DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Response to Amendment
The amendment filed 2021-12-28 has been entered and fully considered.


Response to Arguments
Applicant’s arguments, see pages 11-14, filed 2021-12-28, with respect to the claim amendments overcoming the cited prior art references of the rejection of claims 1-20 under 35 U.S.C. § 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn; however, upon further search and consideration, a new ground of rejection – as necessitated by amendment – is made in view of newly cited prior art.
Double Patenting
The rejection on the ground of nonstatutory double patenting over U.S. Patent No. 13194287 in the Office action mailed 2021-10-07 is held in abeyance as requested by Applicant in the remarks filed 2021-12-28.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3-4, 7-11, 13, 15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ashfield in view of Schechter and Boss. 

With respect to independent claim 1, Ashfield discloses a method, comprising:
dynamically generating, via at least one of the one or more computing devices, a plurality of knowledge-based questions in response to determining that the [user does not have the correct credentials] {col. 6, ll. 22-27: “authenticating persons, such as customers, by asking dynamic authentication questions, such as OOW questions, where the questions and/or answers change from one authentication request to the next”}.
providing, via at least one of the one or more computing devices, the plurality of knowledge-based questions to an application executing on a client device {col. 8, ll. 56-61: “user interface for interacting with a user, such as the customer 114 or employee 104, in order to: receive requests to access or use an account from the user; provide the user with authentication questions”}.
generating, via the at least one of the one or more computing devices, a score based at least in part on a comparison of a plurality of received answers to the plurality of knowledge-based questions with a plurality of valid answers to the plurality of knowledge-based questions, the plurality of received answers being received from the application {col. 10, ll. 51-60; and col. 16 ll. 33-39: “a risk rating may be used by the financial institution's computer system 130 and/or the authentication engine 140 when determining, for example, … how many failed attempts to answer authentication questions will be permitted”}.
in response to determining that the score meets or exceeds a predetermined threshold, granting, via the at least one of the one or more computing devices, access to … the user account {col. 16, ll. 36-42: “The authentication engine 140 would then verify that 80 is a passing score with the authentication rules datastore 139 and then proceed to archive the results with the authentication archive datastore 137. The authentication engine 140 would then send an authentication message to the customer terminal 112 or other device over the network 110, and allow the customer to proceed”}.
Although Ashfield teaches user authentication via dynamic knowledge-based questions, Ashfield does not explicitly disclose that the user authentication is triggered based upon receiving an invalid credential from a user; however, Schechter discloses:
receiving, via at least one of one or more computing devices, a request to authenticate a user account, the request comprising a master security credential to authenticate the user account for access to [resources] {col. 3, ll. 32-41: “authentication servers that receive communications from various entities that seek knowledge based access to restricted resources. …The authenticator 102 may enable users 104 to obtain access to a restricted resource by inputting personal authentication information, such as a username, password, personal identification number (PIN), personal question response, and so forth”}.
dynamically generating, via at least one of the one or more computing devices, a plurality of knowledge-based questions in response to determining that the master security credential is invalid {col. 4, ll. 50-60; col. 5, ll. 9-26; and col. 6, ll. 22-29: “when the input is not a match with the stored answer, further processing may be warranted”, such processing includes “an illustrative process of providing evidence-based dynamic scoring to limit guesses in knowledge based authentication”, the knowledge based authentication including “personal knowledge based questions and/or answers”}.
providing, via at least one of the one or more computing devices, the plurality of knowledge-based questions to an application executing on a client device {col. 5, ll. 27-35: “a request for personal information from a knowledge based authentication process” is sent to the user}.
generating, via the at least one of the one or more computing devices, a score based at least in part on a comparison of a plurality of received answers to the plurality of knowledge-based questions with a plurality of valid answers to the plurality of knowledge-based questions, the plurality of received answers being received from the application {col. 6, l. 66 – col. 7, l. 11: “the authenticator 102, via the dynamic scoring module 130, determines that the received input at 316 is similar to the input at 302 (or, in some embodiments, another previous input), then the authenticator 102 may calculate the score with a similarity reduction at 324”}.
in response to determining that the score [falls below] a predetermined threshold, granting, via the at least one of the one or more computing devices, access to … the user account {col. 12, ll. 15-26: “dynamic scoring module 130 may then reduce an incremental score, which is ultimately compared to a threshold, which may enable the user 104 to enter another input to gain access to the restricted resource”}.
Although Ashfield teaches user authentication via dynamic knowledge-based questions, Ashfield does not explicitly disclose that the user authentication is for resetting a master security credential; however, Boss discloses:
receiving, via at least one of one or more computing devices, a request to authenticate a user account, the request comprising a master security credential to authenticate the user account for access to a plurality of security credentials {para. 0002: “Rather than requiring users to remember multiple passwords, many organizations use a password manager program that assigns to each user a single password used for accessing all of the organization's computerized resources”}.
dynamically generating, via at least one of the one or more computing devices, a plurality of knowledge-based questions in response to determining that the master security credential is invalid {para. 0021: “user interface component 400 starts when accessed by a user seeking to retrieve or reset a password”, wherein “user interface component 400 determines if more authentication questions need to be asked based on the requirements of configuration file 250”}.
in response to determining that the [answers to the security questions are correct], granting, via the at least one of the one or more computing devices, access to reset a master security credential associated with the user account {para. 0021: “If more authentication questions need not be asked at step 428, user interface component 400 requests a new password from password manager 230 (430). Password manager 230 resets the user's password”}.

Ashfield and Schechter are analogous art because they are from the same field of endeavor or problem-solving area of user authentication.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Ashfield and Schechter before him or her, to modify/develop the authentication procedure of Ashfield’s system to utilize triggering the security questions based upon a received incorrect authentication credential.  The suggestion and/or motivation for doing so would have been because it’s merely combining prior art elements according to known methods to yield predictable results, i.e. automatically triggering the security questions rather than having the user manually request a different authentication procedure.  Therefore, it would have been obvious to combine Ashfield’s system with triggering the security questions based upon a received incorrect authentication credential to obtain the invention as specified in the instant claim(s).  The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.
Ashfield-Schechter and Boss are analogous art because they are from the same field of endeavor or problem-solving area of user authentication.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Ashfield-Schechter and Boss before him or her, to modify/develop the protected resource (e.g. financial institution) of Ashfield-Schechter’s system to utilize a password manager.  The suggestion and/or motivation for doing so would have been because it’s a simple substitution of one known element for another to obtain predictable results, i.e. employing the weighted security questions to a password manager instead of a financial institution, thereby increasing the security regarding password resets of the password manager.  Therefore, it would have been obvious to combine the protected resource (e.g. financial institution) in Ashfield-Schechter’s system with a password manager to obtain the invention as specified in the instant claim(s).  The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.

With respect to dependent claim 3, Ashfield discloses wherein providing the plurality of knowledge-based questions to the application comprises sending data to the application configured to generate a user interface to be rendered by the application, the user interface comprising the plurality of knowledge-based questions {col. 17, ll. 6-34: “a graphical user interface 500”, wherein “the authentication engine displays the transactional question through a server over the network to the customer terminal for the customer to answer”}.

With respect to dependent claim 4, Ashfield discloses wherein the plurality of security credentials grant access for the user account to a plurality of different applications {col. 7, ll. 32-60: “authenticating a person so that the person can access or use a financial account, such as a checking account, deposit account, savings account, other bank account, brokerage account, and/or the like” to employ different types of a “financial transaction”}.

With respect to dependent claim 7, Ashfield discloses wherein at least one of the plurality of knowledge-based questions is generated based at least in part on at least one of: purchase transaction data, browsing history, order history, search history, or profile information associated with the user account {col. 19, ll. 4-9: “generate authentication questions based at least in part on the electronic request and information about the financial account, wherein the authentication questions generated include one or more of financial behavior, financial history, or financial transaction associated with the financial account”}.

With respect to dependent claim 8, Ashfield discloses wherein individual received answers of the plurality of received answers are weighted with a respective different weight based at least in part on a respective knowledge-based question of the plurality of knowledge-based questions {col. 16, ll. 21-42: for each question, “the authentication rules datastore 139 may specify that answer scores with response times under two minutes are not decreased by any factor, answer scores with response times between two-six minutes are decreased by a factor of 20% and answer scores with response times above six minutes are decreased by a factor of 50%”}.
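The scoring behavior the Examiner maps to claim 1 (an overall score compared with a passing threshold of 80, with a limit on failed attempts) and to claim 8 (per-question answer scores reduced by response-time factors of 0%, 20% and 50%) can be sketched as a small scoring engine. This is an added illustration written for this page, not code from Ashfield or from the application; the question set, answers, weights and attempt limit are constructed, and the answer comparison is a simple normalized-string match.

```python
"""Knowledge-based authentication (KBA) scoring with response-time decay.

Constructed illustration of the rules quoted from Ashfield: an answer score is
not reduced under two minutes, reduced by 20% between two and six minutes, and
by 50% above six minutes; the overall score is compared with a passing score
(80 in the quoted example) and failed attempts are capped.
"""
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class Question:
    qid: str
    valid_answer: str
    weight: float = 1.0  # relative importance of the question (constructed)


@dataclass(frozen=True)
class Answer:
    qid: str
    text: str
    response_seconds: float


def time_factor(seconds: float) -> float:
    """Multiplier applied to a correct answer's score based on response time."""
    if seconds < 120:
        return 1.0      # under two minutes: no reduction
    if seconds <= 360:
        return 0.8      # two to six minutes: decreased by 20%
    return 0.5          # above six minutes: decreased by 50%


def normalize(text: str) -> str:
    """Case- and whitespace-insensitive form used for comparing answers."""
    return " ".join(text.strip().lower().split())


def answer_score(question: Question, answer: Answer) -> float:
    """Score for one question: 100 if correct, scaled by the time factor."""
    expected = normalize(question.valid_answer).encode()
    received = normalize(answer.text).encode()
    # compare_digest avoids leaking the answer via comparison timing
    if not hmac.compare_digest(expected, received):
        return 0.0
    return 100.0 * time_factor(answer.response_seconds)


def overall_score(questions: list, answers: list) -> float:
    """Weighted average of per-question scores; unknown or duplicate answers ignored."""
    by_id = {q.qid: q for q in questions}
    total_weight = sum(q.weight for q in questions)
    earned, seen = 0.0, set()
    for a in answers:
        q = by_id.get(a.qid)
        if q is None or a.qid in seen:
            continue
        seen.add(a.qid)
        earned += q.weight * answer_score(q, a)
    return earned / total_weight if total_weight else 0.0


@dataclass
class AuthSession:
    """Tracks failed KBA attempts and decides granted / denied / locked."""
    max_failed_attempts: int = 3
    failed_attempts: int = 0

    def authenticate(self, questions, answers, passing_score=80.0) -> str:
        if self.failed_attempts >= self.max_failed_attempts:
            return "locked"
        if overall_score(questions, answers) >= passing_score:
            return "granted"
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_failed_attempts:
            return "locked"
        return "denied"
```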

With respect to claims 9-10, a corresponding reasoning as given earlier in this section with respect to claims 1-2 applies, mutatis mutandis, to the subject matter of claims 9-10; therefore, claims 9-10 are rejected, for similar reasons, under the grounds as set forth for claims 1-2.

With respect to dependent claim 11, Boss discloses wherein the account data comprises a plurality of security credentials accessible via the master security credential, and wherein, when executed, the manager causes the at least one computing device to at least provide the plurality of security credentials to the client device {paras. 0002, 0019, & 0021: “Rather than requiring users to remember multiple passwords, many organizations use a password manager program that assigns to each user a single password used for accessing all of the organization's computerized resources”; the Examiner notes that some prior art password managers provide the passwords to the user’s client device}.

With respect to claim 13, a corresponding reasoning as given earlier in this section with respect to claim 7 applies, mutatis mutandis, to the subject matter of claim 13; therefore, claim 13 is rejected, for similar reasons, under the grounds as set forth for claim 7.

With respect to claim 15, a corresponding reasoning as given earlier in this section with respect to claim 1 applies, mutatis mutandis, to the subject matter of claim 15; therefore, claim 15 is rejected, for similar reasons, under the grounds as set forth for claim 1.

With respect to dependent claim 17, Ashfield discloses wherein the account data comprises at least one of a username, a password, a security key, or a certificate {col. 12, ll. 12-21: “an online banking account may only require a customer's login ID and password”}.

With respect to claim 18, a corresponding reasoning as given earlier in this section with respect to claim 12 applies, mutatis mutandis, to the subject matter of claim 18; therefore, claim 18 is rejected, for similar reasons, under the grounds as set forth for claim 12.

With respect to dependent claim 19, Ashfield discloses wherein the instructions, when executed, further cause the at least one computing device to at least deny access to the account data based at least in part on the score failing to meet a predetermined threshold {col. 16, ll. 43-59: “authentication engine 140 may determine that authentication failed since the overall score does not match the score required by the authentication rules datastore 139 … and proceed to send an ‘access denied’ message to the customer 114 over the network 110, and thus, deny the customer 114 and/or any requested transaction from proceeding, as represented by block 245”}.

With respect to dependent claim 20, Ashfield discloses wherein providing the plurality of knowledge-based questions comprises at least one of: generating a network page for rendering in a browser in the client device or sending data to the application in order for a user interface to be rendered by the application {col. 17, ll. 6-34: an “authentication question” may be provided via a “personal banking website over the Internet and the customer terminal may be the customer's personal computer”}.


Claims 2, 5-6, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Ashfield in view of Schechter, Boss, and Begen.

With respect to dependent claim 2, although Boss teaches password management, Boss does not explicitly disclose session expiration; however, Begen discloses providing access to the plurality of security credentials for a predetermined number of minutes {para. 0049: “the session associated with the validation token has expired”}.

Ashfield-Schechter-Boss and Begen are analogous art because they are from the same field of endeavor or problem-solving area of single sign-in authentication.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Ashfield-Schechter-Boss and Begen before him or her, to modify/develop the user authentication of Ashfield-Schechter-Boss’s system to utilize timeouts and password hashing.  The suggestion and/or motivation for doing so would have been because it’s merely combining prior art elements according to known methods to yield predictable results, i.e. securing passwords and the sessions.  Therefore, it would have been obvious to combine the user authentication in Ashfield-Schechter-Boss’s system with timeouts 

With respect to dependent claim 5, Boss-Begen disclose:
receiving a new master security credential from the application {Boss, para. 0021: “Password manager 230 resets the user's password”}.
storing a hashed version of the new master security credential as the master security credential {Begen, para. 0055: “bridge data 111 of a preferred embodiment stores … password hash (or other masked password data) which may be used in the validation of the user”}.

With respect to dependent claim 6, Begen discloses sending a configuration file including a security credential specification to the client device, the security credential specification specifying at least one of: a character set, a minimum length, or a maximum length for a password {para. 0008: “the credential requirements by different applications are different (e.g., password length, alphanumeric requirements, etcetera)”}.

With respect to dependent claim 14, Begen discloses wherein the request comprises a master security credential, and receiving the request comprises determining that the master security credential is not valid based at least in part on comparing a hashed version of the master security credential with a master security credential stored in association with the user {para. 0055: “bridge data 111 of a preferred embodiment stores … password hash (or other masked password data) which may be used in the validation of the user”}.


Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Ashfield in view of Schechter, Boss, and Bair.

With respect to dependent claim 12, although Boss teaches wherein the account data comprises a plurality of security credentials accessible via the master security credential, Boss does not explicitly disclose generation of passwords based on password specifications; however, Bair discloses wherein, when executed, the manager causes the at least one computing device to at least:
automatically generate at least one of the plurality of security credentials according to a security credential specification received from a remote computing device {para. 0070: “the process generates the password automatically and stores the password based on the constraints or parameters entered by the user”}.
send the at least one of the plurality of security credentials and the security credential specification to the client device {paras. 0045 & 0070: “the process generates the password automatically and stores the password based on the constraints or parameters entered by the user” or “password manager 310 obtains access information 314 from database 312 in the form of a password and user identifier”}.

Ashfield-Schechter-Boss and Bair are analogous art because they are from the same field of endeavor or problem-solving area of single sign-in authentication.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Ashfield-Schechter-Boss and Bair before him or her, to modify/develop the password manager of Ashfield-Schechter-Boss’s system to utilize credential parameters.  The suggestion and/or motivation for doing so would have been because it’s merely combining prior art elements according to known methods to yield predictable results, i.e. generation of passwords that comply with the restraints of the website.  Therefore, it would have been obvious to combine the password manager in Ashfield-Schechter-Boss’s system with credential parameters to obtain the invention as specified in the instant claim(s).  The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.


Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Ashfield in view of Schechter, Boss and Oztekin.

Although Ashfield teaches weighting security questions that are based on recent transactions (col. 6 ll. 43-55; col. 16 ll. 16-42), Ashfield does not explicitly disclose that the weighting is based on recency; however, Oztekin discloses wherein, when executed, the instructions further cause the at least one computing device to at least assign a different weight to individual answers of the plurality of received answers based at least in part on a recency of at least one of purchase transaction data or profile information associated with the account data {para. 0158: “relevance score between a question term or question topic and the consultant is increased when the consultant's search history or other online history meets predefined criteria for recent activity with respect to the topic or topics associated with the question”}.

Ashfield-Schechter-Boss and Oztekin are analogous art because they are from the same field of endeavor or problem-solving area of weighting questions.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Ashfield-Schechter-Boss and Oztekin before him or her, to modify/develop the weighting of security questions of Ashfield-Schechter-Boss’s system to utilize weighting/scoring based on recency of activity.  The suggestion and/or motivation for doing so would have been because it’s combining prior art elements according to known methods to yield predictable results, i.e. providing greater weight to more recent information.  Therefore, it would have been obvious to combine the weighting of security questions in Ashfield-Schechter-Boss’s system with weighting/scoring based on recency of activity to obtain the invention as specified in the instant claim(s).  The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.

Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 




Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Kevin Bechtel/Primary Examiner, Art Unit 2491