Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
This action is in response to the communication filed on 08/16/2019.
Claims 1-12 are under examination.
The Information Disclosure Statements filed on 08/16/2019 has been entered and considered.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  

Claim Objections
Claim 2 is objected to because of the following informalities:  Claim 2 recites “dividedting”.  Appropriate correction is required.

Allowable Subject Matter
Claims 6 and 10 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Redberg (US 20170279795 A1), Sama (US 8,572,684 B1) and Gibson et al. (US 8,832,788 B1).
Regarding claim 1, Redberg discloses An authentication processing method performed in a service server implemented as a computer, the method comprising steps of: (1) receiving a service subscription request, comprising user identification (ID) information and device information of a first electronic device, from the first electronic device [par. 0066, “As shown in FIG. 3, a client device 302 can send an access request along with a first set of user credentials to an application server 304. Application server 304 can determine access attributes associated with the access request, and validate the first set of user credentials. Application server 304 can then send at least a part of the user credentials (e.g., the user identifier) along with or without the access attributes to an authentication server 306, which can in turn, generate a first OTP”, par. 0042, “when an access request is received by application server 106 from computing device 102, application server 106 can challenge the user of computing device 102 to enter user credentials, for example, a username and a password… Non-limiting examples of access attributes include a time associated with the access request, a device identifier… ”]; (2) receiving a one-time password (OTP) from an authentication server by requesting the OTP in response to the service subscription request [par. 0066, “Application server 304 can then send at least a part of the user credentials (e.g., the user identifier) along with or without the access attributes to an authentication server 306, which can in turn, generate a first OTP to be associated with the user identifier”].
Redberg does not explicitly disclose the service server receiving the one-time password, wherein a first divided OTP and second divided OTP divided from the OTP are received; storing the first divided OTP along with the user ID information and the device information in response to the service subscription request.
However Sama teaches the service server receiving the one-time password, wherein a first divided OTP and second divided OTP divided from the OTP are received; storing the first divided OTP along with the user ID information and the device information in response to the service subscription request [col. 6, lines 32-35, “in a case where an authentication server generates multiple OTPs or passwords for a user where all of the OTPs/passwords are active, the identifier may be included in the generated password”, col. 8, lines 23-25, “service provider 140 may include authentication server 130, such that service provider 140 is operable to perform authentication of user 120 as discussed herein”, col. 10, lines 13-15, “the OTP may be separated into two or more portions, such as OTP_A 322 and OTP_B 324”, col. 6, lines 24-31, “A table may be stored at an authentication server that authenticates a user of one or more of the devices, where the OTP elements of the table may be static or dynamically generated (e.g., generated in response to each authentication request received from a user)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Sama into the teaching of Redberg with the motivation for using multiple one-time passwords (OTPs) to authenticate a user to access goods or services provided by a single service provider as taught by Sama [Sama: abs.].
They do not explicitly disclose transmitting the second divided OTP to the first electronic device; and transmitting the second divided OTP, received from the first electronic device, to the authentication server along with the first divided OTP with respect to a service requiring authentication for the user ID information, and performing authentication processing.
However, Gibson et al. teaches transmitting the second divided OTP to the first electronic device [col. 6, lines 34-54, “The password sub-module 215 can generate one-time passwords (OTP) for the number of trusted associates… The password sub-module 215 can deliver an OTP to a target user”]; and transmitting the second divided OTP, received from the first electronic device, to the authentication server along with the first divided OTP with respect to a service requiring authentication for the user ID information, and performing authentication processing [col. 6, line 55-col. 7, line 2, “The password sub-module 215 can store password data 257 in the data store 250. Subsequently, a target user can provide the OTPs to the password sub-module 215 and the password sub-module 215 can validate the OTPs received from the target user using the password data 255 stored in the data store 250. The password data 255 can be used to determine whether the received OTPs are valid such that a target user can continue with a desired action (e.g., reset a password, replace a lost secure identification key, replace a mobile phone number being used for second factor authentication, access data, and perform an action, such as a system administrator action (e.g., shut down servers)). The password data 257 can include copies of the distributed OTPs, algorithms used to generates the OTPs, and algorithms used to combine the distributed OTPs to form an authentication password”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Gibson et al. into the teaching of Redberg and Sama with the motivation of using one-time passwords from user and trusted associates combined to form an authentication password used to determine whether the user is allowed to perform an action as taught by Gibson et al. [Gibson et al.: col. 2, lines 1-8].
Regarding claim 2, the rejection of claim 1 is incorporated.
Gibson et al. further discloses dividedting, by the authentication server, the OTP generated by an OTP server into the first divided OTP and the second divided OTP in response to a request from the authentication server, and receiving the first divided OTP and the second divided OTP from the authentication server [col. 6, lines 34-54, “The password sub-module 215 can generate one-time passwords (OTP) for the number of trusted associates… The password sub-module 215 can deliver an OTP to a target user”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Gibson et al. into the teaching of Redberg and Sama with the motivation of using one-time passwords from user and [Gibson et al.: col. 2, lines 1-8].
Regarding claim 3, the rejection of claim 1 is incorporated.
Sama further discloses storing the first divided OTP, the user ID information, and the device information in a first database (DB) included in the service server or connected to the service server by matching the first divided OTP up with the user ID information and the device information [col. 6, lines 32-35, “in a case where an authentication server generates multiple OTPs or passwords for a user where all of the OTPs/passwords are active, the identifier may be included in the generated password”, col. 8, lines 23-25, “service provider 140 may include authentication server 130, such that service provider 140 is operable to perform authentication of user 120 as discussed herein”, col. 10, lines 13-15, “the OTP may be separated into two or more portions, such as OTP_A 322 and OTP_B 324”, col. 6, lines 24-31, “A table may be stored at an authentication server that authenticates a user of one or more of the devices, where the OTP elements of the table may be static or dynamically generated (e.g., generated in response to each authentication request received from a user)”], the second divided OTP is stored in a second DB included in the first electronic device or connected to the first electronic device [col. 5, lines 43-48, “Among the multiple OTPs that a user has, each one may be assigned a unique short identifier (e.g., a single letter from [0 . . . 9, a . . . z, A . . . Z]) which would distinguish it from others. This identifier may be stored along with the OTP parameters on the authentication server as well as on the user device that is operable to generate the OTPs”].
[Sama: abs.].
Regarding claim 7, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.

Claims 4-5 and 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Redberg (US 20170279795 A1), Sama (US 8,572,684 B1) and Gibson et al. (US 8,832,788 B1) as applied to claims 1-3 and 7 above, and further in view of Ting et al. (US 20120204245 A1).
Regarding claim 4, the rejection of claim 1 is incorporated.
Sama further discloses the OTPs in the service server and the first electronic device for each service requiring authentication for the user ID information [col. 10, lines 13-15, “the OTP may be separated into two or more portions, such as OTP_A 322 and OTP_B 324”, col. 6, lines 24-31, “A table may be stored at an authentication server that authenticates a user of one or more of the devices, where the OTP elements of the table may be static or dynamically generated (e.g., generated in response to each authentication request received from a user)”, col. 5, lines 43-48, “Among the multiple OTPs that a user has, each one may be assigned a unique short identifier (e.g., a single letter from [0 . . . 9, a . . . z, A . . . Z]) which would distinguish it from others. This identifier may be stored along with the OTP parameters on the authentication server as well as on the user device that is operable to generate the OTPs”].
[Sama: abs.].
Gibson et al. further discloses generating a new OTP for the first electronic device and allocating the new OTP [col. 6, lines 34-54, “The password sub-module 215 can generate one-time passwords (OTP) for the number of trusted associates… The password sub-module 215 can deliver an OTP to a target user”, col. 4, lines 52-59, “A one-time password is a password that is valid for one session. Subsequently, the target user 103 can use the collected one-time passwords as an authentication password, for example, to receive a new password”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Gibson et al. into the teaching of Redberg and Sama with the motivation of using one-time passwords from user and trusted associates combined to form an authentication password used to determine whether the user is allowed to perform an action as taught by Gibson et al. [Gibson et al.: col. 2, lines 1-8].
They do not explicitly disclose discarding an old OTP in the service server and the first electronic device for each service requiring authentication.
However, Ting et al. teaches discarding the old OTP for each service requiring authentication [par. 0039, “If the OTP is valid, remote access server 150 returns the success message to remote access client 155 and simultaneously marks the OTP as having been used. At the client 115, the OTP may be deleted from card 105 (via reader 113) and from user profile 137”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ting et al. into the teaching of Redberg, Sama and Gibson et al. to discard an old OTP in the service server and the first electronic device for each service requiring authentication; with the motivation to facilitate the use of a contactless memory token to automate log-on procedures to a remote access server using dynamic one-time passwords as taught by Ting et al. [Ting et al.: abs.].
Regarding claim 5, the rejection of claim 1 is incorporated.
Sama further discloses receiving a service use request, comprising the user ID information, the device information, and the second divided OTP, from the first electronic device [col. 8, lines 23-25, “service provider 140 may include authentication server 130, such that service provider 140 is operable to perform authentication of user 120 as discussed herein”, col. 13, lines 30-43, “authentication server 130 receives a user identifier (user_ID) from electronic computing device 110… authentication server 130 receives OTP information including an OTP and OTP identifier from electronic computing device 110”, col. 15, lines 35-40, “electronic computing device 110 may communicate a device identifier that uniquely identifies that device to authentication server 130, such as a MAC address, IP address, and/or other information uniquely identifying electronic computing device 110”]; reading the first divided OTP matched up with the user ID information and device information included in the service use request, and transmitting the read first divided OPT to the authentication server along with the second divided OTP included in the service use request [col. 15, lines 17-32, “authentication server 130 identifies OTP identifiers that are assigned to the user associated with the received OTP information. Authentication server 130 may identify OTP identifiers using any one or more of a number of techniques. In one embodiment, authentication server 130 may receive the user identifier from electronic computing device 120 as discussed in operation 510 with reference to FIG. 5. Authentication server may then read look-up table 710 (FIG. 7) and compare the received user identifier with user identifiers included in user identifier column 712. For each match, authentication server 130 may read the associated OTP identifier from table 710. For example, where the received user identifier is "BOB", authentication server may match the received user identifier with three entries in look-up table 710, and read the corresponding OTP identifiers "1", "2", and "3"”]; permitting the service requested by the first electronic device if the authentication server succeeds in OTP verification [col. 10, lines 13-15, “the OTP may be separated into two or more portions, such as OTP_A 322 and OTP_B 324”, col. 6, lines 24-31, “A table may be stored at an authentication server that authenticates a user of one or more of the devices, where the OTP elements of the table may be static or dynamically generated (e.g., generated in response to each authentication request received from a user)”, col. 3, lines 12-15, “The methods may also include determining whether the identified OTP matches the received OTP, and authenticating the user based on whether or not the identified OTP matches the received OTP”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Sama into the teaching of Redberg with the motivation for using multiple one-time passwords (OTPs) to authenticate a [Sama: abs.].
Gibson et al. further discloses receiving a new OTP from the authentication server [col. 6, lines 34-54, “The password sub-module 215 can generate one-time passwords (OTP) for the number of trusted associates… The password sub-module 215 can deliver an OTP to a target user”, col. 4, lines 52-59, “A one-time password is a password that is valid for one session. Subsequently, the target user 103 can use the collected one-time passwords as an authentication password, for example, to receive a new password”], wherein a third divided OTP and fourth divided OTP divided from the new OTP are received [col. 6, lines 34-54, “The password sub-module 215 can generate one-time passwords (OTP) for the number of trusted associates… The password sub-module 215 can deliver an OTP to a target user”]; storing the third divided OTP, and transmitting the fourth divided OTP to the first electronic device, and the fourth divided OTP is stored [col. 6, lines 34-54, “The password sub-module 215 can generate one-time passwords (OTP) for the number of trusted associates… The password sub-module 215 can deliver an OTP to a target user”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Gibson et al. into the teaching of Redberg and Sama with the motivation of using one-time passwords from user and trusted associates combined to form an authentication password used to determine whether the user is allowed to perform an action as taught by Gibson et al. [Gibson et al.: col. 2, lines 1-8].

However, Ting et al. teaches discarding the first divided OTP related to the user ID information and the device information, wherein the second divided OTP stored in the first electronic device is discarded [par. 0039, “If the OTP is valid, remote access server 150 returns the success message to remote access client 155 and simultaneously marks the OTP as having been used. At the client 115, the OTP may be deleted from card 105 (via reader 113) and from user profile 137”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Ting et al. into the teaching of Redberg, Sama and Gibson et al. to discard an old OTP in the service server and the first electronic device for each service requiring authentication; with the motivation to facilitate the use of a contactless memory token to automate log-on procedures to a remote access server using dynamic one-time passwords as taught by Ting et al. [Ting et al.: abs.].
Regarding claim 8, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 9, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.

Claims 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Redberg (US 20170279795 A1), Sama (US 8,572,684 B1) and Gibson et al. (US 8,832,788 B1) as applied to claims 1-3 and 7 above, and further in view of Bowness (US 8,412,928 B1).
Regarding claim 11, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Redberg, Sama and Gibson et al. do not disclose receiving a one-time password (OTP) from an OTP server.
However, Bowness teaches receiving a one-time password (OTP) from an OTP server [abs, “The OTP server maintains user-specific secret data used in a one-time-password (OTP) process to generate OTPs for user authentication”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Bowness into the teaching of Redberg, Sama and Gibson et al. to discard an old OTP in the service server and the first electronic device for each service requiring authentication; with the motivation to employ password-based authentication schemes (such as Kerberos) in order to obtain the additional strong authentication benefits of OTPs as taught by Bowness [Bowness: col.2, lines 26-29].
Regarding claim 12, it recites limitations similar to claim 11. The reason for the rejection of claim 11 is incorporated herein.
 

 
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20130145449 A1		Method and Apparatus for Providing a One-Time Password
US 9178880 B1		Gateway mediated mobile device authentication
US 9780950 B1		Authentication of PKI credential by use of a one time password and pin
US 20130179350 A1		ELECTRONIC SIGNATURE SECURITY ALGORITHMS
US 20190080060 A1		USER AUTHENTICATION METHOD AND AUTHENTICATION SYSTEM USING MATCH WITH JUNK DATA
US 20150349958 A1		A METHOD FOR PROVIDING SECURITY USING SECURE COMPUTATION
US 20120210408 A1		VERIFICATION METHOD AND SYSTEM THEREOF
US 20130262857 A1		SECURE AUTHENTICATION IN A MULTI-PARTY SYSTEM
US 20070005955 A1		Establishing secure mutual trust using an insecure password

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/JASON CHIANG/Primary Examiner, Art Unit 2431