DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 13, 24, 32 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 13 recites the limitation "said second client device" in lines 2-3.  There is insufficient antecedent basis for this limitation in the claim.
Claim 13 recites the limitation "said first client device" in line 3.  There is insufficient antecedent basis for this limitation in the claim.
Claim 24 recites the limitation "said second client device" in lines 2-3.  There is insufficient antecedent basis for this limitation in the claim.
Claim 24 recites the limitation "said first client device" in line 3.  There is insufficient antecedent basis for this limitation in the claim.
Claim 32 recites the limitation "said second client device" in line 3.  There is insufficient antecedent basis for this limitation in the claim.
Claim 32 recites the limitation "said first client device" in line 3.  There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-3, 6-9, 18-20, 26-28, 34 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ganesan, U.S. Publication No. 2007/0033642. Referring to claims 1, 26, Ganesan discloses a man-in-the-middle phishing attack protection system ([0094]-[0095]) wherein an authenticating entity network device receives a .
Referring to claim 2, Ganesan discloses that the protection system provides protection against man-in-the-middle phishing attacks such as proxy attacks ([0094]-[0095]), which meets the limitation of wherein said on-line phishing attack comprises a proxy phishing attack.
Referring to claim 3, Ganesan discloses that the authenticating entity network device receives a log-in request from a user network device ([0135]) such that the authenticating entity network device initiates a challenge response procedure in response to receiving the log-in request ([0136]-[0142]: challenge response procedure results in the authentication of the user and would be considered the claimed authentication session), which meets the limitation of wherein said initiating said electronic authentication process comprises electronically transforming said login request into an authentication session.
Referring to claim 6, Ganesan discloses that the authentication process is implemented by a browser and an ID tool invoked by the browser on the client side ([0134]-[0142]), which meets the limitation of wherein said electronic authentication process is implemented via two client programs.
Referring to claims 7, 27, Ganesan discloses that the log-in request transmitted by the user’s network device includes a user identifier ([0135]: “Alice wants to log in.” where “Alice” would be considered a user identifier and would also correspond to a user credential or part thereof), which meets the limitation of wherein said login request comprises a user credential or a part thereof.
Referring to claim 8, Ganesan discloses that the user’s identifier (e.g., Alice) was not entered by the user ([0135]: because the identifier “Alice” is not described as being input by the user of the user’s network device, the identifier “Alice” can be said to have been selected without user input), which meets the limitation of wherein said user credential is selected without user input.
Referring to claims 9, 28, Ganesan discloses that the log-in request includes a user identifier ([0135]: Alice would be considered a user identifier and would map to the claimed user credential) such that the received log-in request initiates a challenge response procedure that results in the authentication of the user ([0136]-[0142]) to a service such as PayPal ([0025]), which meets the limitation of wherein said user credential is associated with a service because the user identifier (“Alice”) is part of the procedure that results in the user’s authenticated access to the service. Therefore, the user identifier (“Alice”) can be said to be “associated” with the service as claimed to the extent that the user identifier is utilized to access the service.
Referring to claim 18, Ganesan discloses a man-in-the-middle phishing attack protection system ([0094]-[0095]) wherein an authenticating entity network device receives a log-in request from a user network device ([0135]), which meets the limitation of electronically receiving a login request. The user network device receives a random challenge from the authenticating entity network device such that the user network device executes an ID Tool to create a digital signature that is transmitted back to the authenticating entity network device ([0136]-[0137]: challenge response scenario represents the initiation of the authentication process), which meets the limitation of initiate an electronic authentication process based, at least in part, on said login request. The authenticating entity network device ([0075]-[0076]) includes a modem (Figure 5, 560), which meets the limitation of a communication interface to communicate with an electronic communications network. The authenticating entity network device ([0075]-[0076]) includes a processor (Figure 5, 500) coupled to EPROM memory (Figure 5, 522) and RAM (Figure 5, 523), which meets the limitation of one or more processors coupled to a memory and to the communication interface.
Referring to claim 19, Ganesan discloses that the log-in request transmitted by the user’s network device includes a user identifier ([0135]: “Alice wants to log in.” where “Alice” would be considered a user identifier and would also correspond to a user credential or part thereof), which meets the limitation of wherein said login request comprises a user credential or a part thereof.
Referring to claim 20, Ganesan discloses that the log-in request includes a user identifier ([0135]: Alice would be considered a user identifier and would map to the claimed user credential) such that the received log-in request initiates a challenge response procedure that results in the authentication of the user ([0136]-[0142]) to a service such as PayPal ([0025]), which meets the limitation of wherein said user credential is to be associated with a service because the user identifier (“Alice”) is part of the procedure that results in the user’s authenticated access to the service. Therefore, the user identifier (“Alice”) can be said to be “associated” with the service as claimed to the extent that the user identifier is utilized to access the service.
Referring to claim 34, Ganesan discloses a man-in-the-middle phishing attack protection system ([0094]-[0095]) that includes a user network device that communicates with a relying party network device (Figure 6: user network device reads on the claimed client device and the relying party network device reads on the claimed authenticator), which meets the limitation of at least one client device communicatively coupled to at least one authenticator. The user network device also communicates with an authentication entity network device (Figure 6, 610) that provides services such as merchant services that are accessible to the user of the user network device ([0095]: authenticating entity can be a merchant server), which meets the limitation of at least one service communicatively coupled to the at least one client device, wherein the at least one service is accessed by the at least one client device. The relying party network device receives communications indirectly from the authenticating entity network device ([0143]: authenticating entity network device transmits SSL hash to user network device which transmits the SSL hash to the relying party network device), which meets the limitation of wherein the at least one service is communicatively coupled to the at least one authenticator. The user of the user network device is associated with an asymmetric key pair having a public key and a private key ([0100]: paragraph references US Application No. 11/055,987, which corresponds with US Publication No. 20060182283, for details regarding the asymmetric cryptography specifics) such that the referenced ‘987 application describes the asymmetric key pair being generated by the user device (US Publication No. 20060182283: [0077]), which meets the limitation of wherein the at least one client device is programmed with instructions to generate a user credential to comprise at least one asymmetric key pair for authentication, wherein the at least one asymmetric key pair further comprises a user credential private key and a user credential public key. The merchant has access to the second portion of the user private key ([0101]: relying party network entity is the merchant [0130]), which meets the limitation of associated the user credential with the at least one service. The authenticating entity network device issues a challenge to the user’s network device that includes a large random number and a request to digitally sign the random number ([0136]: The request instructions to digitally sign the random number would read on the claimed additional information provided by the service), which meets the limitation of wherein the service is programmed to authenticate the user by issuing a challenge, wherein the challenge comprises a large random number and additional information provided by the service. The authenticating entity network device receives a digital signature from the user network device ([0137]) and decrypts the received signature to recover the original random number concatenated with a second random number such that the original random numbers are compared in order to obtain the second random number ([0138]), which meets the limitation of check that the challenge response is a digital signature of the challenge by the user credential private key. Decryption of the digital signature requires the public key that corresponds to the private key utilized to generate the digital signature ([0143]), which meets the limitation of a digital signature that is verifiable with the user credential public key. Examiner notes that the claim does not specifically require actual verification of the digital signature using the public key. Instead, the claims merely require that the digital signature be “verifiable” using a public key. This limitation is met by paragraph [0143] of Ganesan because paragraph [0143] discloses that digital signatures are “verifiable” using the corresponding public key.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 4, 5 are rejected under 35 U.S.C. 103 as being unpatentable over Ganesan, U.S. Publication No. 2007/0033642, in view of Ruthfield, U.S. Publication No. 2005/0010871. Referring to claims 4, 5, Ganesan discloses that the authentication process is implemented by a browser and an ID tool invoked by the browser on the client side ([0134]-[0142]: ID tool would read on the claimed authenticator), which meets the limitation of [wherein said single client program] comprises a browser and an authenticator. 
Ganesan does not specify that the browser and ID tool are incorporated into a single client program. Ruthfield discloses the incorporation of a browser and other applications into a single application ([0063]), which meets the limitation of wherein said electronic authentication process is implemented via a single client program. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the browser and ID tool of Ganesan to have been incorporated into a single application in order to provide the functionality of the browser and ID tool in a single navigable structure as suggested by Ruthfield ([0063]).
Claims 10, 11, 21, 22, 29, 30 are rejected under 35 U.S.C. 103 as being unpatentable over Ganesan, U.S. Publication No. 2007/0033642, in view of Hansen, U.S. Publication No. 2007/0005776. Referring to claims 10, 21, 29, Ganesan discloses that the user provides log-in information to access web services through a web browser ([0021]-[0022] & [0025]) such that the web service access can include user initiated transactions ([0022]-[0023]: transaction information would read on the claimed service parameter and the website/web service would read on the claimed protected resource), which meets the limitation of electronically communicating a service parameter for accessing a protected resource [in the same instance of a client program].
However, Ganesan does not specify that service parameters for the web services are provided through the same browser instance. Hansen discloses that webpage navigation from a first webpage to a second webpage can occur within the same browser instance or a new browser instance ([0075]-[0076]), which meets the limitation of access a protected resource in the same instance of a client program. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the authenticated web service access of Ganesan to have been provided through the same browser instance because Hansen describes that utilization of the same browser instance is one of a finite number of possible embodiments that could be implemented by one of ordinary skill in the art with a reasonable expectation of success.
Referring to claims 11, 22, 30, Ganesan discloses that the user provides log-in information to access web services through a web browser ([0021]-[0022] & [0025]) such that the web service access can include user initiated transactions ([0022]-[0023]: transaction information would read on the claimed service parameter and the website/web service would read on the claimed protected resource), which meets the limitation of electronically communicating a service parameter for accessing a protected resource [in a new instance of a client program].
However, Ganesan does not specify that service parameters for the web services are provided through the same browser instance. Hansen discloses that webpage navigation from a first webpage to a second webpage can occur within the same browser instance or a new browser instance ([0075]-[0076]), which meets the limitation of access a protected resource in a new instance of a client program. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the authenticated web service access of Ganesan to have been provided through a new browser instance because Hansen describes that utilization of the same browser instance is one of a finite number of possible embodiments that could be implemented by one of ordinary skill in the art with a reasonable expectation of success.
Claims 12, 13, 23, 24, 31, 32 are rejected under 35 U.S.C. 103 as being unpatentable over Ganesan, U.S. Publication No. 2007/0033642, in view of Hansen, U.S. Publication No. 2007/0005776, and further in view of Beiter, U.S. Publication No. 2017/0244555. Referring to claims 12, 23, 31, Ganesan discloses a man-in-the-middle phishing attack protection system ([0094]-[0095]) wherein an authenticating entity network device receives a log-in request from a user network device ([0135]: user network device reads on the claimed first client device), which meets the limitation of wherein said login request is initiated via a first client device.
Ganesan, as modified in view of Hansen above, does not disclose that the authenticated service access is performed on a second device. Beiter discloses an authenticated session transfer system wherein a user provides login credentials at a mobile device such that the mobile device transmits the login credentials to a server for authentication ([0031]), which meets the limitation of wherein said login request is initiated via a first client device. Upon authentication, the authentication server transmits an authentication token to the mobile device ([0037]-[0038]) such that the mobile device sends the authentication token and the id of a second device to the authentication server ([0046]) such that the authentication server transfers the authentication session to the second device corresponding to the identifier ([0047]-[0050]) and allows for the second device to access network services ([0062]), which meets the limitation of said service parameter is electronically communicated for accessing said protected resource via a second client device. The second device can communicate a cookie to the mobile device to indicate that the second device is logged in ([0054]: client device 130 transmits the token to the user 110 [0054] and user 110 is utilizing mobile device 120 [0037]. Therefore, device 130 transmits token to device 120 which means device 130 and device 120 are communicatively coupled), which meets the limitation of a second device communicatively coupled with said first device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the user network device of Ganesan to have transferred its active authentication session to a second device such that the second device is granted authenticated access to services in order to provide advanced login mechanisms to devices that do not natively support such login mechanisms as suggested by Beiter ([0013]).
Referring to claims 13, 24, 32, Ganesan, as modified in view of Hansen above, does not disclose that the authenticated service access is performed on a second device. Beiter discloses an authenticated session transfer system wherein a user provides login credentials at a mobile device such that the mobile device transmits the login credentials to a server for authentication ([0031]). Upon authentication, the authentication server transmits an authentication token to the mobile device ([0037]-[0038]) such that the mobile device sends the authentication token and the id of a second device to the authentication server ([0046]) such that the authentication server transfers the authentication session to the second device corresponding to the identifier ([0047]-[0050]) and allows for the second device to access network services ([0062]), which meets the limitation of wherein said protected resource is accessed via electronically transferring an authenticated session for said login request from said second client device to said first client device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the user network device to have transferred its active authentication session to a second device such that the second device is granted authenticated access to services in order to provide advanced login mechanisms to devices that do not natively support such login mechanisms as suggested by Beiter ([0013]).
Claims 14-17, 25, 33 are rejected under 35 U.S.C. 103 as being unpatentable over Ganesan, U.S. Publication No. 2007/0033642, in view of Chen, U.S. Publication No. 2009/0100530. Referring to claims 14, 16, 17, 25, 33, Ganesan discloses that once the protected tunnel is established, the authenticating entity network transmits a request to the user network device for a one time password ([0139]-[0140]) such that the user network device determines the one time password from an OTP token ([0141]). 
Ganesan does not disclose that authentication is performed in order to access the OTP token. Chen discloses a device that includes a signing program (Figure 1C, 116 & [0037]: signing unit can be code) and a verification program (Figure 1C, 118 & [0039]: verification unit can be code) such that the signing functionality digitally signs a random number along with GPS location information of the device ([0037]: digital signature is created using a signing key which would read on the claimed program credential) and the verification functionality performs verification of the digitally signed location information as part of an authentication process ([0039] & [0041]), which meets the limitation of wherein said electronic authentication process is based, at least in part, on a program credential for authenticating a first client program to a second client program, said program credential is used, at least in part, by said first client program to digitally sign a service location. The signing program and the verification program are separate programs (Figure 1C, 116 & 118 & [0037] & [0039]), which meets the limitation of wherein said first client program and said second client program comprise separate client programs. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the access to the OTP token of Ganesan to have required an authentication, in the manner described in Chen, in order to provide authorized access to the OTP token as suggested by Chen ([0019]).
Referring to claim 15, Ganesan discloses that the user network device browser includes ID Tool functionality ([0108]: browser invokes ID Tool) that performs digital signature functionality ([0137]: ID Tool signs R0:R1), which meets the limitation of wherein said [first] client program comprises a browser.
Ganesan does not disclose that the browser/ID tool is utilized to perform digital signing as part of an authentication to access the OTP token. Chen discloses a device that includes a signing program (Figure 1C, 116 & [0037]: signing unit can be code) and a verification program (Figure 1C, 118 & [0039]: verification unit can be code) such that the signing functionality digitally signs a random number along with GPS location information of the device ([0037]) and the verification functionality performs verification of the digitally signed location information as part of an authentication process ([0039] & [0041]: verification program would be considered the claimed second client program comprising an authenticator), which meets the limitation of wherein said first client program [comprises a browser], and second client program comprises an authenticator. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the access to the OTP token of Ganesan to have required an authentication, in the manner described in Chen, in order to provide authorized access to the OTP token as suggested by Chen ([0019]).
Additionally, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the browser/ID tool of Ganesan to have performed the digital signing functionality of the signing program in Chen, because Ganesan discloses that the ID tool already performs digital signing functionality (Ganesan: [0137]), and one of ordinary skill in the art could implement such a modification with a reasonable expectation of success. As modified above, the browser/ID tool combination of Ganesan would perform the digital signing function of the signing program of Chen and would therefore meet the limitation of said first client program comprises a browser.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Dotan, U.S. Patent No. 9,516,059, discloses a phishing prevention system that performs authentication procedures in response to received login requests.
Kane-Parry, U.S. Patent No. 9,838,384, discloses a password-based fraud detection system that performs authentication procedures in response to received login requests while detecting compromised credentials for activities such as phishing.
Alonso Cebrian, U.S. Patent No. 10,063,543, discloses preventing attacks against user authentication wherein login requests are received such that the received login requests are checked against potential attacks, such as phishing, and performs authentication in view of the received login requests when no attack is detected.
Mahaffey, U.S. Publication No. 2014/0189808, discloses a phishing prevention system that performs authentication procedures in response to received login requests.
Zhang, U.S. Publication No. 2014/0033286, discloses a phishing prevention system that performs authentication procedures in response to received login requests.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805.  The examiner can normally be reached on M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 5712724063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BENJAMIN E LANIER/          Primary Examiner, Art Unit 2437