away from the claimed invention. See Meiresonne v. Google, Inc., 849 F.3d 1379, 1382 (Fed. Cir. 2017); see also DePuy Spine, Inc. v. Medtronic Sofamor Danek, Inc., 567 F.3d 1314, 1327 (Fed. Cir. 2009) ("A reference does not teach away ... if it merely expresses a general preference for an alternative invention."); Fulton, 391 F.3d at 1201 ("mere disclosure of alternative designs does not teach away").

[2] "If references taken in combination would produce a 'seemingly inoperative device,' ... such references teach away from the combination and thus cannot serve as predicates for a prima facie case of obviousness." McGinley v. Franklin Sports, Inc., 262 F.3d 1339, 1354 (Fed. Cir. 2001) (citation omitted); see also In re ICON Health & Fitness, Inc., 496 F.3d 1374, 1382 (Fed. Cir. 2007) ("a reference teaches away from a combination when using it in that combination would produce an inoperative result," but the obviousness analysis must account for "modifications that one skilled in the art would make to a device borrowed from the prior art").

We also agree with the Examiner that modifying Baca's client authentication tool such that the session token is generated by a system (as taught by Radhakrishnan), rather than a client device, would not change Baca's principle of operation.
Here, the Examiner relies on Baca for teaching the entirety of claim 1 except for "the updated session token including an updated first value," for which the Examiner cites Pollutro, and "the session token ... generated by the system," for which the Examiner cites Radhakrishnan. Final Act. 13-16 (citing Baca, Fig. 1 (items 102, 110, 112, 114), ¶¶ 12-14, 29-32, 38-40; Pollutro ¶¶ 6, 134-38, 189-94; Radhakrishnan, Fig. 1, ¶¶ 4, 78, 107, 124-27); see also Ans. 5-8 (additionally citing Baca ¶¶ 26, 35, 36; Radhakrishnan ¶¶ 105-106, 147, 150). As mentioned supra, "[t]he proposed modification of Baca with the teaching of Radhakrishnan would only shift the token generation based on the user's device characteristics from the client device to the server system." Ans. 8.

The disclosures of Baca and Radhakrishnan are not incompatible. As Appellants acknowledge, Baca and Radhakrishnan disclose embodiments that incorporate some level of manual user authentication during initial login. See Appeal Br. 7. The authentication steps in Radhakrishnan that Appellants assert are manual are not disclosed as being manual, because it is Radhakrishnan's TBAC module that automatically retrieves the extra authentication information (e.g., attributes associated with the user) from one or more repositories. See id. (citing Radhakrishnan ¶ 115); see also Radhakrishnan ¶ 298 (disclosing an embodiment in which extra authentication could be provided by biometric authentication using the device). Appellants do not direct us to a disclosure in Radhakrishnan that requires the extra authentication information to be entered manually by the user. Appellants do not persuade us of Examiner error in the determination that skilled artisans would have understood Baca's session authentication techniques can be compatible with Radhakrishnan's session authentication system. Compare, e.g., Baca, Fig.
2 (items 202, 208, 210), ¶ 35, with Radhakrishnan ¶¶ 115, 298; see Ans. 4-7. Thus, the Examiner's proposed modification of Baca with the teachings of Radhakrishnan would not change Baca's principle of operation. In addition, we note that Appellants provide no persuasive evidence to show that the proposed modification would have been "uniquely challenging or difficult for one of ordinary skill in the art." See Leapfrog Enters. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citing KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398, 419 (2007)).

Accordingly, we sustain the § 103 rejection of claim 1. In doing so, we adopt as our own the findings and reasoning of the Examiner as set forth in the final rejection and in the Answer. We also, accordingly, sustain the § 103 rejections of claims 2-20.

DECISION

We summarily affirm the rejections of claims 1, 8, and 15 on the ground of nonstatutory double patenting. We affirm the rejections of claims 1-20 under 35 U.S.C. § 103.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED