DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 12/16/2021.
In the instant Amendment, claims 1, 9 and 17 have been amended; and claims 1, 9 and 17 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.

Response to Arguments
The rejections of claim(s) 1-20 under 35 USC 112(b) have been withdrawn due to applicant’s amendment.
Applicants’ arguments in the instant Amendment, filed on 12/16/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “Brown, Burch, and Bhogal, either alone or in combination, do not teach, suggest, or disclose that a random generated challenge is a single, or one-time use as required in claims 1, 9, and 17.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Burch discloses a single-use generated random challenge (Burch: ¶0077 a needed key is dynamically pushed to the mobile device each time authentication is being requested and the key can be random [i.e., random challenge], such that it is not reproducible for a second iteration of authentication). Therefore, as the metes and bounds of the limitation have been met as noted above, the examiner finds this argument not persuasive.

The amended claims 1, 9, and 17 have been addressed in rejection below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3-6, 8 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over BROWN et al. (“Brown,” US 2009/0240943), published on September 24, 2009, in view of Burch et al. (“Burch,” US 2015/0215299), published on July 30, 2015.

Regarding claim 1: Brown discloses a method of authenticating a user to a computer in an adverse environment, comprising:
(Brown: ¶0036 the requesting device receiving a user password; ¶0063 use a wireless friendly encoding, compression and encryption technique to deliver all information to a mobile device, thus effectively extending the security firewall to include each mobile device 100 associated with the host system 30);
initiating a login process in the computer (Brown: ¶0068 the authenticating device detects that a connection is being requested, and proceeds to authenticate the requesting device in accordance with the challenge response scheme); 
encoding a generated random challenge in a message in the computer (Brown: ¶0010 the authenticating device generates a challenge that is issued to the requesting device. The requesting device combines the challenge with a hash of a password provided by a user of the requesting device; ¶0069 the Challenge c may be a group of bits that have been randomly generated by the authenticating device);
encoding the received random challenge using a hash of the user's received password in the trusted user device to generate an entered password hash-encoded random challenge (Brown: ¶0070 the Challenge c and the hash of the password H(user_ password) are concatenated together [...] this combination of the Challenge c and the hash of the password H(user_ password)); 
sending the entered password hash-encoded random challenge from the user's trusted device to the computer via a speaker coupled to the user's trusted device (Brown: ¶0070 the response r is then transmitted to the authenticating device; ¶0091 when the mobile device 100 is operating in a voice communication mode, the overall operation of the mobile device is substantially similar to the data mode, except that received signals are preferably be output to the speaker 334);
receiving the entered password hash-encoded random challenge in the computer via a microphone coupled to the computer (Brown: ¶0071 the authenticating device determines an authenticating encryption key k [...] the authenticating encryption key k is used to decrypt the response r received from the requesting device; ¶0091 when the mobile device 100 is operating in a voice communication mode, the overall operation of the mobile device is substantially similar to the data mode, except that [...] voice signals for transmission are generated by a microphone 336);
encoding the random challenge using a known hash value of the user's password to generate a known password hash-encoded random challenge (Brown: ¶0070 the requesting device prompts the user of the requesting device for a password user_ password. This password is hashed, using known hashing functions such as SHA-1, to create H(user_ password) which is then combined with the Challenge c received from the authenticating device); and
comparing the known password hash-encoded random challenge to the entered password hash-encoded random challenge in the computer to authenticate the user (Brown: ¶0071 a hash of the decrypted response H(decrypted_ response) is then compared to the stored hash of the device password H(stored_ password). If the two hashes match, then the decrypted response was the correct device password. Thus the authenticating device has authenticated the requesting device).
Brown does disclose generating a random challenge but does not explicitly disclose a single-use generated random challenge, sending the random challenge message to the
However, Burch discloses a single-use generated random challenge (Burch: ¶0077 a needed key is dynamically pushed to the mobile device each time authentication is being requested and the key can be random [i.e., random challenge], such that it is not reproducible for a second iteration of authentication);
sending the random challenge message to the trusted user device via a speaker coupled to the computer (Burch: ¶0033 at 4, the AAS returns an HTML page to the browser (of the desktop device) [...] the HTML page also includes an audio file that the browser is to play to generate sound on the speaker of the desktop device);
receiving the random challenge in the message in the trusted user device via a microphone coupled to the trusted user device (Burch: ¶0035 at 6, the mobile application of the mobile device "hears" the sound generated from the speaker of the desktop device by monitoring the microphone of the mobile device).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Burch with the system/method of Brown to include sending/receiving the random challenge message to the trusted user device via a speaker/microphone.
One would have been motivated to provide the device access to a resource based on evaluation of the audio message and the response message (Burch: ¶0005).
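The challenge-response flow mapped in the claim 1 rejection above can be sketched as follows. This is an added example, not code from the application, Brown, or Burch. It assumes HMAC-SHA-256 in place of the SHA-1 concatenation cited from Brown, leaves out the speaker/microphone transport, and uses hypothetical names (`Computer`, `TrustedDevice`, `CHALLENGE_TTL`).

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_BYTES = 16   # assumed challenge size (128 random bits)
CHALLENGE_TTL = 60.0   # assumed lifetime of an unanswered challenge, seconds


def password_hash(password: str) -> bytes:
    # Stand-in for H(user_password). A deployed system would use a salted,
    # slow KDF, because this stored value is itself sufficient to answer
    # any challenge.
    return hashlib.sha256(password.encode("utf-8")).digest()


def encode_challenge(challenge: bytes, pw_hash: bytes) -> bytes:
    # "Password hash-encoded random challenge": HMAC keyed with the password
    # hash (assumption: swapped in for plain H(c || H(password))).
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Computer:
    """Authenticating side: issues single-use challenges, checks responses."""

    def __init__(self, known_hashes, clock=time.monotonic):
        self._known = dict(known_hashes)   # user -> known password hash
        self._pending = {}                 # user -> (challenge, expiry)
        self._clock = clock

    def begin_login(self, user: str) -> bytes:
        # A fresh challenge per transaction; issuing a new one replaces
        # any unanswered challenge for the same user.
        challenge = secrets.token_bytes(CHALLENGE_BYTES)
        self._pending[user] = (challenge, self._clock() + CHALLENGE_TTL)
        return challenge

    def finish_login(self, user: str, response: bytes) -> bool:
        # pop() consumes the challenge on the first attempt, pass or fail,
        # which is what makes it single-use.
        entry = self._pending.pop(user, None)
        known = self._known.get(user)
        if entry is None or known is None:
            return False
        challenge, expires = entry
        if self._clock() > expires:
            return False
        expected = encode_challenge(challenge, known)
        return hmac.compare_digest(expected, response)  # constant-time compare


class TrustedDevice:
    """User's device: the password is typed here, never on the computer."""

    def respond(self, challenge: bytes, entered_password: str) -> bytes:
        return encode_challenge(challenge, password_hash(entered_password))


def demo() -> dict:
    # Constructed sample account and passwords.
    computer = Computer({"alice": password_hash("correct horse")})
    device = TrustedDevice()

    c1 = computer.begin_login("alice")
    r1 = device.respond(c1, "correct horse")
    first = computer.finish_login("alice", r1)
    replay = computer.finish_login("alice", r1)   # challenge already consumed

    c2 = computer.begin_login("alice")
    stale = computer.finish_login("alice", r1)    # old response, new challenge

    c3 = computer.begin_login("alice")
    wrong = computer.finish_login("alice", device.respond(c3, "guess"))

    return {"first": first, "replay": replay, "stale": stale,
            "wrong_password": wrong, "challenges_differ": c1 != c2}


if __name__ == "__main__":
    print(demo())
```

A response captured from one transaction fails against every later one because the challenge it encodes no longer exists on the computer.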

Regarding claim 3: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 1.
Brown further discloses wherein one or more communications between the trusted device and the computer comprise a frequency modulated signal or an amplitude modulated signal (Brown: ¶0059 a message is then delivered to the mobile device 100 via wireless transmission, typically at a radio frequency (RF), from a base station in the wireless network 105 to the mobile device 100).

Regarding claim 4: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 1.
Brown further discloses wherein the trusted device comprises a smartphone, a personal computer, or a tablet computer (Brown: fig. 1; items 10 and 100; ¶0021 the authenticating device is a wireless handheld device and the requesting device is a desktop computer).

Regarding claim 5: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 1.
Brown further discloses wherein the computer queries an authentication server in comparing the known password hash-encoded random challenge to the entered password hash-encoded random challenge in the computer to authenticate the user (Brown: ¶0070 this password is hashed, using known hashing functions such as SHA-1, to create H(user_ password) which is then combined with the Challenge c received from the authenticating device; ¶0071 a hash of the decrypted response H(decrypted_ response) is then compared to the stored hash of the device password H(stored_ password). If the two hashes match, then the decrypted response was the correct device password. Thus the authenticating device has authenticated the requesting device).

Regarding claim 6: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 1.
Burch further discloses wherein the generated random challenge is changed for every authentication transaction (Burch: ¶0077 a needed key is dynamically pushed to the mobile device each time authentication is being requested and the key can be random, such that it is not reproducible for a second iteration of authentication with the server authentication agent).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Burch with the system/method of Brown to include the generated random challenge is changed for every authentication transaction.
One would have been motivated to prevent modification of the random string or the user identity (Burch: ¶0068).

Regarding claim 8: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 1.
Brown further discloses wherein receiving the user's password in a trusted user device comprises receiving the password from the user via a keyboard or via a password management application (Brown: ¶0084 some subsystems, such as the keyboard 332 and the display 322 may be used for both communication-related functions, such as entering a text message for transmission over a data communication network).

Regarding claim 17: Brown discloses a method of authenticating a user to a computer in an adverse environment, comprising:
receiving a user's password in a trusted user device (Brown: ¶0036 the requesting device receiving a user password; ¶0063 use a wireless friendly encoding, compression and encryption technique to deliver all information to a mobile device, thus effectively extending the security firewall to include each mobile device 100 associated with the host system 30);
encoding a keyword with a hash of the entered password in the trusted user device to create an encoded keyword (Brown: ¶0070 the Challenge c and the hash of the password H(user_ password) are concatenated together [...] this combination of the Challenge c and the hash of the password H(user_ password) is further hashed in order to generate a requesting encryption key kr=H(c||H(user_ password))); and
comparing in the computer the encoded keyword with a keyword encoded with a known hash of the user's password in the computer to authenticate the user (Brown: ¶0071 a hash of the decrypted response H(decrypted_ response) is then compared to the stored hash of the device password H(stored_ password). If the two hashes match, then the decrypted response was the correct device password. Thus the authenticating device has authenticated the requesting device).
Brown does disclose a concatenated keyword [challenge] but does not explicitly disclose wherein the encoded keyword comprises a single-use generated random challenge 
However, Burch discloses wherein the encoded keyword comprises a single-use generated random challenge (Burch: ¶0077 a needed key is dynamically pushed to the mobile device each time authentication is being requested and the key can be random [i.e., random challenge], such that it is not reproducible for a second iteration of authentication); and
communicating the encoded keyword from the trusted user device to the computer using a physical communication channel perceivable by the user (Burch: ¶0036 at 7, the mobile application of the mobile device sends the audio file that it produced in 6 by playing the audio file on a speaker of the mobile device, which is received at the speaker of the desktop device (which the desktop device is monitoring for a reply in 5 above, via the microphone of the desktop device)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Burch with the system/method of Brown to include communicating the encoded keyword from the trusted user device to the computer using a physical communication channel perceivable by the user.
One would have been motivated to utilize multifactor authentication that utilizes speakers and microphones to perform the audio authentication (Burch: ¶0040).

Regarding claim 18: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 17.
Brown: ¶0084 an input/output component provided through the auxiliary I/O 328, keyboard 332, speaker 334, and microphone 336).

Regarding claim 19: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 17.
Brown further discloses wherein the known hash of the user's password is stored in the computer that authenticates the user (Brown: ¶0043 the authenticating device storing a hash of a defined password generated by applying the hash operation to the defined password).

Regarding claim 20: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 17.
Brown further discloses randomly generating the keyword in the computer and sending the keyword from computer to trusted user device using the physical communication channel perceivable by the user (Brown: ¶0084 an input/output component provided through the auxiliary I/O 328, keyboard 332, speaker 334, and microphone 336).


Claims 2, 7 and 9-16 are rejected under 35 U.S.C. 103 as being unpatentable over BROWN et al. (“Brown,” US 2009/0240943), published on September 24, 2009, in view of Burch et al. (“Burch,” US 2015/0215299), published on July 30, 2015 and Bhogal et al. (“Bhogal,” US 2016/0323108), published on November 3, 2016.

Regarding claim 2: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 1.
Brown in view of Burch does not explicitly disclose appending one or more communications between the trusted user device and the computer with at least one of a known prefix and a known suffix in a sending device, and verifying the known prefix and/or the known suffix in the receiving device to verify integrity of the message.
However, Bhogal discloses appending one or more communications between the trusted user device and the computer with at least one of a known prefix and a known suffix in a sending device, and verifying the known prefix and/or the known suffix in the receiving device to verify integrity of the message (Bhogal: ¶0019 authentication of the optical code comprises embedding into the optical code a signature of the reference (e.g., a Uniform Resource Locator (URL), network address, or the like) to content ( e.g., a web page, multi-media content, or the like) encoded by the optical code such that the signature can be used to authenticate the reference to content; ¶0024 using the embedded signature of the URL in the QR code, the integrity of the QR code and the URL may be verified).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bhogal with the system/method of Brown and Burch to include communications between the trusted user device and the computer with at least one of a known prefix and a known suffix in a sending device, and verifying the known prefix and/or the known suffix in the receiving device to verify integrity of the message.
Bhogal: ¶0019).

Regarding claim 7: Brown in view of Burch discloses the method of authenticating a user to a computer in an adverse environment of claim 1.
Brown in view of Burch does not explicitly disclose wherein the adverse environment comprises an environment where the user does not have exclusive control of the computer.
However, Bhogal discloses wherein the adverse environment comprises an environment where the user does not have exclusive control of the computer (Bhogal: ¶0025 it is possible that a malicious source may have distributed its own signed QR codes, i.e. the malicious domain may generate its own URL and sign it with its own digital signature mechanisms such that the resulting QR code represents a signed URL that, when verified for integrity, will verify that the URL was signed by the malicious domain).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bhogal with the system/method of Brown and Burch to include the adverse environment comprises an environment where the user does not have exclusive control of the computer.
One would have been motivated to ensure that the source is a reputable or trustworthy source of content and not a potentially malicious or suspect source (Bhogal: ¶0019).

Regarding claim 9: Brown discloses a method of authenticating a user to a computer in an adverse environment, comprising:
receiving a user's password in a trusted user device (Brown: ¶0036 the requesting device receiving a user password; ¶0063 use a wireless friendly encoding, compression and encryption technique to deliver all information to a mobile device, thus effectively extending the security firewall to include each mobile device 100 associated with the host system 30); 
initiating a login process in the computer (Brown: ¶0068 the authenticating device detects that a connection is being requested, and proceeds to authenticate the requesting device in accordance with the challenge response scheme); 
encoding a generated random challenge in a message in the computer (Brown: ¶0010 the authenticating device generates a challenge that is issued to the requesting device. The requesting device combines the challenge with a hash of a password provided by a user of the requesting device; ¶0069 the Challenge c may be a group of bits that have been randomly generated by the authenticating device);
encoding the received random challenge using a hash of the user's received password in the trusted user device to generate an entered password hash-encoded random challenge (Brown: ¶0070 the Challenge c and the hash of the password H(user_ password) are concatenated together [...] this combination of the Challenge c and the hash of the password H(user_ password)); 
sending the entered password hash-encoded random challenge from the user's trusted device to the computer via a display coupled to the user's trusted device (Brown: ¶0070 the response r is then transmitted to the authenticating device; ¶0090 when the mobile device 100 is operating in a data communication mode, a received signal [...] is processed by the transceiver module 311 and provided to the microprocessor 338, which preferably further processes the received signal in multiple stages [...] for eventual output to the display 322);
receiving the entered password hash-encoded random challenge in the computer via a camera coupled to the computer (Brown: ¶0071 the authenticating device determines an authenticating encryption key k [...] the authenticating encryption key k is used to decrypt the response r received from the requesting device; ¶0090 when the mobile device 100 is operating in a data communication mode, a received signal [...] is processed by the transceiver module 311 and provided to the microprocessor 338, which preferably further processes the received signal in multiple stages [...] alternatively, to an auxiliary I/O device 328 [camera]);
encoding the random challenge using a known hash value of the user's password to generate a known password hash-encoded random challenge (Brown: ¶0070 the requesting device prompts the user of the requesting device for a password user_ password. This password is hashed, using known hashing functions such as SHA-1, to create H(user_ password) which is then combined with the Challenge c received from the authenticating device); and
comparing the known password hash-encoded random challenge to the entered password hash-encoded random challenge in the computer to authenticate the user (Brown: ¶0071 a hash of the decrypted response H(decrypted_ response) is then compared to the stored hash of the device password H(stored_ password). If the two hashes match, then the decrypted response was the correct device password. Thus the authenticating device has authenticated the requesting device).
Brown does disclose generating a random challenge but does not explicitly disclose a single-use generated random challenge.
However, Burch discloses a single-use generated random challenge (Burch: ¶0077 a needed key is dynamically pushed to the mobile device each time authentication is being requested and the key can be random [i.e., random challenge], such that it is not reproducible for a second iteration of authentication).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Burch with the system/method of Brown to include a single-use generated random challenge.
One would have been motivated to prevent modification of the random string or the user identity (Burch: ¶0068).
Brown in view of Burch does not explicitly disclose sending the random challenge message to the trusted user device via a display coupled to the computer and receiving the random challenge in the message in the trusted user device via a camera coupled to the trusted user device.
However, Bhogal discloses sending the random challenge message to the trusted user device via a display coupled to the computer (Bhogal: ¶0049 the QR code generated by the secure optical code generator 120 may be applied to print material or output via a visual output device, such as a LCD or the like); 
receiving the random challenge in the message in the trusted user device via a camera coupled to the trusted user device (Bhogal: ¶0049 at a later time, a client device, such as client 114, may utilize its associated image capture device to capture an image of the QR code). 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bhogal with the system/method of Brown and Burch to include sending the random challenge message to the trusted user device via a display coupled to the computer and receiving the random challenge in the message in the trusted user device via a camera coupled to the trusted user device.
One would have been motivated to access a resource based on interpretation of a secure optical code (Bhogal: ¶0004).

Regarding claim 10: Brown in view of Burch and Bhogal discloses the method of authenticating a user to a computer in an adverse environment of claim 9.
Bhogal further discloses appending one or more communications between the trusted user device and the computer with at least one of a known prefix and a known suffix in a sending device, and verifying the known prefix and/or the known suffix in the receiving device to verify integrity of the message (Bhogal: ¶0019 authentication of the optical code comprises embedding into the optical code a signature of the reference (e.g., a Uniform Resource Locator (URL), network address, or the like) to content ( e.g., a web page, multi-media content, or the like) encoded by the optical code such that the signature can be used to authenticate the reference to content; ¶0024 using the embedded signature of the URL in the QR code, the integrity of the QR code and the URL may be verified).

One would have been motivated to ensure that the source is a reputable or trustworthy source of content and not a potentially malicious or suspect source (Bhogal: ¶0019).

Regarding claim 11: Brown in view of Burch and Bhogal discloses the method of authenticating a user to a computer in an adverse environment of claim 9.
Bhogal further discloses wherein one or more communications between the trusted device and the computer comprise a barcode, a QR code, or optical character recognition (Bhogal: ¶0015 optical codes, i.e. [...] visual characteristics, such as QR codes, matrix/2D barcodes).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bhogal with the system/method of Brown and Burch to include communications between the trusted device and the computer comprise a barcode, a QR code, or optical character recognition.
One would have been motivated to access a resource based on interpretation of a secure optical code (Bhogal: ¶0004).

Regarding claim 12: Brown in view of Burch and Bhogal discloses the method of authenticating a user to a computer in an adverse environment of claim 9.
Brown further discloses wherein the trusted device comprises a smartphone, a personal computer, or a tablet computer (Brown: fig. 1; items 10 and 100; ¶0021 the authenticating device is a wireless handheld device and the requesting device is a desktop computer).

Regarding claim 13: Brown in view of Burch and Bhogal discloses the method of authenticating a user to a computer in an adverse environment of claim 9.
Brown further discloses wherein the computer queries an authentication server in comparing the known password hash-encoded random challenge to the entered password hash-encoded random challenge in the computer to authenticate the user (Brown: ¶0070 this password is hashed, using known hashing functions such as SHA-1, to create H(user_ password) which is then combined with the Challenge c received from the authenticating device; ¶0071 a hash of the decrypted response H(decrypted_ response) is then compared to the stored hash of the device password H(stored_ password). If the two hashes match, then the decrypted response was the correct device password. Thus the authenticating device has authenticated the requesting device).

Regarding claim 14: Brown in view of Burch and Bhogal discloses the method of authenticating a user to a computer in an adverse environment of claim 9.
Burch: ¶0077 a needed key is dynamically pushed to the mobile device each time authentication is being requested and the key can be random, such that it is not reproducible for a second iteration of authentication with the server authentication agent).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Burch with the system/method of Brown to include the generated random challenge is changed for every authentication transaction.
One would have been motivated to prevent modification of the random string or the user identity (Burch: ¶0068).

Regarding claim 15: Brown in view of Burch and Bhogal discloses the method of authenticating a user to a computer in an adverse environment of claim 9.
Bhogal further discloses wherein the adverse environment comprises an environment where the user does not have exclusive control of the computer (Bhogal: ¶0025 it is possible that a malicious source may have distributed its own signed QR codes, i.e. the malicious domain may generate its own URL and sign it with its own digital signature mechanisms such that the resulting QR code represents a signed URL that, when verified for integrity, will verify that the URL was signed by the malicious domain).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bhogal 
One would have been motivated to ensure that the source is a reputable or trustworthy source of content and not a potentially malicious or suspect source (Bhogal: ¶0019).

Regarding claim 16: Brown in view of Burch and Bhogal discloses the method of authenticating a user to a computer in an adverse environment of claim 9.
Brown further discloses wherein receiving the user's password in a trusted user device comprises receiving the password from the user via a keyboard or via a password management application (Brown: ¶0084 some subsystems, such as the keyboard 332 and the display 322 may be used for both communication-related functions, such as entering a text message for transmission over a data communication network).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KARI L SCHMIDT/Primary Examiner, Art Unit 2439