DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification
The use of the trademarks WIFI [page 21], AMAZON, GOOGLE, MICROSOFT [page 19], VMWARE [page 20], and DELL [page 22] has been noted in this application.  They should be capitalized wherever they appear and be accompanied by the generic terminology. 
Although the use of trademarks is permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as trademarks.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 17-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter: Claims 17-20 are drawn to a “tangible machine-readable storage medium,” which could include a digital signal. The specification does not definitively describe what the computer-readable medium includes, so Claims 17-20 do not overcome the rejection under 35 U.S.C. 101.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of 
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. 
Claims 1, 3, 4, 7-12, 15 and 17 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1-3, 5-9, 12-13, and 17 of copending Application No. 16/264,897 and Claims 1, 3-4, 7, 13, and 18 of copending Application No. 16/264,925. Although the claims at issue are not identical, they are not patentably distinct from each other because aside from a few minor differences, these claims contain the same limitations and perform the same functions.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-4, 6, 10, 12, 14, 16-17, and 19-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Girdhar et al., (US 20190306153 A1) hereinafter referred to as Girdhar.
Regarding Claims 1, 12, and 17, Girdhar discloses A method, comprising: in response to a first authentication of a client by a server using a given shared secret, [paragraph 0034, the authentication server 112 may increment its counter each time a successful login occurs] 
updating, using at least one processing device of the client, the given shared secret to generate an updated shared secret [paragraph 0034, the mobile device 102, smart card 104, key fob 106, and authentication server 112 may obtain the current time from an internal or external clock and use arbitrary time intervals (e.g., a second, a minute, several minutes, etc.) to increment the seed value] 
and storing the updated shared secret with the server; [paragraph 0033, The keys of the mobile device 102, smart card 104, and key fob 106 may be long (e.g., 40) encoded in their respective hardware or software and must be shared with the authentication server 112. The seed values also are shared] 
and submitting the updated shared secret to the server as part of a second authentication of the client. [paragraph 0039, If the OTP generated by the client-side device (e.g., the mobile device 102, smart card 104, or key fob 106) falls outside of the authentication window but within the synchronization window, the user will be prompted to synchronize the seed key of the client-side device (e.g., the mobile device 102, smart card 104, or key fob 106) with the seed key of the authentication server 112, such as by providing two consecutive OTPs to ensure the user is actually in possession of the client-side device (e.g., the mobile device 102, smart card 104, or key fob 106)]
Regarding Claim 2, Girdhar discloses wherein the given shared secret is updated using information from the first authentication as part of a secret update protocol to generate the updated shared secret. [paragraph 0034, the mobile device 102, smart card 104, key fob 106, and authentication server 112 may obtain the current time from an internal or external clock and use arbitrary time intervals (e.g., a second, a minute, several minutes, etc.) to increment the seed value – the seed value is the information that is a part of the first authentication that is being updated]
Regarding Claim 3, Girdhar discloses wherein the information from the first authentication comprises one or more of a timestamp of the first authentication, a random value used in the first authentication, and a substantially unique value used in the first authentication. [paragraph 0034, the mobile device 102, smart card 104, key fob 106, and authentication server 112 may obtain the current time from an internal or external clock and use arbitrary time intervals (e.g., a second, a minute, several minutes, etc.) to increment the seed value]
Regarding Claim 4, Girdhar discloses wherein the given shared secret comprises one or more of a password, a cryptographic key, a cryptographic symmetric key, a personal identification number, and a shared secret seed used to derive one-time passcodes. [paragraph 0032, The function f is a cryptographic algorithm that creates a unique OTP using the key and seed value]
Regarding Claims 6, 14, and 19, Girdhar discloses wherein the server evaluates whether the client stores the updated shared secret with the server in connection with the first authentication and implements one or more predefined steps when the updated shared secret is not stored with the server. [paragraph 0033, The seed values generated by the mobile device 102, smart card 104, and key fob 106 therefore need to be synchronized with the seed values generated by the authentication server 112, which adds additional security to the authentication methodology – the synchronization compares the values from the device and the server to ensure that the value saved on the server is the same as the value saved on the device] [paragraph 0036, And when two devices are out of sync, their OTPs will not match, and access will be denied – if these values do not match, then the step taken is that access is denied]
Regarding Claims 10, 16, and 20, Girdhar discloses wherein the update comprises one or more of: (i) one or more of an exclusive OR (XOR) operation and a hash operation applied to the given shared secret and information from the first authentication; and (ii) the client randomly selecting the updated shared secret. [paragraph 0034, the mobile device 102, smart card 104, key fob 106, and authentication server 112 may obtain the current time from an internal or external clock and use arbitrary time intervals (e.g., a second, a minute, several minutes, etc.) to increment the seed value – this is the random selection of the updated secret]
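The following is an added illustration, not code from the present application or from Girdhar, of the window-based verification and two-OTP resynchronization described in the passages relied upon above for Claims 1, 12 and 17. It uses a counter-based OTP (HMAC-SHA1 with dynamic truncation) in place of Girdhar's time-interval seed increment; the shared key, the window sizes and all class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo key (not from the application or Girdhar); a deployment provisions a
# per-device key in hardware or software and shares it with the authentication server.
SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"


def otp(key: bytes, counter: int, digits: int = 8) -> str:
    """Counter-based OTP: HMAC-SHA1 over the counter with RFC 4226 dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpDevice:
    """Client-side token that increments its own counter every time it produces a code."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def next_otp(self) -> str:
        code = otp(self.key, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Server with a narrow authentication window and a wider synchronization window."""

    def __init__(self, key: bytes, auth_window: int = 3, sync_window: int = 20):
        self.key = key
        self.counter = 0          # next counter value the server expects from the device
        self.auth_window = auth_window
        self.sync_window = sync_window

    def _matches(self, counter: int, code: str) -> bool:
        return hmac.compare_digest(otp(self.key, counter), code)

    def verify(self, code: str) -> str:
        """'ok' inside the auth window, 'resync' inside the sync window, otherwise 'denied'."""
        for i in range(self.auth_window):
            if self._matches(self.counter + i, code):
                self.counter += i + 1    # move past the consumed counter value
                return "ok"
        for i in range(self.auth_window, self.sync_window):
            if self._matches(self.counter + i, code):
                return "resync"          # counter is not advanced until resync succeeds
        return "denied"

    def resync(self, first: str, second: str) -> bool:
        """Two consecutive codes inside the sync window prove possession and realign the counter."""
        for i in range(self.sync_window):
            if self._matches(self.counter + i, first) and self._matches(self.counter + i + 1, second):
                self.counter += i + 2
                return True
        return False


def demo() -> list:
    """Drift the token ahead of the server and walk through ok -> resync -> ok -> denied."""
    device, server = OtpDevice(SHARED_KEY), OtpServer(SHARED_KEY)
    results = [server.verify(device.next_otp())]             # in sync: "ok"
    for _ in range(10):
        device.next_otp()                                    # codes generated but never submitted
    results.append(server.verify(device.next_otp()))         # 10 ahead: "resync"
    results.append(server.resync(device.next_otp(), device.next_otp()))  # True
    results.append(server.verify(device.next_otp()))         # realigned: "ok"
    for _ in range(40):
        device.next_otp()                                    # far beyond the sync window
    results.append(server.verify(device.next_otp()))         # "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The server never advances its counter on a code that merely lands in the synchronization window; only a successful resync (two consecutive codes) or a code inside the authentication window moves it, so a single guessed code that happens to fall in the wider window cannot be used to drag the server's state forward.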

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 5, 13, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Girdhar, as applied to Claims 1, 12, and 17, respectively, above, in view of Brown et al., (US 20140298432 A1) hereinafter referred to as Brown.
Regarding Claims 5, 13, and 18, Girdhar does not explicitly teach wherein the updating is performed by one or more of a password vault and a browser extension.
Brown teaches wherein the updating is performed by one or more of a password vault and a browser extension. [paragraph 0049, a password vault may be programmed or instructed to update/change all or selected credentials (e.g., passwords) on a manual or periodic/scheduled basis. The vault would automatically connect to the corresponding systems (e.g., through interface logic on a trusted computing device, if necessary), update the passwords (e.g., through learned or programmed behavior), and store the new passwords (which may or may not be displayed for the user)] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Brown with the disclosure of Girdhar. The motivation or suggestion would have been “for protecting security credentials.” (Abstract)

Claims 7-8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Girdhar, as applied to Claims 1 and 12, respectively, above, in view of Chen et al., (US 20050239440 A1) hereinafter referred to as Chen.
Regarding Claims 7 and 15, Girdhar does not explicitly teach wherein an anomaly is detected when the client attempts the second authentication using a particular shared secret and the server determines that the particular shared secret was previously used for an authentication.
Chen teaches wherein an anomaly is detected when the client attempts the second authentication using a particular shared secret and the server determines that the particular shared secret was previously used for an authentication. [paragraph 0089, The service provider, detecting use of a previously used OTP entry, would challenge the user, and the user would fail to authenticate, so the existing OTP table would be disabled] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Chen with the disclosure of Girdhar. The motivation or suggestion would have been “to detect the fraud.” (Abstract)
Regarding Claim 8, Girdhar does not explicitly teach wherein, in response to the anomaly being detected, the server initiates a predefined recovery workflow.
Chen teaches wherein, in response to the anomaly being detected, the server initiates a predefined recovery workflow. [paragraph 0089, The service provider, detecting use of a previously used OTP entry, would challenge the user, and the user would fail to authenticate, so the existing OTP table would be disabled. On the next attempted use of the authentic device by the legitimate user, the process of FIG. 6 would be followed, during which the user would successfully respond to the challenge, followed by the authentic device being reconfigured to use a new, secure OTP table] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Chen with the disclosure of Girdhar. The motivation or suggestion would have been “to detect the fraud.” (Abstract)

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Girdhar in view of Chen, as applied to Claim 7, above, and further in view of Holland et al., (US 20130024947 A1) hereinafter referred to as Holland.
Regarding Claim 9, the combination of Girdhar and Chen does not explicitly teach wherein the server detects a breach of shared secrets of multiple users by monitoring a number of said detected anomalies across a user population.
Holland teaches wherein the server detects a breach of shared secrets of multiple users by monitoring a number of said detected anomalies across a user population. [paragraph 0025, The AC system 14 may also be configured to detect security breaches in which at least one shared secret stored therein has been obtained by an unauthorized user] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Holland with the disclosures of Girdhar and Chen. The motivation or suggestion would have been “for securely replacing shared secrets stored in computer systems over networks after discovering that a security breach might have occurred or has occurred.” (paragraph 0001)
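The following is an added illustration, not code from the present application or from Chen or Holland, of the secret update of Claims 1 and 10 (a hash or XOR of the given shared secret with information from the first authentication), the replayed-secret anomaly and recovery workflow of Claims 7 and 8 as mapped to Chen above, and the population-level anomaly count of Claim 9 as mapped to Holland above. A server-issued nonce stands in for the "information from the first authentication"; the user names, the threshold, the enrollment secrets and all class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def update_secret(secret: bytes, auth_info: bytes, method: str = "hash") -> bytes:
    """Derive the next shared secret from the current one and information from the
    authentication (here a server-issued nonce), either by hashing or by XOR."""
    if method == "hash":
        return hashlib.sha256(b"secret-update|" + secret + b"|" + auth_info).digest()
    if method == "xor":
        mask = hashlib.sha256(auth_info).digest()
        return bytes(a ^ b for a, b in zip(secret, mask))
    raise ValueError("unknown update method")


class AuthServer:
    def __init__(self, method: str = "hash"):
        self.method = method
        self.current = {}     # user -> current shared secret
        self.retired = {}     # user -> set of secrets already consumed (replay detection)
        self.anomalies = {}   # user -> number of replayed-secret anomalies observed
        self.recovery = []    # users for whom the recovery workflow was initiated

    def enroll(self, user: str, secret: bytes) -> None:
        self.current[user] = secret
        self.retired[user] = set()
        self.anomalies[user] = 0

    def authenticate(self, user: str, presented: bytes):
        """Returns (status, nonce); the nonce is the auth info the client must use to update."""
        if hmac.compare_digest(presented, self.current[user]):
            nonce = secrets.token_bytes(16)
            self.retired[user].add(self.current[user])
            self.current[user] = update_secret(self.current[user], nonce, self.method)
            return "ok", nonce
        if presented in self.retired[user]:
            # A secret that was already used and rolled forward is being presented again:
            # someone holds a copy of a past state of this credential.
            self.anomalies[user] += 1
            if user not in self.recovery:
                self.recovery.append(user)   # predefined recovery workflow starts here
            return "anomaly", None
        return "denied", None

    def population_breach(self, threshold: int) -> bool:
        """Flag a multi-user breach once replay anomalies across the population reach a threshold."""
        return sum(self.anomalies.values()) >= threshold


class Client:
    def __init__(self, user: str, secret: bytes):
        self.user = user
        self.secret = secret

    def login(self, server: AuthServer) -> str:
        status, nonce = server.authenticate(self.user, self.secret)
        if status == "ok":
            # The client rolls its copy forward with the same rule so both sides stay in step.
            self.secret = update_secret(self.secret, nonce, server.method)
        return status


def demo(method: str = "hash", threshold: int = 2) -> dict:
    server = AuthServer(method)
    clients, stolen = {}, {}
    for user in ("alice", "bob", "carol"):
        s0 = secrets.token_bytes(32)        # constructed enrollment secret
        server.enroll(user, s0)
        clients[user] = Client(user, s0)
        stolen[user] = s0                   # attacker's copy from a breach of stored secrets
    r = {}
    r["alice_login_1"] = clients["alice"].login(server)                      # "ok"
    r["alice_login_2"] = clients["alice"].login(server)                      # "ok"
    r["attacker_alice"] = server.authenticate("alice", stolen["alice"])[0]   # "anomaly"
    r["breach_after_1"] = server.population_breach(threshold)                # False
    r["bob_login"] = clients["bob"].login(server)                            # "ok"
    r["attacker_bob"] = server.authenticate("bob", stolen["bob"])[0]         # "anomaly"
    r["breach_after_2"] = server.population_breach(threshold)                # True
    r["attacker_carol_guess"] = server.authenticate("carol", secrets.token_bytes(32))[0]  # "denied"
    r["recovery"] = list(server.recovery)                                    # ["alice", "bob"]
    return r


if __name__ == "__main__":
    print(demo())
```

The ordering matters for what the anomaly tells you: if the attacker presents the stolen secret before the legitimate client does, the attacker authenticates and the legitimate client's next login is the one flagged, so the anomaly identifies a cloned credential but not which party is the impostor; that is why the recovery workflow, rather than the denial alone, is what limits the damage. The retired-secret set here grows without bound per user; a deployment would keep a bounded history.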

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Girdhar, as applied to Claim 1, above, in view of Qiao et al., (US 20060236101 A1) hereinafter referred to as Qiao.
Regarding Claim 11, Girdhar does not explicitly teach wherein the client receives a notification, from the server, of one or more of that the first authentication succeeded and that the given shared secret needs to be updated.
Qiao teaches wherein the client receives a notification, from the server, of one or more of that the first authentication succeeded and that the given shared secret needs to be updated. [paragraph 0014, Preferably, the lifetime of said shared key is time, or the number of times said shared key can be used for authentication – the number of times a shared key can be used could be a single time, after which it would be expired] [paragraph 0011, the step of updating said shared key further comprises: sending a notification command from said Media Gateway to said Media Gateway Controller, requesting said Media Gateway Controller to generate a new shared key, wherein said notification command has a parameter for generating a shared key and a digital signature generated by an initial key; generating a new shared key and setting up a lifetime of said shared key after said Media Gateway Controller has validated said Media Gateway with said initial key – although Qiao teaches sending a notification to a “media gateway controller”, the notification could be sent to the user as taught by Kito (paragraph 0265, when these values are not equal, the first verification unit 64 notifies, for example, a user that these MAC values are not equal to each other. The first verification unit 64 is thus enabled to facilitate update of shared-key data – the user is notified that the values are not equal, which indicates that the shared key needs to be and will be updated)] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Qiao with the disclosure of Girdhar. The motivation or suggestion would have been for robust and up to date authentication. (Abstract and throughout)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923.  The examiner can normally be reached on M-F 10am-6pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ANDREW J STEINLE/Primary Examiner, Art Unit 2497