DETAILED ACTION

Response to Arguments
Applicant's arguments filed January 6, 2021 have been fully considered but they are now moot in view of a new ground of rejection.
Claims 1-20 are pending. Claims 1, 13, and 17 were amended.
The rejection of claims 13-16 under 35 U.S.C. § 112(b) as being indefinite has been withdrawn in view of the amendments.
The Applicant’s arguments on pp. 8-10 regarding the 103 rejection have been considered but are now moot in view of a new ground of rejection. See Claim Rejections - 35 USC § 103 below for details.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

Claims 1-5, 7, and 9-18 are rejected under 35 U.S.C. 103 as being unpatentable over Sabanayagam (hereinafter, “Sabanayagam”), US 10,182,048 in view of Nair (hereinafter, “Nair”), US 2018/0176212 and in further view of Vashisht et al. (hereinafter, “Vashisht”), US 2019/0297119.
As per claim 1: Sabanayagam discloses: A method for providing cross-device access to a one-time password (systems and methods for automatically populating one-time password (OTP) input fields using a mobile application to relay an OTP in a short message service (SMS) message to a personal computer [Sabanayagam, col. 4, lines 11-22]), the method comprising: receiving, by a mobile computing device, an electronic message (a computing device 204 receives a message, wherein the message may be SMS, email, or multimedia-messaging-service (MMS) [Sabanayagam, col. 8, lines 18-29; Figs. 2 & 3(304)]); identifying a sender of the electronic message; (a message may be identified to contain an OTP in any suitable manner, such as identifying the sender of the message and matching a pattern [Sabanayagam, col. 8, lines 38-67]); determining that the electronic message comprises a one-time password (identify SMS message 216 includes OTP 214 [Sabanayagam, col. 8, lines 18-22; Figs. 2 & 3(304)]); and automatically transferring the one-time password to a target computing device (transmit the OTP from the computing device 204 to computing device 202 [Sabanayagam, col. 9, lines 1-6; Figs. 2 & 3(306)]), 
Sabanayagam does not disclose identifying the sender of the message from a “known list of one-time password senders”. However, Nair is directed to analogous art of multi-factor authentication [Nair, ¶2]. Nair discloses: determining that the sender of the electronic message matches an identity on a known list of one-time password senders (a database maintains a list of short code numbers that are known to be associated with a particular sender of an authentication code, wherein the short code number is an identifier (similar to a phone number) provided in a message containing the authentication code [Nair, ¶68]). Therefore, “based on the determination that the sender of the electronic message matches the identity on the known list of one-time password senders”, Sabanayagam in view of Nair would have disclosed using a list of known OTP senders to identify messages containing OTPs.
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement a list of known OTP senders, as disclosed in Nair, as one additional means of identifying a SMS message containing an OTP in Sabanayagam. As stated in [Sabanayagam, col. 8, lines 38-39], a message containing an OTP can be identified in any suitable manner. A list of common OTP providers would have been pre-defined, as in Nair, such that a simple and quick lookup operation can be used to determine if a message is from a known OTP sender.
Furthermore, Sabanayagam discloses computing devices 202 and 204 connected via network 208, which represents various types of communication medium or architecture, including wired and wireless networks [Sabanayagam, col. 6, lines 41-53]. Sabanayagam does not explicitly disclose network 208 as having a “trust” that was “established between the mobile computing device and the target computing device.” However, establishing secure network connections between devices is a well-known feature in computer networks. For example, Vashisht is directed to analogous art of establishing collaboration sessions with devices located in the same physical location [Vashisht, ¶12]. Vashisht discloses: wherein a trust has been established between the mobile computing device and the target computing device (a cloud-based server is used to establish direct connections between devices, wherein various information is shared to establish the connections as authenticated and encrypted [Vashisht, ¶68]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to include secure connections in the network 208 of Sabanayagam. This would have enabled the OTP to be protected when transmitted from the computing device 204 to the computing device 202 and to prevent any man-in-the-middle or replay attacks.

As per claim 2: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 1. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: further comprising extracting the one-time password from the electronic message (transmitting module 108 of computing device 204 extracts the OTP from the message [Sabanayagam, col. 9, lines 24-30; Fig. 2]). 

As per claim 3: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 2. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the one-time password is automatically sent wirelessly from the mobile computing device to the target computing device upon the one-time password being extracted from the electronic message (network 208 may be wireless [Sabanayagam, col. 6, lines 41-53]; automatically retrieving the OTP [Sabanayagam, col. 10, lines 6-11]). 

As per claim 4: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 3. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the one-time password is sent from the mobile computing device to the target computing device via Bluetooth (establishing secure connections using Bluetooth addresses [Vashisht, ¶68]). 

As per claim 5: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 3. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the one-time password is sent from the mobile computing device to an application on the target computing device via an API (the OTP is sent to a receiving module 110 of password manager 218, which is installed in computing device 202 [Sabanayagam, col. 5, line 64 – col. 6, line 12; Fig. 2]). 

As per claim 7: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 1. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the electronic message comprises an SMS message and the one-time password is extracted directly from the SMS message (identifying SMS message 216 that include the OTP 214 [Sabanayagam, col. 8, 

As per claim 9: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 1. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the electronic message comprises an SMS message (identifying SMS message 216 that include the OTP 214 [Sabanayagam, col. 8, lines 18-22; Fig. 3(304)]), and automatically transferring the one-time password to the target computing device comprises transferring the entirety of the SMS message to the target device (transferring all or a portion of the message [Sabanayagam, col. 9, lines 24-30]). 

As per claim 10: Sabanayagam in view of Nair and Vashisht discloses all limitations of claim 9. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: further comprising extracting, by the target device, the one-time password from the SMS message (the entirety of the message may be sent to computing device 202 [Sabanayagam, col. 9, lines 24-30]; as discussed in [Sabanayagam, col. 9, lines 24-30], the computing device 204 may extract the OTP before sending it; however, in the scenario where the SMS message is sent as a whole (e.g. the extraction is not performed by the computing device 204), then extraction would have to be completed at the computing device 202 in order to obtain the OTP and auto-populate the input fields).

As per claim 11: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 1. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein determining that the electronic message comprises a one-time password comprises filtering a plurality of SMS messages for a sender corresponding to a target domain on the target device (using information of the message sender to identify the message includes the OTP [Sabanayagam, col. 8, lines 49-67]). 

As per claim 12: Sabanayagam in view of Nair and Vashisht discloses all limitations of claim 1. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the established trust between the mobile computing device and the target computing device comprises at least one of: a Bluetooth trust; a public-private key trust; and a cloud-based application sign-in trust (sharing over a secure cloud connection: Bluetooth addresses, services/applications hosted by devices; using the shared information to established secure connections, including using public keys or secrets [Vashisht, ¶68]).

As per claim 13: Sabanayagam discloses: A system for providing cross-device access to a one-time password (systems and methods for automatically populating one-time password (OTP) input fields using a mobile application to relay an OTP in a short message service (SMS) message to a personal computer [Sabanayagam, col. 4, lines 11-22]), comprising: a memory for storing executable program code; and one or more processors, functionally coupled to the memory (the typical computing system is illustrated in [Sabanayagam, Fig. 5]), the one or more processors being responsive to computer-executable instructions contained in the program code and operative to: receive, at a target computing device, an indication to have a one-time password for a current domain sent to a mobile computing device, (detecting at computing device 202 an input field that requests an OTP [Sabanayagam, col. 7, lines 11-15]); receive an electronic message (a computing device 204 receives a message, wherein the message may be SMS, email, or multimedia-messaging-service (MMS) [Sabanayagam, col. 8, lines 18-29; Figs. 2 & 3(304)]); identify a sender of the electronic message; (a message may be identified to contain an OTP in any suitable manner, such as identifying the sender of the message and matching a pattern [Sabanayagam, col. 8, lines 38-67]); determine that the electronic message comprises a one-time password (identify SMS message 216 includes OTP 214 [Sabanayagam, col. 8, lines 18-22; Figs. 2 & 3(304)]); and automatically insert the one-time password into a password field in the current domain (automatically populating, at the computing device 202, the input field with the OTP [Sabanayagam, col. 9, lines 36-40; Fig. 3(310)]).
Sabanayagam does not disclose identifying the sender of the message to a “known list of one-time password senders”. However, Nair is directed to analogous art of multi-factor authentication [Nair, ¶2]. Nair discloses: determine that the sender of the electronic message matches an identity on a known list of one-time password senders (a database maintains a list of short code numbers that are known to be associated with a particular sender of an authentication code, wherein the short code number is an identifier (similar to a phone number) provided in a message containing the authentication code [Nair, ¶68]). Therefore, “based on the determination that the sender of the electronic message matches the identity on the known list of one-time password senders”, Sabanayagam in view of Nair would have disclosed using a list of known OTP senders to identify messages containing OTPs.
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement a list of known OTP senders, as disclosed in Nair, as one additional means of identifying a SMS message containing an OTP in Sabanayagam. As stated in [Sabanayagam, col. 8, lines 38-39], a message containing an OTP can be identified in any suitable manner. A list of common OTP providers would have been pre-defined, as in Nair, such that a simple and quick lookup operation can be used to determine if a message is from a known OTP sender.
Furthermore, Sabanayagam discloses computing devices 202 and 204 connected via network 208, which represents various types of communication medium or architecture, including wired and wireless networks [Sabanayagam, col. 6, lines 41-53]. Sabanayagam does not explicitly disclose network 208 as having a “trust” that was “established between the mobile computing device and the target computing device.” However, establishing secure network connections between devices is a well-known feature in computer networks. For example, Vashisht is directed to analogous art of establishing collaboration sessions with devices located in the same physical location [Vashisht, ¶12]. Vashisht discloses: wherein a trust has been established between the mobile computing device and the target computing device (a cloud-based server is used to establish direct connections between devices, wherein various information is shared to establish the connections as authenticated and encrypted [Vashisht, ¶68]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to include secure connections in the network 208 of Sabanayagam. This would have enabled the OTP to be protected when transmitted from the computing device 204 to the computing device 202 and to prevent any man-in-the-middle or replay attacks.

As per claim 14: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 13. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the established trust between the mobile computing device and the target computing device comprises a Bluetooth trust (sharing Bluetooth addresses to establish secure connections [Vashisht, ¶68]), and wherein the one-time password is received from the mobile computing device by the target computing device via a Bluetooth connection (in view of Vashisht, the network 208 in Sabanayagam would have secure Bluetooth connections for secure wireless data transmissions). 

As per claim 15: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 13. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the one-time password is incorporated in an SMS message form in which it was received by the mobile computing device (identifying SMS message 216 that include the OTP 214 [Sabanayagam, col. 8, lines 18-22; Fig. 3(304)]). 

As per claim 16: Claim 16 incorporates all limitations of claim 15. Claim 16 is directed to a system comprising instructions corresponding to the method of claim 11. Thus, the responses provided to claims 11 and 15 are equally applicable to claim 16.

As per claim 17: Claim 17 is different in overall scope from claims 1 and 2 but recites substantially similar subject matter as claims 1 and 2. Claim 17 is directed to a computer-readable storage device comprising executable instructions corresponding to the method of claims 1 and 2. Thus, the responses provided above for claims 1 and 2 are equally applicable to claim 17.

As per claim 18: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 17. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein the established trust between the first computing device and the second computing device comprises a Bluetooth trust (sharing Bluetooth addresses to establish secure connections [Vashisht, ¶68]), and wherein the one-time password is transferred from the first computing device to the second computing device via a Bluetooth connection (in view of Vashisht, the network 208 in Sabanayagam would have secure Bluetooth connections for secure wireless data transmissions). 

Claims 6 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sabanayagam in view of Nair and Vashisht and in further view of Ferrara et al. (hereinafter, “Ferrara”), US 2017/0300816.
As per claim 6: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 1. Furthermore, Sabanayagam in view of Nair and Vashisht disclose: wherein determining that the electronic message comprises a one-time password comprises applying one of: a one-time password pattern recognition model to the electronic message (identifying a message containing an OTP by matching a pattern [Sabanayagam, col. 8, lines 49-67]); .
Sabanayagam does not specify the use of machine learning models for recognizing the pattern. However, pattern recognition is often observed as a complement with machine learning. For example, in the background portion of [Ferrara, ¶¶1-2]: “…machine learning is a subfield of computer science that evolved from the study of pattern recognition.” Machine learning and pattern recognition can be viewed as two facets of the same field.
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to include the utilization of machine learning models and algorithms for recognizing OTPs in the SMS messages of Sabanayagam. A machine learning model would have provided a dynamic means of pattern recognition over a strictly static means of pattern recognition, such as regular expression, since not all SMS messages may be constructed the same.

As per claim 20: Claim 20 incorporates all limitations of claim 17. Claim 20 is directed to a computer-readable storage device comprising instructions corresponding to the method of claim 6. Thus, the responses provided to claims 6 and 17 are equally applicable to claim 20.

Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sabanayagam in view of Nair and Vashisht and in further view of Daly et al. (hereinafter, “Daly”), US 2018/0157824.
As per claim 8: Sabanayagam in view of Nair and Vashisht disclose all limitations of claim 1. Sabanayagam in view of Nair and Vashisht do not disclose the limitations of claim 8. However, Daly is directed to storing passwords using steganography [Daly, ¶1]. Therefore, Sabanayagam in view of Nair, Vashisht, and Daly disclose: wherein the electronic message comprises an SMS message and the one-time password is extracted from an image of a notification corresponding to the SMS message (a password is encoded in a steganographic image [Daly, ¶56], wherein the password can be extracted and provided as a credential to an online service [Daly, ¶68]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the text-based OTP in the SMS message of Sabanayagam to a steganographic image embedded with the OTP as suggested in Daly. This modification would have prevented a human from obtaining the OTP if the SMS messages were compromised or intercepted by a malicious actor. Steganography is a well-known practice of concealing information within other information.

As per claim 19: Claim 19 incorporates all limitations of claim 18. Claim 19 is directed to a computer-readable storage device comprising instructions corresponding to the method of claim 8. Thus, the responses provided to claims 8 and 18 are equally applicable to claim 19.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2019/0026446: Discloses extracting a one-time password from an image.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
3-12-2021