DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.  This is in response to the communications filed on 19 September 2019.
2.  Claims 1-13 are pending in the application.
3.  Claims 1-13 have been rejected.
Information Disclosure Statement
4.  The examiner has considered the information disclosure statement (IDS) filed on 21 June 2019.
Specification
5.  The abstract of the disclosure does not commence on a separate sheet in accordance with 37 CFR 1.52(b)(4) and 1.72(b). A new abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text.
6.  The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


7.  Claim 9 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which 
Claim 9 recites the limitation "the plurality of shared items of information" in the claim.  There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
8.  Claims 1, 7, 10, 12 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schechter et al US 2013/0212385 A1 (hereinafter Schechter) in view of Fowler US 2005/0278538 A1.

hashing, at a hashing module of a server, a first item of information provided by a first user with a salt to produce a first hashed output (i.e. performing a hash over the concatenation of the password, the salt and the key) [0042]; 
storing, by the server, the salt and the first hashed output in a data object (i.e. retaining the values) [0042]; 
receiving, by the server from the second user, a second item of information (i.e. a client sets forth a username and password) [0044]; 
retrieving, by the hashing module, the stored salt from the data object (i.e. salt corresponding to the username and a first hash) [0044]; 
hashing, by the hashing module, the second item of information received from the second user with the retrieved salt to produce a second hashed output (i.e. generate a concatenation of the password, salt and the key to generate a second hash) [0044]; 
comparing, at a hash comparison module of the server, the first hashed output with the second hashed output (i.e. comparing the first and second hash) [0044]; and 
determining, by the hash comparison module, whether the first and second hashed outputs are the same, thereby determining whether the first and second items of information are the same (i.e. the authentication output is indicative of a difference between the first hash value and the second hash value) [0044]. 

Fowler teaches generating, by a reference code module at the server, a reference code and storing it in the data object (i.e. a session index value) [0040].  Fowler teaches providing, by the server, the reference code to a second user (i.e. sending index to client) [0041].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Schechter so that a reference code would have been generated, by a reference code module at the server, and stored in the data object.  The server would have provided the reference code to a second user.  The second user would have received from the server a second item of information and the reference code.  The hashing module would have retrieved, with reference to the reference code, the stored salt from the data object.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Schechter by the teaching of Fowler because it helps prevent credentials from being exposed to eavesdroppers [0004].
As to claim 7, Schechter teaches a method of authentication as claimed in claim 1, wherein the server is remote from the first and second users (i.e. the server is separated from the client) [figures 3 and 4].
As to claim 10, Schechter teaches a method of authentication as claimed in claim 1, wherein the salt is randomly generated by a salt generation module (i.e. server generates random salt) [0028]. 
As to claim 12, Schechter discloses a system of authentication comprising: 
a first user device (i.e. client devices) [0025-0026]; 
a second user device, in communication with the first user device (i.e. client devices) [0025-0026]; and 
a server, in communication with the first and second user devices via a network (i.e. authentication server) [0026], comprising a hashing module, a reference code module and a hash comparison module, wherein the first user device (i.e. through the protected module) [0026], the second user device and the server are configured to perform the method steps of: 
hashing, at the hashing module, a first item of information provided by the first user device with a salt to produce a first hashed output (i.e. performing a hash over the concatenation of the password, the salt and the key) [0042]; 
storing, by the server, the salt and the first hashed output in a data object (i.e. retaining the values) [0042]; 

retrieving, by the hashing module, the stored salt from the data object (i.e. salt corresponding to the username and a first hash) [0044]; 
hashing, by the hashing module, the second item of information received from the second user with the retrieved salt to produce a second hashed output (i.e. generate a concatenation of the password, salt and the key to generate a second hash) [0044]; 
comparing, at the hash comparison module, the first hashed output with the second hashed output (i.e. comparing the first and second hash) [0044]; and 
determining, by the hash comparison module, whether the first and second hashed outputs are the same, thereby determining whether the first and second items of information are the same (i.e. the authentication output is indicative of a difference between the first hash value and the second hash value) [0044]. 
Schechter does not teach generating, by the reference code module, a reference code and storing it in the data object.  Schechter does not teach providing, by the server and via the first user device, the reference code to the second user device.  Schechter does not teach sending, by the second user device to the server, a second item of information and the reference code.  Schechter does not teach retrieving, by the hashing module, and with reference to the reference code the stored salt from the data object.
Fowler teaches generating, by the reference code module, a reference code and storing it in the data object (i.e. a session index value) [0040].  Fowler teaches providing, by the server and via the first user device, the reference code to the second user device (i.e. sending index to client) [0041].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Schechter so that a reference code would have been generated, by the reference code module, and stored in the data object.  The server would have provided, via the first user device, the reference code to the second user device.  The second user device would have sent to the server a second item of information and the reference code.  The hashing module would have retrieved, with reference to the reference code, the stored salt from the data object.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Schechter by the teaching of Fowler because it helps prevent credentials from being exposed to eavesdroppers [0004].
As to claim 13, Schechter discloses an authentication server storing instructions that, when executed, cause the server to perform the steps of: 

storing the salt and the first hashed output in a data object (i.e. retaining the values) [0042]; 
receiving, from the second user, a second item of information (i.e. a client sets forth a username and password) [0044]; 
retrieving the stored salt from the data object (i.e. salt corresponding to the username and a first hash) [0044]; 
hashing the second item of information with the retrieved salt to produce a second hashed output (i.e. generate a concatenation of the password, salt and the key to generate a second hash) [0044]; 
comparing the first hashed output with the second hashed output (i.e. comparing the first and second hash) [0044]; and 
determining whether the first and second hashed outputs are the same, thereby determining whether the first and second items of information are the same (i.e. the authentication output is indicative of a difference between the first hash value and the second hash value) [0044]. 
	Schechter does not teach generating a reference code and storing it in the data object.  Schechter does not teach providing the reference code to a second user.  Schechter does not teach receiving, from the second user, a second item of information and the reference code.  Schechter does not teach retrieving, with reference to the reference code, the stored salt from the data object.
	Fowler teaches generating a reference code and storing it in the data object (i.e. a session index value) [0040].  Fowler teaches providing the reference code to a second user (i.e. sending index to client) [0041].
	Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Schechter so that a reference code would have been generated and stored in the data object.  The reference code would have been provided to a second user.  A second item of information and the reference code would have been received from the second user.  The stored salt would have been retrieved from the data object with reference to the reference code.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Schechter by the teaching of Fowler because it helps prevent credentials from being exposed to eavesdroppers [0004].
9.  Claims 2 and 3 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schechter et al US 2013/0212385 A1 (hereinafter Schechter) and Fowler US 2005/0278538 A1 as applied to claim 1 above, and further in view of Takahashi et al US 2008/0082817 A1 (hereinafter Takahashi).
As to claim 2, the Schechter-Fowler combination does not teach a method of authentication as claimed in claim 1, further comprising, before the first hashing step: sharing a plurality of items of information between the first user and the second user, wherein the first item of information is one of the plurality of shared items of information. 
Takahashi teaches before the first hashing step: sharing a plurality of items of information between the first user and the second user (i.e. plurality of secret fragments) [0015], wherein the first item of information is one of the plurality of shared items of information (i.e. a fragment) [0063].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination so that before the first hashing step: a plurality of items of information would have been shared between the first user and the second user, wherein the first item of information would have been one of the plurality of shared items of information.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination by the teaching of Takahashi because it helps prevent leakage of user secret data [0013].
As to claim 3, the Schechter-Fowler combination does not teach a method of authentication as claimed in claim 2, wherein the first item of information is a part of one of the plurality of the shared items of information. 
Takahashi teaches that the first item of information is a part of one of the plurality of the shared items of information (i.e. a fragment) [0063]. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination so that the first item of information would have been a part of one of the plurality of the shared items of information. 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination by the teaching of Takahashi because it helps prevent leakage of user secret data [0013].
10.  Claim 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schechter et al US 2013/0212385 A1 (hereinafter Schechter), Fowler US 2005/0278538 A1 and Takahashi et al US 2008/0082817 A1 (hereinafter Takahashi) as applied to claim 2 above, and further in view of Munshi et al US 2016/0308840 A1 (hereinafter Munshi).
As to claim 4, the Schechter-Fowler-Takahashi combination does not teach a method of authentication as claimed in claim 2, further comprising, before the first hashing step: selecting, by one or both of the first and second users, the first item of the plurality of items to be provided by the first and second users. 
Munshi teaches before the first hashing step: selecting, by one or both of the first and second users, the first item of the plurality of items to be provided by the first and second users (i.e. user selects from a list of passcodes to pick one to share) [0170]. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler-Takahashi combination so that, before the first hashing step, one or both of the first and second users would have selected the first item of the plurality of items to be provided by the first and second users. 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler-Takahashi combination by the teaching of Munshi because it helps provide encryption options [0010].
11.  Claim 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schechter et al US 2013/0212385 A1 (hereinafter Schechter) and Fowler US 2005/0278538 A1 as applied to claim 1 above, and further in view of Koskimies et al US 2018/0278623 A1 (hereinafter Koskimies).
As to claim 5, the Schechter-Fowler combination does not teach a method of authentication as claimed in claim 1, wherein the reference code is a shortened form of the first hashed output. 
Koskimies teaches that the reference code is a shortened form of the first hashed output (i.e. shortened truncated hash value) [0057]. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination so that the reference code would have been a shortened form of the first hashed output. 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination by the teaching of Koskimies because it helps free some more bits for message content [0057].
12.  Claim 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schechter et al US 2013/0212385 A1 (hereinafter Schechter) and Fowler US 2005/0278538 A1 as applied to claim 1 above, and further in view of Mani US 2011/0041166 A1.
As to claim 6, the Schechter-Fowler combination does not teach a method of authentication as claimed in claim 1, wherein the first item is sent to the hashing module via an application or a website. 
Mani teaches that the first item is sent to the hashing module via an application or a website (i.e. via a client application) [0008]. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination so that the first item would have been sent to the hashing module via an application or a website. 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination by the teaching of Mani because it avoids drawbacks of not keeping credentials on the servers [0010].
13.  Claim 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schechter et al US 2013/0212385 A1 (hereinafter Schechter) and Fowler US 2005/0278538 A1 as applied to claim 1 above, and further in view of Flynn US 2018/0157725 A1.
As to claim 8, the Schechter-Fowler combination does not teach a method of authentication as claimed in claim 1, wherein one or more of the hashing module, the hashing comparison module and the reference code module are located at a customer device. 
Flynn teaches that one or more of the hashing module, the hashing comparison module and the reference code module are located at a customer device (i.e. hashing module at customer device) [0027].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination so that one or more of the hashing module, the hashing comparison module and the reference code module were located at a customer device.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination by the teaching of Flynn because it avoids requiring a significant amount of processing power from the server [0001].
14.  Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schechter et al US 2013/0212385 A1 (hereinafter Schechter) and Fowler US 2005/0278538 A1 as applied to claim 1 above, and further in view of Wheeler et al US 2003/0014372 A1 (hereinafter Wheeler).
As to claim 9, the Schechter-Fowler combination does not teach a method of authentication as claimed in claim 1, wherein the plurality of shared items of information are two or more of: a date of birth, a mother's maiden name, a whole or part of an address, a school, a bank account number, a credit/debit card number, a personal identification number and a password. 
Wheeler teaches that the plurality of shared items of information are two or more of: a date of birth, a mother's maiden name, a whole or part of an address, a school, a bank account number, a credit/debit card number, a personal identification number and a password (i.e. two different shared secrets such as zip code and mother’s maiden name) [0009]. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination so that the plurality of shared items of information are two or more of: a date of birth, a mother's maiden name, a whole or part of an address, a school, a bank account number, a credit/debit card number, a personal identification number and a password. 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination by the teaching of Wheeler because by requiring more than one secret item it provides additional security [0009].
15.  Claim 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schechter et al US 2013/0212385 A1 (hereinafter Schechter) in view of Fowler US 2005/0278538 A1 and Wheeler et al US 2003/0014372 A1 (hereinafter Wheeler).
As to claim 11, Schechter discloses a method of authentication, comprising: 
hashing, at the hashing module, the first secret with a randomly generated salt to form a first hashed output (i.e. performing a hash over the concatenation of the password, the salt and the key) [0042]; 
storing, in a data object at a data object store, the salt and the first hashed output (i.e. retaining the values) [0042]; 
receiving, at the hashing module and from the second user, the first shared secret (i.e. a client sets forth a username and password) [0044]; 
retrieving, from the data object, the salt (i.e. salt corresponding to the username and a first hash) [0044]; 
sending, to the hashing module by the data object store, the salt [0044]; 
hashing, by the hashing module, the first shared secret received from the second user with the salt to form a second hashed output (i.e. generate a concatenation of the password, salt and the key to generate a second hash) [0044]; 
receiving, at a hash comparison module, the first hashed output from the data object store and the second hashed output from the hashing module [0044]; 
comparing, by the hash comparison module, the first hashed output with the second hashed output (i.e. comparing the first and second hash) [0044]; 
determining, by the hash comparison module, whether the first and second hashed outputs are identical (i.e. the authentication output is indicative of a difference between the first hash value and the second hash value) [0044]; and 
sending, by the hash comparison module, to one or both of the first and second users, a statement relating to the comparison [0044]. 
Schechter does not teach sharing, between a first user and a second user, one or more secrets.  Schechter does not teach receiving, at a hashing module and from the first user, a first secret of the shared secrets.  Schechter does not teach creating, by a reference module, a reference code relating to the salt and the first hashed output.
Schechter does not teach storing, in a data object at a data object store, the reference code, the salt and the first hashed output.  Schechter does not teach sending, from the data object store to the first user, the reference code.  Schechter does not teach sending, by the first user to the second user, the reference code.  Schechter does not teach receiving, at the hashing module and from the second user, the first shared secret and the reference code.  Schechter does not teach retrieving, from the data object and based on the reference code, the salt.
Wheeler teaches sharing, between a first user and a second user, one or more secrets (i.e. two different shared secrets) [0009].  Fowler teaches creating, by a reference module, a reference code [0040].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Schechter-Fowler combination so that one or more secrets would have been shared between a first user and a second user.  A first secret of the shared secrets would have been received at a hashing module from the first user.  A reference code relating to the salt and the first hashed output would have been created by a reference module.  The reference code, the salt and the first hashed output would have been stored in a data object at a data object store.  The reference code would have been sent from the data object store to the first user.  The reference code would have been sent by the first user to the second user.  The first shared secret and the reference code would have been received at the hashing module from the second user.  The salt would have been retrieved from the data object based on the reference code.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Schechter by the teaching of Fowler because it helps prevent credentials from being exposed to eavesdroppers [0004].
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Schechter by the teaching of Wheeler because by requiring more than one secret item it provides additional security [0009].
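The flow that the rejections of claims 1 and 11 map onto the references (hash a first item with a random salt, store salt and hash under a reference code, then use that code to retrieve the salt, hash the second user's item and compare), as an added example that is not part of this Office action or of any cited reference. The class name, the use of PBKDF2-HMAC-SHA256, the input normalisation and the attempt limit are assumptions; the action names no hash function.

```python
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ITERATIONS = 200_000  # assumed work factor; not taken from the Office action
MAX_ATTEMPTS = 3             # assumed limit: items such as a date of birth are guessable


def normalise(item: str) -> bytes:
    """Canonicalise free-text input so both users' spellings hash alike (assumption)."""
    return unicodedata.normalize("NFKC", item).strip().casefold().encode("utf-8")


class AuthServer:
    """Hypothetical server holding the hashing, reference code and comparison modules."""

    def __init__(self):
        # Data object store: reference code -> salt, first hashed output, attempts left.
        self._objects = {}

    def _hash(self, item: str, salt: bytes) -> bytes:
        # Hashing module: salted, deliberately slow hash of the submitted item.
        return hashlib.pbkdf2_hmac("sha256", normalise(item), salt, PBKDF2_ITERATIONS)

    def enrol(self, first_item: str) -> str:
        """First user submits an item; returns the reference code to hand to the second user."""
        salt = secrets.token_bytes(16)             # randomly generated salt (claim 10)
        reference_code = secrets.token_urlsafe(9)  # random lookup handle, not itself a secret
        self._objects[reference_code] = {
            "salt": salt,
            "hash": self._hash(first_item, salt),
            "attempts_left": MAX_ATTEMPTS,
        }
        return reference_code

    def verify(self, reference_code: str, second_item: str) -> str:
        """Second user submits item and reference code; returns the comparison statement."""
        obj = self._objects.get(reference_code)
        if obj is None:
            return "unknown-reference"
        if obj["attempts_left"] <= 0:
            return "locked"  # stops online guessing of a low-entropy shared item
        obj["attempts_left"] -= 1
        # The salt is retrieved with reference to the reference code, then reused.
        second_hash = self._hash(second_item, obj["salt"])
        # Comparison module: constant-time equality check on the two hashed outputs.
        if hmac.compare_digest(obj["hash"], second_hash):
            return "match"
        return "no-match"


if __name__ == "__main__":
    server = AuthServer()
    code = server.enrol("Smith ")        # constructed sample input from the first user
    print(server.verify(code, "smith"))  # second user supplies item and reference code
```

The server never stores the shared item itself, only the salt and the first hashed output, and the only thing it reports back is the comparison statement.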
Relevant Prior Art
16.  The following references have been considered relevant by the examiner:
A.  Morris US 2017/0237568 A1 directed to the secure identification, authentication, protection and transfer of personal and computing device identifying information between computing devices [abstract].
B.  Arnold et al US 2017/0063831 A1 directed to authenticating a user having a username and password and authenticating access to the user’s information [abstract].
C.  Aissi et al US 2007/0005966 A1 directed to allowing two electronic devices to derive a shared keystream from a shared secret [abstract].
Conclusion
17.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARAVIND K MOORTHY whose telephone number is (571)272-3793.  The examiner can normally be reached on M-F 7:30-7:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/ARAVIND K MOORTHY/            Primary Examiner, Art Unit 2492