DETAILED ACTION
This office action is in response to applicant’s amendment filed on 05/14/2021.  Claim 17 has been added. Claims 1-5, 7-12, 14-15 have been amended.  Claims 1-17 are pending and are directed towards apparatus, system, method, and computer product for Password Generation and Verification. Examiner acknowledges applicant’s amendment to abstract of specification and therefore withdraws the previous office action’s objections to the abstract of the specification.  In addition, examiner acknowledges applicant’s amendment to claims 1-5, 8-11, and 14-15 and therefore withdraws the previous office action’s objections to these claims.  Also, examiner acknowledges applicant’s amendment to claims 1, 5-6, and 9-12, and therefore withdraws the previous office action’s 112(f) interpretation to these claims.  Finally, examiner acknowledges applicant’s amendment to claims 3-4, 7, and 9, and therefore withdraws the previous office action’s 112(b) rejection to these claims.  
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1.	Applicant’s arguments filed 05/14/2021 have been fully considered.

B) Applicant’s arguments, with respect to the 102 rejection of claim 1 and 15, that Xia fails to teach “mapping the computer address to a base address, so that multiple computer addresses are mapped to the same base address; determining if the base address is registered with the identifier manager, and if not, assigning a unique base address system-identifier to the base address, and store the base address together with the base address system- identifier, if so, obtaining the base address system-identifier” (page 4-5 of the present response) have been fully considered but they are not persuasive.
	Regarding B) Xia teaches mapping the computer address to a base address, so that multiple computer addresses are mapped to the same base address (para 41, line 1-17; multiple network addresses for accessing a single secure service 10 are accommodated by assigning all the addresses to a single service handle 
C) Applicant’s arguments, with respect to the 102 rejection of claim 1 and 15, that Xia fails to teach “determine if the user identifier is registered with the identifier manager, and if not, assign a unique user system-identifier to the user identifier, and store the user identifier together with the user system- identifier, and if so, obtain the user system-identifier” (page 5-6 of the present response) have been fully considered but they are not persuasive.

D) Applicant’s arguments, with respect to amended limitation of claim 1, that Shen fails to teach “a password unit arranged to determine a first combined identifier by applying a first combined identifier function to the base address system-identifier, the user system-identifier, and the user password, and determine a final password from the first combined identifier” and that “there is no prima facie case for obviousness” (page 7-8 of the present response) have been fully considered but they are moot in view of the new grounds of 35 U.S.C. 103 rejections.
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 1-11 and 14-17 are rejected under 35 U.S.C. 103 as being unpatentable over Xia et al. (US Pub. 2003/0005299), hereinafter Xia, filed on Jun. 29, 2001 in view of Henry et al. (US Patent 6,996,718), hereinafter Henry, filed on Aug. 11, 2000.
Regarding claim 1, Xia teaches a password generation device (para 39, line 1-14; password management system processor 32 create passwords) comprising: 
an input interface arranged to receive, from a user device (para 42, line 1-13 and para 46, line 1-13; authentication management system 8 receives user inputs),
a computer address for accessing a computer resource (para 46, line 1-13; identify and intercept authentication responses directed towards network addresses), 
a user identifier indicating a user of the user device, and a user password (para 42, line 1-13; receive user ID 40 and password 42); and 

a computer address unit arranged to map the computer address to a base address, so that multiple computer addresses are mapped to the same base address (para 41, line 1-17; multiple network addresses for accessing a single secure service 10 are accommodated by assigning all the addresses to a single service handle included in address table 36); 
an identifier manager arranged to 
determine if the base address is registered with the identifier manager, and if not, assign a unique base address system-identifier to the base address, and store the base address together with the base address system-identifier, and if so, obtain the base address system-identifier (para 51, line 1-8 and para 52, line 1-23; if it is recognized that the network address is not in the address table 36, provide the user with an appropriate address handle to associate with the network address and is included in the handle table 38 of the repository), 
determine if the user identifier is registered with the identifier manager (para 43, line 1-9; check to verify the entered user ID), and 

a password unit arranged to 
determine a first combined identifier from the base address system-identifier, the user system-identifier, and the user password (para 49, line 1-12 and para 50, line 1-14; if a handle is found for the authentication response, an encoded password is obtained from the handle table 38 and is decoded for use in user authentication along with extracted user ID token), and
Xia does not teach applying a first combined identifier function
Henry teaches applying a first combined identifier function (col. 3, line 60-67 and col. 4, line 1-8; a password transform algorithm may generate a designated password using user ID, user common password, and URL of service provider)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia to incorporate the teachings of Henry to provide a password transform algorithm 
Xia teaches determine a final password from the first combined identifier (para 67, line 1-8 and para 70, line 1-8; password updating protocol uses the old password as an input to create a new password). 
Regarding claim 2, Xia and Henry teach apparatus of claim 1.
Xia teaches the identifier manager is further arranged to 
determine if the first combined identifier is registered with the identifier manager, and 3Attorney Docket No.: 5061-0043Preliminary Amendmentif not, assign a unique first combined system-identifier to the first combined identifier, and store the first combined identifier together with the first combined system-identifier, if so, obtain the first combined system-identifier assigned to the first combined identifier (para 68, line 1-21; upon confirmation of successful updating of the password, the processor 32 updates the password information in the handle table 38 and the stored password is encoded), and 
the password unit is further arranged to determine a second combined identifier from at least the first combined system-identifier (para 41, line 12-20; if the password for the service is changed, then the encoded password corresponding to the network address handle is updated), and 

Regarding claim 3, Xia and Henry teach apparatus of claim 1.
Xia teaches the password unit is further arranged to retrieve password constraints for the computer resource and to determine a final password satisfying the retrieved password constraints (para 67, line 1-8 and para 70, line 1-8; password rules, providing bounds on the allowable format of the password, are extracted from the password rules column of the handles table 38 and password updating protocol uses the old password as an input).
Regarding claim 4, Xia and Henry teach apparatus of claim 1.
Xia teaches the identifier manager is arranged to 
change the base address system-identifier, thus renewing all passwords for the computer resource (para 53, line 1-12; update the address table 36 to include the new address and the handle association and any future authorization response directed towards this network address will have the password modifications perform automatically), and/or 
change the user system-identifier, thus renewing all passwords for the user identifier.
Regarding claim 5, Xia and Henry teach apparatus of claim 1.
Xia teaches a login provider unit arranged to interface between a first login provider and the user device, the first login provider providing a first original user identifier, the login provider unit being arranged to obtain the user identifier from the first original user identifier and sent it to the user device (para 50, line 14-26; the dialog box, displayed on the display 20, shows that extracted user ID token and user then transfer it to the user authentication form).
Regarding claim 6, Xia and Henry teach apparatus of claim 1.
Xia teaches the login provider unit is arranged to interface between a second login provider and the user device, the second login provider providing a second original user identifier, the login provider unit being arranged to obtain a further user identifier from the second original user identifier and sent it to the user device, the identifier manager being arranged to store a user identifier correction factor, the password generation device applying the user identifier correction factor to the further user identifier to map it to the user identifier (para 43, line 14-17 and para 45, line 1-7 and para 58, line 1-13; user authentication system 8 supports multiple users, each user is assigned a master user ID 404 associated with a particular repository 34, and permits multiple users 
Regarding claim 7, Xia and Henry teach apparatus of claim 2.
Xia teaches the identifier manager stores a password correction factor, the password generation device applying the password correction factor to the second combined identifier to map it to a further second combined identifier previously generated for a different user identifier (para 43, line 14-19 and para 60, line 1-13; check to verify that the entered user ID is different from the corresponding master user ID and the appropriate password 410 is decoded from the handle table 38 of the repository 34).
Regarding claim 8, Xia and Henry teach apparatus of claim 1.
Xia teaches the identifier manager is arranged to store a hash of a generated password, optionally together with the computer address or base address (para 40, line 1-13; the repository 34 includes links between network addresses and encoded passwords and are shown in handle table 38), the software further comprises a part for: 
a verification unit, the verification unit including an interface arranged to receive a password and optionally a computer address (para 42, line 1-13 and para 46, line 1-13; authentication management system 8 receives user inputs, 
the verification unit being arranged to determine if the password was stored in hashed form and optionally if the received address matches the base address associated with the stored hashed password (para 39, line 1-16; detect authentication responses, where encoded passwords are stored in repository 34).
Regarding claim 9, Xia and Henry teach apparatus of claim 8.
Xia teaches store the password in hashed form and optionally the computer address (para 39, line 1-16; encoded passwords are stored in repository 34), and  5Attorney Docket No.: 5061-0043 Preliminary Amendment 
determine if the same password is received multiple times (para 39, line 1-16; detect and intercept authentication responses from users and the password management system processor 32 identifies the passwords).
Regarding claim 10, Xia and Henry teach apparatus of claim 1.
Xia teaches a ticket unit arranged to assign a ticket identifier to a generated password, and to store the ticket identifier, a ticket constraint, and the generated password, the ticket unit being arranged to send the ticket identifier to the user device (para 65, line 1-19 and para 69, line 1-16; password creation process includes algorithm that receives a system clock input 126, such as a time stamp, 
the ticket unit being arranged to 
receive a received ticket identifier and a received computer address from the computer resource (para 68, line 1-30 and para 69, line 1-16; network address 520 is provided by user to service provider 10 along the date for password updates), and 
verify that ticket identifier was assigned by the ticket unit and that the received computer address matches the base address associated with the generated password, and the ticket constraint, and if so, send the generated password to the computer resource (para 68, line 1-30 and para 69, line 1-16 and para 70, line 1-8; upon confirmation of password update where the clock date was used for the update process, store the password information in the handles tables 38 and it is inputted into dialog box and transmitted via network 12 to service provider 10).
Regarding claim 11, Xia and Henry teach apparatus of claim 10.

the ticket unit is arranged to generate a further ticket identifier, and to associate the further ticket identifier with the user, and is arranged to send the further ticket identifier to the computer resource after successful verification (para 68, line 1-30 and para 69, line 1-16; secure service provider 10 performs the password update for a user using the clock date and the network address 520), 
the ticket unit being arranged to 
receive a further received ticket identifier, verify that the further received ticket identifier matches the stored further ticket identifier, and if so send the personal information associated with the user to the computer resource (para 68, line 1-30 and para 69, line 1-16 and para 70, line 1-8; upon confirmation of password update where the cock date was used for the update process, store the password information in the handles tables 38 and it is inputted into dialog box and transmitted via network 12 to service provider 10). 
Regarding claim 14, Xia teaches a password generation system comprising the password generation device according to claim 1 and the user device (see claim 1 rejection), the user device including a web browser (para 42, line 4-12; a 
receive an original user password (para 42, line 1-8 and para 46, line 5-9; identify user password 42), 
hash the original password, to obtain the user password (para 44, line 24-31; a password in the repository 34 is encoded), 
detect a password field in a web page (para 42, line 1-12; a dialog box on display 20, which is generated by web browser 18, requires a password 42), and 
send the user identifier, computer address of the web page, and the user password to the password generation device (para 49, line 1-12 and para 50, line 1-14; if a handle is found for the authentication response, an encoded password is obtained from the handle table 38 and is decoded for use in user authentication where information may be entered into a dialog box on the display 20).
Regarding claim 15, Xia teaches a password generation method (para 39, line 1-14; password management system processor 32 create passwords) comprising 
receiving from a user device (para 42, line 1-13 and para 46, line 1-13; authentication management system 8 receives user inputs) 

a user identifier indicating a user of the user device, and a user password (para 42, line 1-13; receive user ID 40 and password 42); 
mapping the computer address to a base address, so that multiple computer addresses are mapped to the same base address (para 41, line 1-17; multiple network addresses for accessing a single secure service 10 are accommodated by assigning all the addresses to a single service handle included in address table 36); 
determining if the base address is registered with the identifier manager, and if not, assigning a unique base address system-identifier to the base address, and store the base address together with the base address system-identifier, if so, obtaining the base address system-identifier (para 51, line 1-8 and para 52, line 1-23; if it is recognized that the network address is not in the address table 36, provide the user with an appropriate address handle to associate with the network address and is included in the handle table 38 of the repository); 
determining if the user identifier is registered with the identifier manager (para 43, line 1-9; check to verify the entered user ID), and 

determining a first combined identifier from the base address system-identifier, the user system-identifier, and the user password (para 49, line 1-12 and para 50, line 1-14; if a handle is found for the authentication response, an encoded password is obtained from the handle table 38 and is decoded for use in user authentication along with extracted user ID token).
Xia does not teach applying a first combined identifier function
Henry teaches applying a first combined identifier function (col. 3, line 60-67 and col. 4, line 1-8; a password transform algorithm may generate a designated password using user ID, user common password, and URL of service provider)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia to incorporate the teachings of Henry to provide a password transform algorithm may generate a designated password using user ID, user common password, and 
Xia teaches determine a final password from the first combined identifier (para 67, line 1-8 and para 70, line 1-8; password updating protocol uses the old password as an input to create a new password).
Regarding claim 16, Xia teaches a computer program comprising computer program instructions arranged to perform the method according to claim 15 (see claim 15 rejection) when the computer program is run on a computer (para 39, line 1-14; a program or software component of the client device 14 operating system.
Regarding claim 17, Xia and Henry teach apparatus of claim 2.
Xia teaches the identifier manager is arranged to change the first combined system-identifier, thus renewing the second combined identifier and/or final password for the user identifier and the computer resource (para 67, line 1-8 and para 70, line 1-8; password updating protocol uses the old password as an input to create a new password for the service).
4.	Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Xia in view of Henry and Shen et al. (US Pub. 2012/0297190), hereinafter Shen, filed on May 19, 2011.
Regarding claim 12, Xia and Henry teach apparatus of claim 1.
Xia does not teach storing a list of registered device identifiers, the input interface is further arranged to receive a user device identifier, the software being arranged to refuse to generate a password if the user device identifier is not registered or blocked.
Shen teaches storing a list of registered device identifiers, the input interface is further arranged to receive a user device identifier, the software being arranged to refuse to generate a password if the user device identifier is not registered or blocked (para 21, line 1-6 and para 64, line 1-19; architecture includes mobile devices, register a device such as a mobile phone using a unique device ID, and uses the device ID to derive the credentials for user authentication).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia and Henry to incorporate the teachings of Shen to provide for the registration of mobile device and credentials for user authentication using device ID.  Doing so would allow for multi-party security protocol that incorporates biometric based authentication on a mobile phone, as recognized by Shen.
Regarding claim 13, Xia and Henry teach apparatus of claim 1.

It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia and Henry to incorporate the teachings of Shen to provide for the capture of biometric data by sensors to cloud which provides the password for accessing secure website.  Doing so would allow for multi-party security protocol that incorporates biometric based authentication on a mobile phone, as recognized by Shen.
Conclusion
5.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following are relevant prior arts: Cavanagh et al. (US Pub. 2017/0011214) discloses periodically generating and managing passwords for one or more websites of users and users are provided with the ability to automatically replace their old passwords with new passwords for their one or more website accounts; Karp et al. (US Pub. 2004/0025026) discloses generating a .
6.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will 
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/NHAN HUU NGUYEN/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492