DETAILED ACTION
This office action is in response to the correspondence filed 06/30/2020. Claims 1-20 are pending and are examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
This application discloses and claims only subject matter disclosed in prior Application No. 15660278, filed 07/26/2017, and names the inventor or at least one joint inventor named in the prior application. Accordingly, this application may constitute a continuation or division. Should applicant desire to claim the benefit of the filing date of the prior application, attention is directed to 35 U.S.C. 120, 37 CFR 1.78, and MPEP § 211 et seq.


Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 09/10/2020.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 10735407 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the instant application are essentially the same while slightly broader in scope than the ones in the issued patent. The instant application has the basic elements of temporary password management while the issued patent has the additional user approval for the local device instead of the local device obtaining the temporary password from the user device as seen in the example below in claim 1 of the instant application and claim 1 of the issued patent.

Instant Application:
1. (Currently Amended) A computer-implemented method of passwords management, the method comprising:
obtaining, by a password management entity, a request to login a local device into an authentication authority;
generating, by the password management entity, a temporary password;

sending, by the password management entity, the temporary password to a user device;
obtaining, at the local device, the temporary password from the user device;
obtaining, at the authentication authority, the temporary password from the local device;
comparing, by the authentication authority, the temporary password obtained from the local device with the temporary password obtained from the password management entity; and
authorizing the login if a match is found.

U.S. Patent No. 10735407 B2:
obtaining, by a password management entity, a request to login into a local device;
sending, by the password management entity, a notification to a user device;
obtaining, by the password management entity, a notification approval from the user device;

sending, by the password management entity, the temporary password to the authentication authority;
sending, by the password management entity, the temporary password to the local device;
sending, by the local device, the temporary password obtained from the password management entity to the authentication authority;
obtaining, at the authentication authority, the temporary password from the local device;
comparing, by the authentication authority, the temporary password obtained from the local device with the temporary password obtained from the password management entity; and
.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 10-11, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Connor (US Pub No. 8,528,062 B1, referred to as Connor) in view of Sundararajan et al. (US Pub No. 2005/0015604 A1, referred to as Sundararajan).
Regarding claims 1 and 11, taking claim 1 as exemplary, Connor discloses,
1. (Currently Amended) A computer-implemented method of passwords management, the method comprising:
obtaining, by a password management entity, a request to login a local device into an authentication authority; (Connor: Fig. 4; Coln. 8, ls. 59-65; buyer/users with a system to be protected 
generating, by the password management entity, a temporary password; (Connor: Fig. 4; Coln. 8, ls. 59-65; the website provides a temporary password (it needs to generate first then send).)
sending, by the password management entity, the temporary password to the authentication authority; (Connor: Fig. 4; Coln. 8, ls. 65-67; the website sends the temporary password to the secure cloud server)
…
obtaining, at the authentication authority, the temporary password from the local device; (Connor: Fig. 4; Coln. 9, ls. 1-3; the authorized administrator of the user’s system connects to the secure cloud server using the provided temporary password.) 
comparing, by the authentication authority, the temporary password obtained from the local device with the temporary password obtained from the password management entity; and (Connor: Fig. 4; Coln. 9, ls. 3-11; the secure cloud server compares the temporary password obtained from the user’s system with the temporary password it gets from the website.)
authorizing the login if a match is found. (Connor: Fig. 4; Coln. 9, ls. 21-25; if the logon to the secure server is successful (including that the password matches), the system is authorized.)
Connor does not explicitly disclose, however Sundararajan teaches,
sending, by the password management entity, the temporary password to a user device; (Sundararajan: Fig. 1; [0012]; random password generator (password management entity) sends a temporary password to a peripheral device (user device).)
obtaining, at the local device, the temporary password from the user device; (Sundararajan: [0012]; the user obtains the temporary password from the peripheral device (user device) and enters the password at the un-trusted public access computing system (local device).)

Regarding the non-exemplary limitations of claim 11, Sundararajan discloses:
	A memory and a processor in Sundararajan: [0017].
	

	
Regarding claims 10 and 20, taking claim 10 as exemplary, the combination of Connor and Sundararajan discloses, 
10. (Original) The method of claim 1, further comprising:
Connor further discloses,
storing the temporary password on the local device. (Connor: Coln. 9, ls. 1-3; the system uses the provided temporary password to connect to the secure cloud server (temporary password was stored in some type of medium))



Claims 2-3, and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Connor in view of Sundararajan, further in view of Begen et al. (US Pub No. 8,201,217 B1, referred to as Begen).
Regarding claims 2 and 12, taking claim 2 as exemplary, the combination of Connor and Sundararajan discloses,
2. (Original) The method of claim 1, further comprising:
Connor does not explicitly disclose, however Begen teaches,
generating two values, TP1 and TP2, based on the temporary password, wherein the temporary password can be determined based on the values TP1 and TP2. (Begen: Coln. 13, Table with field and definition; prior passwords or temporary passwords can be generated with two values.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Begen into the combination of Connor and Sundararajan with a motivation to enable user access between a client and a bridge server and increase security of password hash by combining pseudo random value with password information (Begen abstract and Coln. 13, Table with field and definition).


Regarding claims 3 and 13, taking claim 3 as exemplary, the combination of Connor, Sundararajan and Begen discloses,
3. (Original) The method of claim 2, further comprising:
Connor further discloses,
sending, by the password management entity, TP1 to the user device over a first secured communication channel; and (Connor: Coln. 1, ls. 62-66; protected server in the cloud could be in a secured private network. Also, see Begen: Coln. 6, l. 67, Coln. 7, ls. 1-3; communications between a client and a bridge server are encrypted. (i.e. it is obvious to send password related information in secured communication channels).)
sending, by the password management entity, TP2 to the user device over a second secured communication channel. (Connor: Coln. 1, ls. 62-66; protected server in the cloud could be in a secured private network. Also, see Begen: Coln. 6, l. 67, Coln. 7, ls. 1-3; communications between a client and a bridge server are encrypted. (i.e. it is obvious to send password related information in secured communication channels).)


Claims 4-6, 14, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Connor in view of Sundararajan, further in view of Begen, and further in view of Grajek et al. (US Pub No. 2015/0237038 A1, referred to as Grajek).
Regarding claims 4 and 14, taking claim 4 as exemplary, the combination of Connor, Sundararajan and Begen discloses,
4. (Original) The method of claim 3, further comprising:
Connor does not explicitly disclose, however Begen teaches,
combining TP1 and TP2 by the user device to arrive at the temporary password; and (Begen: Coln. 13, Table with field and definition; prior passwords or temporary passwords can be generated with a combination of two values.)
The same motivation that was utilized for combining Connor and Begen as set forth in claim 2 is equally applicable to claim 4.
Connor does not explicitly disclose, however Grajek teaches,
sending the temporary password from the user device to the local device using an out-of-band channel. (Grajek: [0096]; the authentication system directly or indirectly communicates with the user and delivers the one-time password in an out-of-band channel.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Grajek into the combination of Connor, Sundararajan and Begen with a motivation to conduct a one-time password authentication by delivering a one-time password to a user (Grajek abstract).


Regarding claims 5 and 17, taking claim 5 as exemplary, the combination of Connor, Sundararajan and Begen discloses,
5. (Currently Amended) The method of claim 2, further comprising:
Connor further discloses,
sending, by the password management entity, TP1 to the user device over a first secured communication channel; (Connor: Coln. 1, ls. 62-66; protected server in the cloud could be in a secured private network. Also, see Begen: Coln. 6, l. 67, Coln. 7, ls. 1-3; communications between a client and a bridge server are encrypted. (i.e. it is obvious to send password related information in secured communication channels).)
sending, by the password management entity, TP2 to the local device over a second secured communication channel; (Connor: Coln. 1, ls. 62-66; protected server in the cloud could be in a secured private network. Also, see Begen: Coln. 6, l. 67, Coln. 7, ls. 1-3; communications between a client and a bridge server are encrypted. (i.e. it is obvious to send password related information in secured communication channels).)
Connor does not explicitly disclose, however Begen teaches,
…
combining TP1 and TP2 by the local device to arrive at the temporary password. (Begen: Coln. 13, Table with field and definition; prior passwords or temporary passwords can be generated with a combination of two values.)
The same motivation that was utilized for combining Connor and Begen as set forth in claim 2 is equally applicable to claim 5.
Connor does not explicitly disclose, however Grajek teaches,
sending the TP1 from the user device to the local device using out-of-band channel (Grajek: [0096]; the authentication system directly or indirectly communicates with the user and deliver the one-
The same motivation that was utilized for combining Connor, Sundararajan, Begen and Grajek as set forth in claim 4 is equally applicable to claim 5.


Regarding claims 6 and 18, taking claim 6 as exemplary, the combination of Connor, Sundararajan and Begen discloses,
6. (Original) The method of claim 2, further comprising:
Connor further discloses,
sending, by password management entity, TP1 to authentication authority over a first secured communication channel; (Connor: Coln. 1, ls. 62-66; protected server in the cloud could be in a secured private network. Also, see Begen: Coln. 6, l. 67, Coln. 7, ls. 1-3; communications between a client and a bridge server are encrypted. (i.e. it is obvious to send password related information in secured communication channels).)
sending, by password management entity, TP2 to the authentication authority over a second secured communication channel; and (Connor: Coln. 1, ls. 62-66; protected server in the cloud could be in a secured private network. Also, see Begen: Coln. 6, l. 67, Coln. 7, ls. 1-3; communications between a client and a bridge server are encrypted. (i.e. it is obvious to send password related information in secured communication channels).)
Connor does not explicitly disclose, however Begen teaches,
combining TP1 and TP2 by the authentication authority to arrive at the temporary password. (Begen: Coln. 13, Table with field and definition; prior passwords or temporary passwords can be generated with a combination of two values.)
.


Claims 7 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Connor in view of Sundararajan, further in view of Thackston (US Pub No. 2008/0071674 A1, referred to as Thackston).
Regarding claims 7 and 19, taking claim 7 as exemplary, the combination of Connor and Sundararajan discloses,
7. (Original) The method of claim 1, further comprising:
Connor does not explicitly disclose, however Thackston teaches,
deleting the temporary password from the authentication authority after comparing (Thackston: [00148]; a temporary password is typically discarded after it is used).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Thackston into the teachings of Connor and Sundararajan with a motivation to provide on-line commerce operations including payment transaction by providing a temporary password to a customer (Thackston abstract and [0148]).




Allowable Subject Matter
Claims 8-9, and 15-16 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

At the effective filing date of the application, the above limitations would not have been obvious over the prior art of record.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The listed references disclose relevant inventions of using a separate device to facilitate authentication and authentication using different communication channels.
Smith; Fred Hewitt et al. (US 20140157392 A1) 
Revell; Elise (US 20180063131 A1) 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571)272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435