DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
2.	This action is responsive to the following communication:  Original claims filed 12/30/20.  This action is made non-final.
3.	Claims 1-20 are pending in the case.  Claims 1, 14 and 19 are independent claims.

35 USC § 112
4.	The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph: 
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

5.      With regard to claim 19, claim limitations “means for causing”, “means for accepting" , “means for receiving” and “means for responsive” have been interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.  Use of the word “means” (or “step for”) in a claim with functional language creates a rebuttable presumption that the claim element is to be treated in accordance with 35 U.S.C. 112(f) (pre-AIA  35 U.S.C. 112, sixth paragraph).  The presumption that 35 U.S.C. 112(f) (pre-AIA  35 U.S.C. 112, sixth paragraph) is invoked is rebutted 
Absence of the word “means” (or “step for”) in a claim creates a rebuttable presumption that the claim element is not to be treated in accordance with 35 U.S.C. 112(f) (pre-AIA  35 U.S.C. 112, sixth paragraph).  The presumption that 35 U.S.C. 112(f) (pre-AIA  35 U.S.C. 112, sixth paragraph) is not invoked is rebutted when the claim element recites function but fails to recite sufficiently definite structure, material or acts to perform that function. 
Claim elements in this application that use the word “means” (or “step for”) are presumed to invoke 35 U.S.C. 112(f) except as otherwise indicated in an Office action.  Similarly, claim elements that do not use the word “means” (or “step for”) are presumed not to invoke 35 U.S.C. 112(f) except as otherwise indicated in an Office action.
Since the claim limitation(s) invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claim 20 have been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.  
If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action. 
If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112 , sixth paragraph, applicant may amend the claim(s) so that it/they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites/recite sufficient structure, material, or acts for 
For more information, see MPEP § 2173 et seq. and Supplementary Examination Guidelines for Determining Compliance With 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).

Claim Objections
6.	Claims 4, 5, 9, 17 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
7.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

8.	Claim 1 are rejected under 35 U.S.C. 103(a) as being unpatentable over McClintock (US 9606983) in view of Sugiyama (US 20140165175).
Regarding claim 1, McClintock discloses a device for authenticating access to an access-controlled resource, the device comprising:

a memory, stating instructions, which when executed, cause the one or more hardware processors to perform operations comprising (FIG. 10, computing device):
causing a graphical user interface (GUI) to be displayed requesting an authentication credential to access the access-controlled resource (FIG. 7, interface for receiving a password and token), the GUI comprising an input field for accepting the requested authentication credential from an input device in the form of a set of characters, the GUI requiring the set of characters to include at least one character in addition to characters in a stored credential (FIG. 7, to fully authenticate a user must provide both a password and a token field from a OTP);
accepting the set of characters from the input field upon receipt of an input to the GUI that the set of characters is complete, the set of characters including more characters than the stored credential, and including no subset of the set of characters that exactly matches the stored credential in entirety (FIG. 7-9, the characters are input into the respective fields wherein the password must match the password and the token must match the token field respectively).
McClintock does not necessarily disclose wherein receiving an indication that the set of characters includes a first subset of characters that match a portion of the stored credential, the matched portion of the stored credential having fewer characters than the stored credential and in a same order; and responsive to receiving the indication, displaying on the GUI that access has been granted to the access-controlled resource. 
However, Sugiyama discloses wherein in at least FIG. 6 a user submits a token and a password authentication to gain entry to a post-login screen.  Further, when a user of the 
The combination of McClintock and Sugiyama results in the password authentication system of McClintock to further incorporate Sugiyama’s teachings of utilizing entry to said further information.  One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
Regarding claim 14, McClintock discloses a method for authenticating access to an access-controlled resource, the method comprising: using one or more hardware processors: causing a graphical user interface (GUI) to be displayed requesting an authentication credential to access the access-controlled resource (FIG. 7, interface for receiving a password and token), the GUI comprising an input field for accepting the requested authentication credential from an input device in the form of a set of characters, the GUI requiring the set of characters to include at least one character in addition to characters in a stored credential (FIG. 7, to fully authenticate a user must provide both a password and a token field from a OTP);
accepting the set of characters from the input field upon receipt of an input to the GUI that the set of characters is complete, the set of characters including more characters than the stored credential, and including no subset of the set of characters that exactly matches the stored credential in entirety (FIG. 7-9, the characters are input into the respective fields wherein the password must match the password and the token must match the token field respectively).
McClintock does not necessarily disclose wherein receiving an indication that the set of characters includes a first subset of characters that match a portion of the stored credential, the matched portion of the stored credential having fewer characters than the stored credential and in a same order; and responsive to receiving the indication, displaying on the GUI that access has been granted to the access-controlled resource. 
However, Sugiyama discloses wherein in at least FIG. 6 a user submits a token and a password authentication to gain entry to a post-login screen.  Further, when a user of the terminal device 30 inputs a user ID and a password into the user ID input field 71 and the password input field 72 of the login screen 70, respectively, and presses the login button 73, the process for converting the token defined in the script section 62 of the login screen data 60 may be performed, and the converted token may be sent to the server device 10 along with the inputted user ID and password (paragraph 0037).  Moreover, the credentials sent to the server will contain characters that are fewer than the saved password as the credentials will send more characters than just the password (password + token are sent to the server).
The combination of McClintock and Sugiyama results in the password authentication system of McClintock to further incorporate Sugiyama’s teachings of utilizing entry to said further information.  One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
 Regarding claim 19, McClintock discloses a device for authenticating access to an access-controlled resource, the device comprising:
means for causing a graphical user interface (GUI) to be displayed requesting an authentication credential to access the access-controlled resource (FIG. 7, interface for receiving a password and token), the GUI comprising an input field for accepting the requested authentication credential from an input device in the form of a set of characters, the GUI requiring the set of characters to include at least one character in addition to characters in a stored credential (FIG. 7, to fully authenticate a user must provide both a password and a token field from a OTP);
means for accepting the set of characters from the input field upon receipt of an input to the GUI that the set of characters is complete, the set of characters including more characters than the stored credential, and including no subset of the set of characters that exactly matches the stored credential in entirety (FIG. 7-9, the characters are input into the respective fields wherein the password must match the password and the token must match the token field respectively).
McClintock does not necessarily disclose wherein means for receiving an indication that the set of characters includes a first subset of characters that match a portion of the stored credential, the matched portion of the stored credential having fewer characters than the stored credential and in a same order; and means for responsive to receiving the indication, displaying on the GUI that access has been granted to the access-controlled resource. 
However, Sugiyama discloses wherein in at least FIG. 6 a user submits a token and a password authentication to gain entry to a post-login screen.  Further, when a user of the terminal device 30 inputs a user ID and a password into the user ID input field 71 and the password input field 72 of the login screen 70, respectively, and presses the login button 73, the process for converting the token defined in the script section 62 of the login screen data 60 may be performed, and the converted token may be sent to the server device 10 along with the inputted user ID and password (paragraph 0037).  Moreover, the credentials sent to the server will contain characters that are fewer than the saved password as the credentials will send more characters than just the password (password + token are sent to the server).
The combination of McClintock and Sugiyama results in the password authentication system of McClintock to further incorporate Sugiyama’s teachings of utilizing entry to said further information.  One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
9.	Claim 2, 3, 6, 15, 16 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over McClintock-Sugiyama in further view of Qian (US 20150324579). 
Regarding claim 2, McClintock does not disclose wherein the set of characters of the input to the GUI are required to have a number of characters of a predetermined length. 
However, Qian discloses wherein for example, the special registration module 125 of the user management device 100 can be further configured to determine whether the login password associated with the registration request of the current user (e.g., the second user (Tony)) matches a predetermined length rule. In the event that the login password associated with the registration request of the current user does match the predetermined length rule, then the user registration can be deemed successful (e.g., assuming other registration criteria is satisfied). In the event that the login password associated with the registration request of the current user does not match the predetermined length rule, then, on the current page, in a dialog box, or the like, the current user (Tony) can be prompted to re-input a login password that complies with the predetermined length rule, wherein the length of the conflicting old user login password does not comply with the predetermined length rule (paragraph 0065).
The combination of McClintock and Qian results in the password authentication system of McClintock to further incorporate Qian’s teachings of requiring character limits for a password. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
Regarding claim 15, McClintock does not disclose wherein the set of characters of the input to the GUI are required to have a number of characters of a predetermined length. 
However, Qian discloses wherein for example, the special registration module 125 of the user management device 100 can be further configured to determine whether the login password associated with the registration request of the current user (e.g., the second user (Tony)) matches a predetermined length rule. In the event that the login password associated with the registration request of the current user does match the predetermined length rule, then the user registration can be deemed successful (e.g., assuming other registration criteria is satisfied). In the event that the login password associated with the registration request of the current user does not match the predetermined length rule, then, on the current page, in a dialog box, or the like, the current user (Tony) can be prompted to re-input a login password that complies with the predetermined length rule, wherein the length of the conflicting old user login password does not comply with the predetermined length rule (paragraph 0065).
The combination of McClintock and Qian results in the password authentication system of McClintock to further incorporate Qian’s teachings of requiring character limits for a password. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
Regarding claim 20, McClintock does not disclose wherein the set of characters of the input to the GUI are required to have a number of characters of a predetermined length.
However, Qian discloses wherein for example, the special registration module 125 of the user management device 100 can be further configured to determine whether the login password associated with the registration request of the current user (e.g., the second user (Tony)) matches a predetermined length rule. In the event that the login password associated with the registration request of the current user does match the predetermined length rule, then the user registration can be deemed successful (e.g., assuming other registration criteria is satisfied). In the event that the login password associated with the registration request of the current user does not match the predetermined length rule, then, on the current page, in a dialog box, or the like, the current user (Tony) can be prompted to re-input a login password that complies with the predetermined length rule, wherein the length of the conflicting old user login password does not comply with the predetermined length rule (paragraph 0065).
The combination of McClintock and Qian results in the password authentication system of McClintock to further incorporate Qian’s teachings of requiring character limits for a password. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
Regarding claim 3, McClintock does not disclose wherein access to the access-controlled resource is rejected based on a determination that the matched portion of the set of characters equals the first set of characters in entirety. 

Regarding claim 16, McClintock does not disclose wherein access to the access-controlled resource is rejected based on a determination that the matched portion of the set of characters equals the first set of characters in entirety. 
However, Qian discloses wherein for example, the special registration module 125 of the user management device 100 can be further configured to determine whether the login password associated with the registration request of the current user (e.g., the second user (Tony)) matches a predetermined length rule. In the event that the login password associated with the registration request of the current user does match the predetermined length rule, then the user registration can be deemed successful (e.g., assuming other registration criteria is satisfied). In the event that the login password associated with the registration request of the current user does not match the predetermined length rule, then, on the current page, in a dialog box, or the like, the current user (Tony) can be prompted to re-input a login password that complies with the predetermined length rule, wherein the length of the conflicting old user login password does not comply with the predetermined length rule (paragraph 0065).
The combination of McClintock and Qian results in the password authentication system of McClintock to further incorporate Qian’s teachings of requiring character limits for a password. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
Regarding claim 6, McClintock does not disclose wherein the operations of displaying the indication that access has been granted to the access-controlled resource includes determining that the first subset of characters includes a minimum number of characters corresponding to the stored credential. 
However, Qian discloses wherein for example, the special registration module 125 of the user management device 100 can be further configured to determine whether the login password associated with the registration request of the current user (e.g., the second user (Tony)) matches a predetermined length rule. In the event that the login password associated 
The combination of McClintock and Qian results in the password authentication system of McClintock to further incorporate Qian’s teachings of requiring character limits for a password. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
10.	Claims 7 and 8 are rejected under 35 U.S.C. 103(a) as being unpatentable over McClintock-Sugiyama in view of Eluard (US 20140317705).  
Regarding claim 7, McClintock does not disclose, wherein the first subset of characters are determined to match the portion of the stored credential based on a distance function and a maximum distance threshold
However, Eluard discloses wherein the user has a group of at least one password that is accepted as correct passwords by an authentication server, the group comprising one primary password and zero or more secondary passwords; the message is further indicative of whether the hash value corresponds to the primary password or one of the secondary passwords; and the processor uses the distance function and sends hash values for password proposals for which the distance value is lower than or equal to a threshold value only in case the message indicates that the hash value corresponds to the primary password (paragraph 0018).
The combination of McClintock and Eluard results in the password authentication system of McClintock to further incorporate Eluard’s teachings of requiring a distance function to a password. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
Regarding claim 8, McClintock does not disclose wherein the operations of displaying the indication that access has been granted to the access-controlled resource includes determining that the first subset of characters are a distance from the portion of the stored 
However, Eluard discloses wherein the user has a group of at least one password that is accepted as correct passwords by an authentication server, the group comprising one primary password and zero or more secondary passwords; the message is further indicative of whether the hash value corresponds to the primary password or one of the secondary passwords; and the processor uses the distance function and sends hash values for password proposals for which the distance value is lower than or equal to a threshold value only in case the message indicates that the hash value corresponds to the primary password (paragraph 0018).
The combination of McClintock and Eluard results in the password authentication system of McClintock to further incorporate Eluard’s teachings of requiring a distance function to a password. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
11.	Claim 10 and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over McClintock-Sugiyama in view of Ramalingam (US 9946867). 
Regarding claim 10, McClintock does not disclose further comprising operations of: monitoring entry of a second set of characters as they are entered; determining that the second set of characters does not include a second subset of characters interleaved with the first subset; and displaying an indication to enter the second subset prior to completion of entry of the second set of characters. 
However, Ramalingam discloses wherein in addition, this particular example enables the user to determine exactly where in the password the error was made. For instance, if the n.sup.th character in the representation of the complete password (n a positive integer) was different than expected, the user would know that there was an error in the n.sup.th character of the password. In many implementations, the user can use this knowledge to delete the erroneous character and replace it with another character. From the perspective of that which 
The combination of McClintock and Ramalingam results in the password authentication system of McClintock to further incorporate Ramalingam’s teachings of incorporating further password implementations to match the required access.  One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
Regarding claim 11, McClintock does not disclose further comprising operations of: monitoring entry of a second set of characters as they are entered; determining that the second set of characters includes the stored credential in its entirety; and displaying an indication to remove at least one character from the second set of characters corresponding to the stored credential prior to completion of entry of the second set of characters. 
However, Ramalingam discloses wherein in addition, this particular example enables the user to determine exactly where in the password the error was made. For instance, if the n.sup.th character in the representation of the complete password (n a positive integer) was different than expected, the user would know that there was an error in the n.sup.th character of the password. In many implementations, the user can use this knowledge to delete the erroneous character and replace it with another character. From the perspective of that which is displayed, correction of an entered password may appear as if the symbolic representation of the password is being corrected. For example, if the nth character in the symbolic representation is deleted, the nth character of the symbolic representation disappears from the 
The combination of McClintock and Ramalingam results in the password authentication system of McClintock to further incorporate Ramalingam’s teachings of incorporating further password implementations to match the required access.  One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
12.	Claim 12 and 13 are rejected under 35 U.S.C. 103(a) as being unpatentable over McClintock-Sugiyama in view of Buck (US 20140165169). 
Regarding claim 12, McClintock does not disclose wherein the GUI requires the set of characters to not include the stored credential in its entirety. 
However, Buck discloses wherein according to an embodiment, the password validation system 200 described above allows for certain substitution errors when entering the password. In particular, when a non-matching character of the entered password 422 is substituted with an alternative character 205 that matches the corresponding character of the defined password 420, the substitution error is forgiven. In an embodiment, the password validation system 200 can also be configured to forgive other types of errors, such as transposition, insertion and deletion errors. A transposition error is one in which two characters that occur next to each other in the entered password 422 are switched in position. For example, if "abcde" is the defined password 420 and "abdce" is the entered password 422, the entered password 422 has a transposition error between the "c" and "d". A deletion error is one in which a character of the defined password 420 is omitted, whereas an insertion error is one in which an additional character has been inserted into the entered password, e.g., when "abcde" is the defined 
The combination of McClintock and Buck results in the password authentication system of McClintock to further incorporate Buck’s teachings of error correcting passwords that are inputted. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 
Regarding claim 13, McClintock does not disclose The device of claim 1, wherein the set of characters is indicated to include a second subset of characters that are not specified for the access-controlled resource and are interleaved with the first subset of characters in an order that is not specified. 
However, Buck discloses wherein according to an embodiment, the password validation system 200 described above allows for certain substitution errors when entering the password. In particular, when a non-matching character of the entered password 422 is substituted with an alternative character 205 that matches the corresponding character of the defined password 420, the substitution error is forgiven. In an embodiment, the password validation system 200 can also be configured to forgive other types of errors, such as transposition, insertion and deletion errors. A transposition error is one in which two characters that occur next to each other in the entered password 422 are switched in position. For example, if "abcde" is the defined password 420 and "abdce" is the entered password 422, the entered password 422 has a transposition error between the "c" and "d". A deletion error is one in which a character of the defined password 420 is omitted, whereas an insertion error is one in which an additional character has been inserted into the entered password, e.g., when "abcde" is the defined password 420 and "abcxde" is the entered password 422, the entered password 422 has an insertion error, inserting an additional character "x" into the password (paragraph 0057).
The combination of McClintock and Buck results in the password authentication system of McClintock to further incorporate Buck’s teachings of error correcting passwords that are inputted. One would have been motivated to have combined the teachings because a user in McClintock would have benefited from utilizing said authentication to further enable a user to access previously locked systems.  Therefore, it would have been obvious to have combined the teachings as the combination of teachings would have been an obvious result of predictable inventions. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID E CHOI whose telephone number is (571)270-3780.  The examiner can normally be reached on M-F: 7-2, 7-10 (PST). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dennis Chow can be reached on (571) 272-7767.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAVID E CHOI/Primary Examiner, Art Unit 2174