DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Request for Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/28/2021 has been entered.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Christopher King on 02/17/2021.
The application has been amended as follows: 
 1.	(Currently Amended) A computer-implemented method performed by an online system, comprising:

receiving, from an accessing user, a request to login to the account, the request including a value of the first credential type;
based at least in part on the value, determining that the request is likely unauthorized;
responsive to determining that the request is likely unauthorized:
determining that the accessing user must provide the second credential type before the first credential type in order to obtain access to the account;
requesting the second credential type from the accessing user; [[and]]
responsive to receiving the second credential type from the accessing user, requesting the first credential type from the accessing user; and
responsive to the first credential type and the second credential type being correct, allowing access to the account.
8.	(Canceled)
9.	(New) A non-transitory computer-readable storage medium storing instructions that when executed by a computer processor perform actions comprising:
determining, for an account of a user of an online system, that the user must provide a first credential type before a second credential type in order to obtain access to the account;

based at least in part on the value, determining that the request is likely unauthorized;
responsive to determining that the request is likely unauthorized:
determining that the accessing user must provide the second credential type before the first credential type in order to obtain access to the account;
requesting the second credential type from the accessing user;
responsive to receiving the second credential type from the accessing user, requesting the first credential type from the accessing user; and
responsive to the first credential type and the second credential type being correct, allowing access to the account.
10.	(New) The non-transitory computer-readable storage medium of claim 9, the instructions further comprising:
determining that requests from a second accessing user to login to an account of a second user of the online system are likely unauthorized; and
responsive to determining that the requests are likely unauthorized:
continuing to accept requests to login from the second accessing user, such that login to the account of the second is denied regardless of whether values of credentials provided in the requests are correct.
11.	(New) The non-transitory computer-readable storage medium of claim 9, the instructions further comprising:

responsive to determining that the requests are likely unauthorized:
logging information about the requests to login.
12.	(New) The non-transitory computer-readable storage medium of claim 11, wherein the information comprises one or more of IP addresses of the requests, time of the requests, frequency of the requests, and whether the request was submitted via an API or a graphical user interface, the computer-implemented method further comprising:
training a model by providing the information as feature input to a supervised machine learning algorithm, the model when applied to feature input of login requests indicating whether the login requests are likely unauthorized.
13.	(New) The non-transitory computer-readable storage medium of claim 11, wherein the information comprises credential values submitted along with the requests, the computer-implemented method further comprising:
identifying, as common credential values, ones of the credential values submitted with at least a threshold frequency; 
receiving a request from a user to change a credential value of the user to one of the identified common credential values; and
rejecting the request of the user to change the credential value of the user to the one of the identified common credential values.

identifying users to whose accounts login was requested using one of the identified common credential values;
determining, based on the identified users, properties defining a user group being attacked; and
implementing a defensive policy measure to accounts of users of the user group.
15.	(New) The non-transitory computer-readable storage medium of claim 14, wherein the defensive policy measure comprises altering, for the accounts, at least one of: a number of failed login requests permitted before account locking, and a time of automatic unlocking after account locking.
16.	(New) An online system comprising:
a computer processor; and
a non-transitory computer-readable storage medium storing instructions that when executed by a computer processor perform actions comprising:
determining, for an account of a user of the online system, that the user must provide a first credential type before a second credential type in order to obtain access to the account;
receiving, from an accessing user, a request to login to the account, the request including a value of the first credential type;
based at least in part on the value, determining that the request is likely unauthorized;

determining that the accessing user must provide the second credential type before the first credential type in order to obtain access to the account;
requesting the second credential type from the accessing user;
responsive to receiving the second credential type from the accessing user, requesting the first credential type from the accessing user; and
responsive to the first credential type and the second credential type being correct, allowing access to the account.
17.	(New) The online system of claim 16, the instructions further comprising:
determining that requests from a second accessing user to login to an account of a second user of the online system are likely unauthorized; and
responsive to determining that the requests are likely unauthorized:
continuing to accept requests to login from the second accessing user, such that login to the account of the second is denied regardless of whether values of credentials provided in the requests are correct.
18.	(New) The online system of claim 16, the instructions further comprising:
determining that requests from a second accessing user to login to an account of a second user of the online system are likely unauthorized; and
responsive to determining that the requests are likely unauthorized:
logging information about the requests to login.

training a model by providing the information as feature input to a supervised machine learning algorithm, the model when applied to feature input of login requests indicating whether the login requests are likely unauthorized.
20.	(New) The online system of claim 18, wherein the information comprises credential values submitted along with the requests, the computer-implemented method further comprising:
identifying, as common credential values, ones of the credential values submitted with at least a threshold frequency; 
receiving a request from a user to change a credential value of the user to one of the identified common credential values; and
rejecting the request of the user to change the credential value of the user to the one of the identified common credential values.
21.	(New) The online system of claim 20, the instructions further comprising:
identifying users to whose accounts login was requested using one of the identified common credential values;
determining, based on the identified users, properties defining a user group being attacked; and
implementing a defensive policy measure to accounts of users of the user group.
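The login flow recited in independent claims 1, 9 and 16, combined with the common-credential tracking of claims 13 and 20, can be sketched as follows. This is an illustration added here, not part of the Office action or the application; the class and method names, the in-memory stores, the threshold of 3, and the choice of "the submitted value is a common credential value" as the likely-unauthorized signal are all assumptions.

```python
import hashlib, hmac
from collections import Counter

COMMON_THRESHOLD = 3          # assumed threshold frequency (claims 13/20)
LOG_KEY = b"demo-only-key"    # constructed key: submitted values are logged as keyed digests

def tag(value):
    return hmac.new(LOG_KEY, value.encode(), hashlib.sha256).hexdigest()

class LoginService:
    def __init__(self, accounts):
        self.accounts = accounts  # user -> {"password": str, "otp": str}; constructed demo store
        self.seen = Counter()     # digest of each submitted first-credential value -> count
        self.sessions = {}        # session id -> pending login state

    def is_common(self, value):
        return self.seen[tag(value)] >= COMMON_THRESHOLD

    def begin(self, sid, user, password):
        """Login request carrying the first credential type; returns the type requested next."""
        self.seen[tag(password)] += 1
        if self.is_common(password):
            # Likely unauthorized: ignore the submitted value and reverse the order.
            state = {"user": user, "todo": ["otp", "password"], "ok": True}
        else:
            state = {"user": user, "todo": ["otp"], "ok": self._check(user, "password", password)}
        self.sessions[sid] = state
        return state["todo"][0]

    def submit(self, sid, ctype, value):
        """Returns the next credential type requested, or 'granted' / 'denied'."""
        state = self.sessions.pop(sid)
        if ctype != state["todo"].pop(0):
            return "denied"
        state["ok"] &= self._check(state["user"], ctype, value)
        if state["todo"]:
            self.sessions[sid] = state
            return state["todo"][0]   # no hint yet whether the previous value was right
        return "granted" if state["ok"] else "denied"

    def change_password(self, user, new_value):
        if self.is_common(new_value):  # value is being submitted frequently: reject the change
            return False
        self.accounts[user]["password"] = new_value
        return True

    def _check(self, user, ctype, value):
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(acct[ctype].encode(), value.encode())
```

In the reversed order the outcome is reported only after both credential types have been collected, so a wrong second credential is not revealed before the first is requested again.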
Response to Amendment
Claims 1-7 and 9-21 are pending. Claim 1 is currently amended.  Claim 8 is cancelled. Claims 9-21 are newly added.   
Applicant’s amendments to the claims will overcome each and every 112(a) and 103 rejection previously set forth in the Final Office Action mailed 12/05/2020.
Response to Arguments
Applicant's arguments, see pages 6-9, filed 01/28/2021, with respect to 112(a) and 103 rejections have been fully considered and are persuasive.  The 112(a) and 103 rejections of claims 1-8 have been withdrawn.

Allowable Subject Matter
Claims 1-7 and 9-21 are allowed.
Examiner’s Statement for Indicating Allowable Subject Matter
The following is an examiner's statement of reasons for allowance: After further search and consideration and applicant's remarks put forth in the Remarks of 01/28/2021 on pages 7-9, the prior art either taken alone or in combination neither anticipates nor renders obvious the claimed subject matter of the instant application. The prior art Popoveniue et al. (US Pub No. 2016/0173485) discloses a threshold value may be a number predefined by an administrator of provisioned computing resources environment 104 to determine whether the attempted user credentials that are being received are from a bona fide user that may be entering the user credentials incorrectly or by a malicious entity trying to guess the password to gain unauthorized access to provisioned computing resources environment 104. When a certain Popoveniue, page 4, paragraph 0032), Algie (US Patent No. 10,713,374) discloses an access anomaly of an access request is detected, and the access request is queued for processing in response. An anomaly detection indicator is issued to a plurality of other storage units. A secondary authentication process is initiated with the requestor, and a secondary authentication response from the requestor. The access request is processed when the secondary authentication response is favorable (Algie, Abstract), Canavor et al. (US Patent No. 8,904,506) discloses user account may be throttled to restrict access once aberrant behavior is detected. Upon receiving a request to access the user account, a determination of whether the user account is in a throttled state may be made. In some aspects, when the user account is not in a throttled state, user account access may be determined based at least in part on an access credential. 
Further, in some aspects, when the user account is in a throttled state, user account access may be determined based at least in part on an access credential and other client information associated with the user account (Canavor, Abstract), Ting et al. (US Pub No. 2007/0136792) discloses user authentication requests to computer systems are accelerated by selectively comparing user-provided biometric authentication credentials to a subset of credentials.  If the user-supplied credential is not recognized, an alternate form of authentication is requested.  Valid login events are used Ting, Abstract), Zheng (US Patent No. 8,286,227) discloses performing multi-factor authentication.  In one aspect, a method includes determining that the identity of a user has been successfully proven using a first of two or more authentication factors, allowing updates or requests for updates to be initiated after the identity of the user has been successfully proven using the first authentication factor, logging the updates or requests for updates that are initiated after the identity of the user has been successfully proven using the first authentication factor, determining that the identity of the user has not been successfully proven using a second of the two or more authentication factors, and reverting the updates, or discarding the requests for updates, based on determining that the identity of the user has not been successfully proven using the second authentication factor (Zheng, Abstract), Ballard et al. (US Patent No. 10,824,705) discloses changing a required authentication type based on a request for a particular type of information. For example, consider a situation where a user has asked a virtual assistant "who owns this device?" By default, the device may allow biometric authentication to unlock. 
In response to identification of the owner by the virtual assistant, however, the device may require one or more other types of authentication (e.g., manual entry of a passcode) to unlock the device. In various embodiments, the disclosed techniques may increase the security of the device by making it more difficult for malicious entities to obtain the sensitive information or to access device functionality once the sensitive information has been disclosed (Ballard, Abstract), and Mohamed (US Pub No. 2017/0244683) discloses accessing a user account by a user with a first password, and then changing the first password to a second password in response to a request from the user without compromising the second Mohamed, Abstract), however, the prior art taken alone or in combination fails to teach or suggest, “responsive to determining that the request is likely unauthorized: determining that the accessing user must provide the second credential type before the first credential type in order to obtain access to the account; requesting the second credential type from the accessing user; responsive to receiving the second credential type, requesting the first credential type and responsive to the first credential type and the second credential type being correct, allowing access to the account” (as recited in claims 1, 9 and 16). The claims are allowed in light of the above claim limitations when in combination with the remaining claim limitations. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAQUEAL D WADE whose telephone number is (571)270-0357.  The examiner can normally be reached on M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SHAQUEAL D WADE/Examiner, Art Unit 2437   

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437