PHANTOM TECHNOLOGIES, INC.Download PDFPatent Trials and Appeals BoardMay 4, 20202018006387 (P.T.A.B. May. 4, 2020) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 13/857,714 04/05/2013 Paul Michael Martini 38097-0014001 8330 20985 7590 05/04/2020 FISH & RICHARDSON P.C. (SD) P.O. BOX 1022 MINNEAPOLIS, MN 55440-1022 EXAMINER POPHAM, JEFFREY D ART UNIT PAPER NUMBER 2432 NOTIFICATION DATE DELIVERY MODE 05/04/2020 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): PATDOCTC@fr.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte PAUL MICHAEL MARTINI Appeal 2018-006387 Application 13/857,714 Technology Center 2400 Before JEREMY J. CURCURI, AARON W. MOORE, and RUSSELL E. CASS, Administrative Patent Judges. CASS, Administrative Patent Judge. DECISION ON APPEAL Pursuant to 35 U.S.C. § 134(a), Appellant1 appeals from the Examiner’s decision to reject claims 1–9 and 31. Appeal Br. 4, 11–13.2 Claims 10–30 have been cancelled. Id. at 13. An oral hearing was held on February 7, 2020. We have jurisdiction under 35 U.S.C. § 6(b). We affirm. 1 We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as iboss, Inc. Appeal Brief filed July 18, 2017 (“Appeal Br.”) 1. 2 Throughout this Opinion, we refer to the above-noted Appeal Brief, as well as the following documents for their respective details: the Non-Final Action mailed February 21, 2017 (“Non-Final Act.”); and the Examiner’s Answer mailed April 6, 2018 (“Ans.”). Appeal 2018-006387 Application 13/857,714 2 I. BACKGROUND The present invention relates to methods and systems for providing device-specific authentication. Spec., Abstr. As background, Appellant’s Specification explains that users may be required to authenticate to a proxy server prior to accessing the Internet, for example, using Hyper-Text Transfer Protocol (HTTP) and Basic Authentication (Basic Auth.). Spec. ¶ 2. In such a system, a client may send its username and password in unencrypted plaintext to a server, which authenticates the client and subsequently allows the client access to the Internet. Id. However, using this system, an attacker can monitor network packets to obtain the client’s username and password, potentially compromising the security of the network. Id. The Specification describes a system in accordance with the invention that generates device-specific credentials, associates the device-specific credentials with a device, and authenticates the device based on the device- specific credentials. Id. ¶ 3. The system may then authenticate a user of the device based on user-specific credentials that are different than the device- specific credentials. Id. The Specification further explains that many network owners have adopted a Bring Your Own Device (BYOD) approach allowing users to access internal networks using their own personal devices, in addition to using shared devices provided by the network owner. Id. ¶ 14. In such a system, different Internet policies can be applied to the different categories of devices. Id. For example, a policy for a shared device may require that a user be logged out after a certain amount of time to allow other users access to the shared device, while a single user device may not require such a policy. Id. Appeal 2018-006387 Application 13/857,714 3 Claim 1 is illustrative of the claims at issue: 1. A method performed by one or more data processing apparatuses, the method comprising: generating, by the one or more data processing apparatuses connected to a first network, device-specific credentials, wherein the device-specific credentials are configured to be used more than one time by an associated device; associating, by the one or more data processing apparatuses connected to the first network, the generated device-specific credentials with a device, including providing the generated device-specific credentials to the device over a network as part of a configuration of the device’s network settings, wherein the generated device- specific credentials have not been previously provided to the device; associating, by the one or more data processing apparatuses connected to the first network, a particular user of the device with user-specific credentials separate from and different than the device-specific credentials; after generating the device-specific credentials, associating the device-specific credentials with the device, and associating the particular user with the user- specific credentials, authenticating, by the one or more data processing apparatuses connected to the first network, the device based on the device-specific credentials, wherein the authentication occurs within the first network; after authenticating the device: permitting the device to access a second network different than the first network; and authenticating, by a data processing apparatus connected to the second network, the particular user of the device based on the user-specific credentials; and Appeal 2018-006387 Application 13/857,714 4 applying one or more usage policies to the device based both on the device-specific credentials and on the user- specific credentials. Appeal Br. 11–12 (Claims App.). II. THE EXAMINER’S REJECTIONS The prior art relied upon by the Examiner is set forth in the following table: Name Reference Date Reed US 2005/0154785 A1 July 14, 2005 Chen US 2006/0225130 A1 Oct. 5, 2006 Schmelzer US 2012/0215328 A1 Aug. 23, 2012 Grajek US 2014/0082715 A1 Mar. 20, 2014 Hitchcock US 9,282,098 B1 Mar. 8, 2016 Non-Final Act. 21–29. In the Non-Final Office Action, the Examiner rejected independent claim 1 and dependent claims 4, 6, and 7 as being anticipated by Grajek. Id. at 21. The Examiner also rejected remaining claims 2, 3, 5, 8, 9, and 31, which depend from claim 1, as obvious over Grajek in view of Chen, Reed, Schmelzer, or Hitchcock. Id. at 25–29. Appellant disputes the anticipation rejection of claim 1, and does not separately argue the patentability of the dependent claims. Appeal Br. 4–10. III. ANALYSIS A. “Associating . . . a particular user of the device with user-specific credentials separate from and different than the device-specific credentials” Appellant argues that Grajek does not disclose the limitation of claim 1 requiring “associating, by the one or more data processing apparatuses connected to the first network, a particular user of the device with user- Appeal 2018-006387 Application 13/857,714 5 specific credentials separate from and different than the device-specific credentials” used to authenticate the device. Appeal Br. 6. We disagree. The portions of Grajek cited by the Examiner disclose “a single sign-on process in which mobile applications authenticate through interactions with a browser that runs on the mobile device, and through the use of a persistent token or credential stored on the browser.” Grajek ¶ 23, cited in Non-Final Act. 21. Using this system, “native mobile applications (‘client apps’) without integrated web browsers . . . leverage web or non-web single sign-on technology to perform authentication and authorization for a single identity.” Id. Grajek discloses that, when the client app on the mobile device contacts an authentication server, “such a server may negotiate the method of authentication which can involve the browser sending a user’s or mobile device’s credentials to the server” for authentication. Id. ¶ 27 (emphasis added), cited in Non-Final Act. 21–22; Ans. 22. Grajek further discloses that, after verification, the server may send a persistent identity token or credential back to the browser which “can be presented to the authentication server to verify a previous authentication by the user or mobile device.” Id. ¶ 28 (emphasis added), cited in Non-Final Act. 21–22; Ans. 22. We agree with the Examiner that the “mobile device’s credentials” disclosed in Grajek are “device-specific credentials,” and that Grajek therefore discloses “associating . . . device-specific credentials with a device,” as recited in claim 1. See Final Act. 21–22; Ans. 22. Appellant argues that Grajek “nowhere mentions that the persistent token 605 includes device-specific credentials corresponding to the device being authenticated.” Appeal Br. 7 (emphasis omitted). We do not find this argument persuasive. The portions of Grajek cited above expressly state that the persistent identity token can be used to authenticate credentials of “a user Appeal 2018-006387 Application 13/857,714 6 or mobile device,” thereby teaching that the credentials can be “device- specific” and correspond to the device being authenticated. See Grajek ¶¶ 27–28. Additionally, Grajek discloses the use of “[a]nother identity token” which “is a client app identity,” and that “[s]uch a client app identity may comprise a user’s identity.” Grajek ¶ 29, cited in Non-Final Act. 21–22. Grajek discloses that the system may use this “client app identity” to “determine if the client app’s user may access the services provide via authorization based on the enterprise data store or other on-premise or off premise resource.” Id. Thus, “[a]fter a successful authentication process, the authentication appliance 102 may create two tokens: a browser- accessible token (persistent, or session based, or both a persistent token and a session based token) 605 and a client app identity 607.” Id. ¶ 67. We find that this disclosure teaches “associating . . . a particular user of the device with user-specific credentials separate from and different than the device- specific credentials,” as recited in claim 1. We find, therefore, that this limitation is disclosed by Grajek. B. “Applying one or more usage policies to the device based both on the device-specific credentials and on the user-specific credentials” Appellant next argues that Grajek fails to disclose “[a]pplying one or more usage policies to the device based both on the device-specific credentials and on the user-specific credentials,” as recited in claim 1. Non- Final Act. 7. We disagree. Grajek discloses that “the authentication appliance may determine whether a user’s profile received from the identity database contains data indicating that the user is a member of a specific group authorized to user a service that the client app is attempting to access.” Grajek ¶ 66 Appeal 2018-006387 Application 13/857,714 7 (emphasis added). Grajek further discloses that “the authentication appliance may request from a different server or database than the identity database whether a specific user or mobile device 110a has access.” Id. (emphasis added). Additionally, Grajek states that: [T]he authentication appliance can accept the browser-based persistent token, translate that token into an identity already authenticated with the authentication appliance, and then check a policy or configuration that may trigger a step-up or stronger authentication of any type that is specified by the authentication appliance 102 or identity database 104n. Id.3 We find that Grajek’s above disclosures of allowing access to particular resources, applications, or services based on credentials qualify as “usage policies” as recited in claim 1. We further determine that the above- cited portions of Grajek disclose that these “usage policies” can be based on the device-specific credentials (the information on whether the mobile 3 See also Grajek ¶¶ 29 (based on authentication, the user “may access the services provided via authorization based on the enterprise data store or other on-premise or off premise resource”), 46 (explaining that the authentication appliance “allows users and/or devices to authenticate prior to gaining access to network servers, such as those provided by enterprise service serves 103a to 103n”), 56 (based on authentication, system can “enable users to access multiple webservers and/or mobile apps with a single-sign-on”), 79 (based on credentials, system may allow access to “any local feature or network service that accepts/uses the client app identity”), 86 (authentication appliance may “determin[e] whether a user’s authentication rights or authentication for a particular application has been revoked” by “consulting revocation related user[’]s attributes within an identity database 104n, such as a max credential count or credential validity start and end times”), 90 (authentication appliance may determine that “multiple types of authentication” are required to access certain applications “depending on configuration of policies on the authentication appliance 102, or in consultation with the identity database’s 104n configuration or policies”). Appeal 2018-006387 Application 13/857,714 8 device 110a has access) and user-specific credentials (the user’s profile), as required by claim 1. We also agree with the Examiner that the broadest reasonable interpretation of the term “usage policy” covers: [L]ogging in the user and allowing access to a resource, requiring logout through a set policy, performing authorization for particular resources, globally logging the user out of all resources . . . , all of which are based on the identity, authentication, and/or authorization of each of the device credentials and user credentials, since resource access is only granted based on both credentials. Non-Final Act. 23–24; Ans. 23. We agree with and adopt as our own the Examiner’s finding that Grajek discloses this limitation of claim 1. C. Appellant’s argument that the Examiner’s rejection mixes together multiple embodiments of Grajek Appellant next argues that the Examiner’s rejection improperly “mixes together multiple different embodiments disclosed in Grajek.” Appeal Br. 8. In support of this argument, Appellant argues that “the term embodiment’ appears 26 times” in the paragraphs of Grajek cited by the Examiner, and that these paragraphs span at least five different example implementations, including a “‘Client App Authentication Example’ at [0052]-[0080]; ‘Client App Re-Authentication Example’ at [0081]-[0087]; ‘Second Client App Authentication Example’ at [0088]-[0095]; ‘Second Client App Re-Authentication Example’ at [0096]-[0099]; and ‘Other Client Application Flowcharts’ at [0100]-[0105].” Appeal Br. 8–9. We do not agree that these portions of Grajek are separate and distinct embodiments rather than features that can be selectively incorporated into a single embodiment. For example, the “Client App Authentication Example” at paragraphs 52–82 describes “interactions between a client app, authentication appliance 102, and identity database 104n to allow a client Appeal 2018-006387 Application 13/857,714 9 app 111a to authenticate and gain access to a desired service provided by an enterprise 103n,” and the “Client App Re-Authentication Example” describes an “authentication process that may take place after client app 111a has previously authenticated and received a client app identity for the desired network-based application service from the authentication appliance.” Grajek ¶¶ 52, 82. We find that these features may be used in the same embodiment. The same is true of the “Second Client App Authentication Example” and “Second Client App Re-Authentication Example,” which disclose authentication by a “second client app 112” which “may also seek to use the same or a different enterprise service server 103n as client app 111a.” Id. ¶¶ 88, 96. Appellant, therefore, has not persuaded us that the portions of Grajek relied on by the Examiner are separate and distinct embodiments rather than different features that can be combined into a single embodiment. D. “Providing device-specific credentials to the device over a network as part of a configuration of the device’s network settings.” Finally, Appellant argues that Grajek does not disclose “providing device-specific credentials to the device over a network as part of a configuration of the device’s network settings.” Appeal Br. 9 (emphasis omitted). “Instead,” Appellant argues, “Grajek specifies that ‘[w]hen the first client app uses the browser to authenticate, the browser stores a persistent token associated with that authentication,’” and “[a]uthentication of a browser is different than a ‘part of a configuration of [a] device’s network settings.” Id. at 10. For this limitation, the Examiner points to Grajek’s disclosure of “associating [the] persistent token and/or session token with [the] device, which is performed during a configuration of network settings of the device Appeal 2018-006387 Application 13/857,714 10 (e.g., initial logon/configuration of the device, setting[] up of the token itself being a configuration of device network settings, etc.), for example.” Non- Final Act. 21–22. We agree with the Examiner that Grajek discloses this limitation. At oral argument, Appellant’s counsel pointed to paragraph 18 of Appellant’s Specification as support for this limitation, which states that “proxy settings may include device-specific credentials associated with each device 130a-c” connected to the internal network 100, and that “[t]he devices 130a-c, in turn may use the device-specific credentials to authenticate to the proxy server.” Spec. ¶ 18, referenced in Oral Argument Transcript (“Tr.”) 21–22. Based on paragraph 18 of the Specification, we determine that device-specific credentials that are used for authentication to a network meet this claim limitation. Based on this understanding of the claim language, we agree with the Examiner that Grajek discloses this limitation. Grajek discloses “a persistent identity token or credential sent to the [user’s] browser, such as a browser cookie, to be stored by the browser on the mobile device,” and that “[t]his identity token can be presented to the authentication server to verify a previous authentication by the user or mobile device.” Grajek ¶¶ 27–28. As discussed previously, by stating that the token can be used to authenticate the “mobile device,” it provides “device-specific credentials.” See id. Therefore, Grajek discloses providing to the device the device-specific credentials that are used for authentication to a network, as the claim requires. We, therefore, sustain the Examiner’s anticipation rejection of claim 1, and of claims 4, 6, and 7, which are dependent on claim 1 and not Appeal 2018-006387 Application 13/857,714 11 separately argued. We also sustain the Examiner’s obviousness rejections of claims 2, 3, 5, 8, 9, and 31, for which Appellant does not present arguments. DECISION We affirm the Examiner’s rejection of claims 1–9 and 31. CONCLUSION In summary: Claims Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1, 4, 6, 7 102(a)(2) Grajek 1, 4, 6, 7 2, 3 103 Grajek, Chen 2, 3 5 103 Grajek, Reed 5 8, 9 103 Grajek, Schmelzer 8, 9 31 103 Grajek, Hitchcock 31 Overall Outcome 1–9, 31 TIME PERIOD FOR RESPONSE No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv). AFFIRMED Copy with citationCopy as parenthetical citation