Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is a Final Office action in response to communications received October 22, 2021.  Claims 1, 7, 11, 19, 24, and 28 have been amended.  Therefore, claims 1-31 are pending and addressed below. 

Title
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 


Response to Arguments
Applicant's arguments to the rejection of claims 28-31 under 35 USC 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention are not sufficient.  Applicant argues that in specifications, Figure 7 illustrates machine 700 includes hardware processor 702, machine readable medium 722.  Examiner states again that in applicant's specifications, paragraph 0142, recites "Various embodiments may be implemented fully or partially in software and/or firmware".  Therefore the rejection is held. 


Based on claim’s amendments, the Examiner rejects claims 1-31 with the new ground of rejections.



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 28-31 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 28 limitation “means for obtaining a public key of a client device, means for generating a random number seed for the client device; means for encrypting the random number seed using the public key; means for transmitting the encrypted random number seed to the client device; means for receiving a plurality of ordered character inputs from the client device; means for receiving data indicating delays, each of the delays between two of the plurality of character inputs; means for generating 
In applicant's specifications, paragraph 0142, recites "Various embodiments may be implemented fully or partially in software and/or firmware".  The specifications disclose modules, devices and units related to the limitations, but fails to disclose particular structures to perform the functions.  
Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.







CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Claim 28 limitation “means for obtaining … means for generating a random number seed … means for encrypting … means for transmitting … means for receiving … means for receiving data indicating delays, … means for generating random numbers … means for deriving … means for generating … and means for authenticating an account”.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-31 are rejected under 35 U.S.C. 103 as being unpatentable over CHOW et al. (US 2002/0002678 A1, publish date 01/03/2002) in view of Brown (US2018/0097794 A1, publish date 04/05/2018).

Claims 1, 11, 28:
With respect to claims 1, 11, 28, CHOW et al. discloses a system of authenticating a user /A method if authenticating a user/An apparatus (client authentication, Figure 1) (the First Computer Program 10 responding to an authentication challenge from the Second Computer Program 12 by transmitting to the Second Computer Program 12 a password calculate, 0025-0026) (accounts and passwords authorized, 0003) comprising: 
hardware processing circuitry (Figure 2);
one or more hardware memories comprising instructions that when executed by the hardware processing circuitry (computer processor or device executed by an electronic system, a electronic memory to execute such method steps, 0242) to perform operations comprising: 
means for/obtaining a public key of a client device (the User's Public/private key pair and the servers’ 38 public key used for signing could be stored in this section, 0160) (the Server could store the User's public key used for signing, 0166) (the Client Software could store the public key of the Server 38, allowing all requests to be encrypted as only the real Server 38 can decrypt the request with the corresponding private key, 0237);
means for/generating a random number seed for the client device (transmitting an initial value to the Second Computer Program calculated by at least one iteration of a non-reversible function on a stored seed value and the Second Computer Program is operable to store the last transmitted password or initial value as a reference value, 0017) (calculate sequence of codes using seed value, Figure 1, 14) (calculates an initial value s.sub.n by executing the non-reversible function on a stored seed value, 0025); 
means for/encrypting the random number seed using the public key (if the Password Data File is stored in an encrypted form, 0103) (new sequence of passwords generated is now stored, this data will be encrypted if required by the local security Policy, 0113); 
means for/transmitting the encrypted random number seed to the client device (by transmitting the initial value s.sub.n to the Second Computer Program 12 at step 16, 0025) (by transmitting to the Second Computer Program 12 a password calculated by fewer iterations of the non-reversible function on the stored seed value than used to calculate the reference value, 0026) (The First Computer Program 10 as described above, is installed and operating on Client Computer 34, and the Second Computer Program 12 is installed and operating on a Server 38.  However, that in fact both the First Computer Program 10 and the Second Computer Program 12 could reside in the same computer, 0030); 
generating random numbers based on the random number seed (calculate sequence code using non-reversible function where = a seed value, Figure 1, 14) (using a simple non-reversible function such as the additive congruential pseudo-random number generator, 0034) (The seed value s.sub.0, may be created a number of ways, including use of a random number generator, 0042) (to generate passwords which are very long and totally random, and the User does not have to remember them, 0071) (All the required seeds may be generated randomly and automatically, 0175).

CHOW et al. does not disclose means for/receiving a plurality of ordered character inputs from the client device; means for/receiving data indicating delays, each of the delays between two of the plurality of character inputs; means for/deriving client device generated delays based on the generated random numbers; means for/generating revised delays by subtracting each of the client device generated delays from a corresponding one of the indicated delays; and means for/authenticating an account based on matching the plurality of character inputs with a stored password and matching the one or more revised delays with corresponding stored delays as claimed. 

However, Brown teaches user interface 200 can use a timer to identify when the user inputs each character of a password.  After the username and password have been input and the user clicks submit, the username and password as well as the timing information (collectively "multidimensional credentials") can be stored on server system (0030), means for/receiving a plurality of ordered character inputs from the client device; means for/receiving data indicating delays, each of the delays between two of the plurality of character inputs; means for/deriving client device generated delays based on the generated random numbers (the user has entered a username of "user12345" and a password of "12345".  It will also be assumed that the user entered the five characters of the password with a duration of 250 milliseconds between each character. Data structure 300 includes the username (user12345), the password (12345), and a timing array 301 that defines the timing information associated with the password, 0031) (data structure 500 initially defines that a duration of 250 ms should exist between each character of user12345's password and that a variance of up to 10 ms would be acceptable. … timing array 301 could be updated to [0, 250, 500, 750, 990]). … the variance of 10 ms would still apply so that the last character would be accepted as long as it was input between 230 and 250 ms after the fourth character” (0050) (Figure 5); 
means for/generating revised delays by subtracting each of the client device generated delays from a corresponding one of the indicated delays; and means for/authenticating an account based on matching the plurality of character inputs with a stored password and matching the one or more revised delays with corresponding stored delays (client computing device 102a sends authentication request 610 which includes the username and password input by the user as well as the timing information that was generated based on when the user input the characters of the password. Server system 101 uses the username contained in authentication request to identify a matching username, Server system 101 then compares the corresponding timing information, 0055-0058).

CHOW et al. and Brown are analogous art because they are from the same field of endeavor password authentication.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Brown in CHOW et al. for means for/receiving a plurality of ordered character inputs from the client device; means for/receiving data indicating delays, each of the delays between two of the plurality of character inputs; means for/deriving client device generated delays based on the generated random numbers; means for/generating revised delays by subtracting each of the client device generated delays from a corresponding one of the indicated delays; and means for/authenticating an account based on matching the plurality of character inputs with a stored password and matching the one or more revised delays with corresponding stored delays as claimed for purposes of enhancing the secure authentication system of CHOW et al. by adding dimension of password verification can greatly increase the security of a system while adding very little burden on the user. (see Brown 0002)


Claims 2, 29:
With respect to claims 2, 29, CHOW et al. discloses wherein means for/obtaining the public key for the client device comprises receiving a message from the client device indicating the public key (the User's Public/private key pair and the servers’ 38 public key used for signing could be stored in this section, 0160) (the Server could store the User's public key used for signing, 0166) (the Client Software could store the public key of the Server 38, allowing all requests to be encrypted as only the real Server 38 can decrypt the request with the corresponding private key, 0237).

Claims 3, 30:
With respect to claims 3, 30, the combination of CHOW et al. and Brown disclose the limitations of claims 1, 28, as addressed.

Brown teaches wherein the plurality of character inputs are received in one or more messages from the client device (the user has entered a username of "user12345" and a password of "12345", 0031) (Figure 2).

CHOW et al. and Brown are analogous art because they are from the same field of endeavor password authentication.

The motivation for combining CHOW et al. and Brown is recited in claims 1, 28.


Claims 4, 12, 31:
With respect to claims 4, 12, 31, the combination of CHOW et al. and Brown discloses the limitations of claims 1, 11, 28, as addressed.

Brown teaches wherein the data indicating the delays are two or more messages from the client device, wherein the indicated delays are equivalent to delays between reception of sequence messages of the two or more messages (Timing array, Variance, Figures 3, 5).

CHOW et al. and Brown are analogous art because they are from the same field of endeavor password authentication.

The motivation for combining CHOW et al. and Brown is recited in claims 1, 11, 28.

Claims 5, 13:
With respect to claims 5, 13, the combination of CHOW et al. and Brown discloses the limitations of claims 1, 11, as addressed.

Brown teaches wherein authenticating the account (the present invention can 
require the input of credentials such as a username and password, 0002) comprises evaluating the revised delays against delay criterion stored in a data store, and the operations further comprising rejecting the authentication in response to the delay criterion not being met and granting the authentication in response to the revised delays meeting the delay criterion; and transmitting a message to the client device indicating the rejection or the granting of the authentication (client computing device 102a sends authentication request 610 which includes the username and password input by the user as well as the timing information that was generated based on when the user input the characters of the password. Server system 101 uses the username contained in authentication request to identify a matching username, Server system 101 then compares the corresponding timing information, 0055-0058).

CHOW et al. and Brown are analogous art because they are from the same field of endeavor password authentication.

The motivation for combining CHOW et al. and Brown is recited in claims 1, 11.

Claims 6, 14:
With respect to claims 6, 14, the combination of CHOW et al. and Brown disclose the limitations of claims 1, 11, as addressed.

Brown teaches the operations further comprising: generating a random number for each pair of sequential characters in the ordered plurality of character inputs based on the random number seed; determining a delay between each pair of sequential characters in the ordered plurality of character inputs based on the data indicating delays ();  (data structure 500 initially defines that a duration of 250 ms should exist between each character of user12345's password and that a variance of up to 10 ms would be acceptable, timing array 301 could be updated to [0, 250, 500, 750, 990]). the variance of 10 ms would still apply so that the last character would be accepted as long as it was input between 230 and 250 ms after the fourth character, 0050) (Figure 5);  
for each generated random number, subtracting the generated random number from a respective delay between a respective pair of sequential characters to determine a respective one of the revised delays (client computing device 102a sends authentication request 610 which includes the username and password input by the user as well as the timing information that was generated based on when the user input the characters of the password. Server system 101 uses the username contained in authentication request to identify a matching username, Server system 101 then compares the corresponding timing information, 0055-0058).

CHOW et al. and Brown are analogous art because they are from the same field of endeavor password authentication.

The motivation for combining CHOW et al. and Brown is recited in claims 1, 11.

Claims 7, 15:
With respect to claims 7, 15, the combination of CHOW et al. and Brown disclose the limitations of claims 1, 11, as addressed.

CHOW et al. discloses the operations further comprising: selecting, from a group of random number functions, a particular random number function (pseudo-random number generator, 0034); and 
encrypting an indicator of the selected particular random number function, wherein the encrypted indicator is transmitted to the client device with the random number seed.
(if the Password Data File is stored in an encrypted form, 0103) (new sequence of passwords generated is now stored, this data will be encrypted if required by the local security Policy, 0113)(transmitting an initial value to the Second Computer Program calculated by at least one iteration of a non-reversible function on a stored seed value and the Second Computer Program is operable to store the last transmitted password or initial value as a reference value, 0017) (calculate sequence of codes using seed value, Figure 1, 14) (calculates an initial value s.sub.n by executing the non-reversible function on a stored seed value, 0025).

Claims 8, 16:
With respect to claims 8, 16, the combination of CHOW et al. and Brown disclose the limitations of claims 1, 11, as addressed.

CHOW et al. discloses wherein the indicator comprises instructions implementing the random number generator function (pseudo-random number generator, 0034).


Claims 9, 17, 22, 26:
With respect to claims 9, 17, 22, 26, the combination of CHOW et al. and Brown disclose the limitations of claims 1, 11, 19, 24, as addressed.

CHOW et al. discloses wherein the plurality of ordered character inputs represent one or more of an account name and a password for the account (accounts and passwords authorized, 0003).

Brown teaches wherein the plurality of ordered character inputs represent one or more of an account name and a password for the account (username and password, Figure 3).

CHOW et al. and Brown are analogous art because they are from the same field of endeavor password authentication.

The motivation for combining CHOW et al. and Brown is recited in claims 1, 11, 19, 24.

Claims 10, 18, 23, 27:
With respect to claims 10, 18, 23, 27, the combination of CHOW et al. and Brown disclose the limitations of claims 1, 11, 19, 24, as addressed.

CHOW et al. discloses the operations further comprising encrypting an indicator of a random number generation range, wherein the encrypted indicator of the random number generation range is transmitted to the client device with the random number seed (if the Password Data File is stored in an encrypted form, 0103) (new sequence of passwords generated is now stored, this data will be encrypted if required by the local security Policy, 0113)(transmitting an initial value to the Second Computer Program calculated by at least one iteration of a non-reversible function on a stored seed value and the Second Computer Program is operable to store the last transmitted password or initial value as a reference value, 0017) (calculate sequence of codes using seed value, Figure 1, 14) (calculates an initial value s.sub.n by executing the non-reversible function on a stored seed value, 0025), wherein the generation of the random numbers by the client device is in accordance with the indicated random number generation range (pseudo-random number generator, 0034).

Claims 19, 24:
With respect to claims 19, CHOW et al. discloses a system for authenticating a user/A system for authenticating a user (client authentication, Figure 1) (the First Computer Program 10 responding to an authentication challenge from the Second Computer Program 12 by transmitting to the Second Computer Program 12 a password calculate, 0025-0026) (accounts and passwords authorized, 0003), comprising: 
hardware processing circuitry (Figure 2);
one or more hardware memories storing instructions that when executed by the hardware processing circuitry (computer processor or device executed by an electronic system, a electronic memory to execute such method steps, 0242) to perform operations comprising:
receiving, by a client device, a message from a server (by transmitting the initial value s.sub.n to the Second Computer Program 12 at step 16, 0025) (by transmitting to the Second Computer Program 12 a password calculated by fewer iterations of the non-reversible function on the stored seed value than used to calculate the reference value, 0026) (The First Computer Program 10 as described above, is installed and operating on Client Computer 34, and the Second Computer Program 12 is installed and operating on a Server 38.  However, that in fact both the First Computer Program 10 and the Second Computer Program 12 could reside in the same computer, 0030); 
decoding a random number seed from the message (Once the Password Data File has been identified, it is opened, read and decrypted as shown at step 48, 0097)
based on a private key assigned to the client device (the User's Public/private key pair and the servers’ 38 public key used for signing could be stored in this section, 0160) (the Server could store the User's public key used for signing, 0166) (the Client Software could store the public key of the Server 38, allowing all requests to be encrypted as only the real Server 38 can decrypt the request with the corresponding private key, 0237);
generating random numbers based on the random number seed (calculate sequence code using non-reversible function where = a seed value, Figure 1, 14) (using a simple non-reversible function such as the additive congruential pseudo-random number generator, 0034) (The seed value s.sub.0, may be created a number of ways, including use of a random number generator, 0042) (to generate passwords which are very long and totally random, and the User does not have to remember them, 0071) (All the required seeds may be generated randomly and automatically, 0175);

CHOW et al. does not disclose deriving random delays from the random numbers; receiving input indicating a plurality of ordered characters and delays, each of the delays occurring between entry of two of the plurality of characters; generating revised delays by adding each of the random delays to a corresponding one of the indicated delays, and authenticating an account by transmitting the revised delays to the server, the server matching the plurality of character inputs with a stored password and matching the one or more revised delays expected by the server as claimed. 

However, Brown teaches user interface 200 can use a timer to identify when the user inputs each character of a password.  After the username and password have been input and the user clicks submit, the username and password as well as the timing information (collectively "multidimensional credentials") can be stored on server system (0030), deriving random delays from the random numbers; receiving input indicating a plurality of ordered characters and delays, each of the delays occurring between entry of two of the plurality of characters; generating revised delays by adding each of the random delays to a corresponding one of the indicated delays (the user has entered a username of "user12345" and a password of "12345".  It will also be assumed that the user entered the five characters of the password with a duration of 250 milliseconds between each character. Data structure 300 includes the username (user12345), the password (12345), and a timing array 301 that defines the timing information associated with the password, 0031) (data structure 500 initially defines that a duration of 250 ms should exist between each character of user12345's password and that a variance of up to 10 ms would be acceptable. … timing array 301 could be updated to [0, 250, 500, 750, 990]). … the variance of 10 ms would still apply so that the last character would be accepted as long as it was input between 230 and 250 ms after the fourth character” (0050) (Figure 5); and authenticating an account by transmitting the revised delays to the server, the server matching the plurality of character inputs with a stored password and matching the one or more revised delays expected by the server (client computing device 102a sends authentication request 610 which includes the username and password input by the user as well as the timing information that was generated based on when the user input the characters of the password. Server system 101 uses the username contained in authentication request to identify a matching username, Server system 101 then compares the corresponding timing information, 0055-0058).

CHOW et al. and Brown are analogous art because they are from the same field of endeavor password authentication.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Brown in CHOW et al. for means for/receiving a plurality of ordered character inputs from the client device; means for/receiving data indicating delays, each of the delays between two of the plurality of character inputs; means for/deriving client device generated delays based on the generated random numbers; means for/generating revised delays by subtracting each of the client device generated delays from a corresponding one of the indicated delays; and means for/authenticating an account based on matching the plurality of character inputs with a stored password and matching the one or more revised delays with corresponding stored delays as claimed for purposes of enhancing the secure authentication system of CHOW et al. by adding dimension of password verification can greatly increase the security of a system while adding very little burden on the user. (see Brown 0002)

Claim 20:
With respect to claim 20, the combination of CHOW et al. and Brown disclose the limitations of claim 19, as addressed. 

CHOW et al. discloses the operations further comprising transmitting a public key associated with the private key to the server (the User's Public/private key pair and the servers’ 38 public key used for signing could be stored in this section, 0160) (the Server could store the User's public key used for signing, 0166)( the Client Software could store the public key of the Server 38, allowing all requests to be encrypted as only the real Server 38 can decrypt the request with the corresponding private key, 0237).

Claims 21, 25:
With respect to claims 21, 25, the combination of CHOW et al. and Brown disclose the limitations of claims 19, 24, as addressed.

CHOW et al. discloses the operations further comprising receiving, from the server, an indication of a random number generator function (pseudo-random number generator, 0034), and invoking the indicated random number generator function to generate the random numbers (if the Password Data File is stored in an encrypted form, 0103) (new sequence of passwords generated is now stored, this data will be encrypted if required by the local security Policy, 0113)(transmitting an initial value to the Second Computer Program calculated by at least one iteration of a non-reversible function on a stored seed value and the Second Computer Program is operable to store the last transmitted password or initial value as a reference value, 0017) (calculate sequence of codes using seed value, Figure 1, 14) (calculates an initial value s.sub.n by executing the non-reversible function on a stored seed value, 0025).







Response to Remarks/Arguments
Applicant's arguments filed on October 22, 2021 have been considered but are moot in view of the new ground(s) of rejection.   In the remarks, Applicant argues that:

(1) Applicant submits that even if we include Brown in the 103 combination, that combination does not disclose or suggest at least: generating random numbers based on the random number seed; deriving client device generated delays based on the generated random numbers; generating revised delays by subtracting each of the client device generated delays from a corresponding one of the indicated delays; and authenticating an account based on matching the plurality of character inputs with a stored password and matching the one or more revised delays with corresponding stored delays. That is, none of the references calculate the random delays on both the client and server side, subtracts this random delay from the prespecified delay, and then verifies the prespecified delay.
 Chow mentions a function result to authenticate, this function result is used in another formula to then authenticate the client. This is not a disclosure of both random and intentional delays as claimed. 
Kacmarcik mentions a “timing” field indicating a time at which the keystroke was entered into the client computing device, this is to allow the host device to maintain the same intervals between keystrokes as were typed into the client computing device. See Kacmarcik, [0041]. Thus, Kacmarcik does not calculate the random delay values, it receives them in the message. Kacmarcik also does not use them to generate modified delay values which are then used for authentication as claimed. 
Brown mentions pre-specified delay characters, Brown also does not calculate the random delay values on the authentication side, nor does it compensate for this random delay prior to authentication. Brown simply compares the received delays with the stored delays to determine an authentication result.

In response to remark/arguments (1), Examiner respectfully disagrees.  Kacmarcik does not calculate the random delay values, it receives them in the message. Kacmarcik also does not use them to generate modified delay values which are then used for authentication as claimed. However, Brown teaches “data structure 500 initially defines that a duration of 250 ms should exist between each character of user12345's password and that a variance of up to 10 ms would be acceptable. … timing array 301 could be updated to [0, 250, 500, 750, 990]). … the variance of 10 ms would still apply so that the last character would be accepted as long as it was input between 230 and 250 ms after the fourth character” (0050) (Figure 5).  Therefore Brown calculate the random delay values on the authentication side, and does compensate for this random delay prior to authentication.  Therefore, Examiner maintains that the combination of CHOW et al. and Brown does teach and suggest this limitation. 


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm., every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433