DETAILED ACTION
This communication is in response to the application filed on February 18, 2020, in which claims 1-20 are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/18/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

	
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 18 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim 18 recites the limitation “generating an input to receive the secret credential; and accessing the secret credential via the input”, the scope of this limitation is not clear. As one of ordinary skill in the art would recognize, an input is data that is entered into or received by a computer. As 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 17-18 are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by US Pat. No. 10,536,436 B1 to Barbour et al. (hereinafter Barbour).
As per claim 17, Barbour disclosed a method, comprising: 
accessing, by a processor, an indication that a user is to be authenticated (Barbour, Fig. 5, and col. 12, line 64 – col. 13, line 14, user requesting for service implicitly includes a request for authentication); 
transmitting, by the processor, a request for a one-time username responsive to the indication, the one-time username being usable for only one time, the request comprising a pre-stored reference key of the user (Barbour, Fig. 5, and col. 12, line 64 – col. 13, line 14, user requesting for service implicitly includes a request for OTP (read: one-time username) as it’s part of required credential for authentication, the input username corresponds to the claimed 
receiving, by the processor, the one-time username (Barbour, col. 13, lines 44-47, “The computer-implemented service may generate a one-time password 516 for the user and may use the user's public cryptographic key to encrypt the one-time password for delivery to the user device 514.”, further col. 13, lines 55-60, “In response to receiving the encrypted one-time password from the computer-implemented service, the user device 514 may use the user's private cryptographic key to decrypt the encrypted one-time password to obtain the one-time password 516”); and 
transmitting, by the processor, an authentication request comprising the one-time username and a secret credential (Barbour, Fig. 9, ref# 902, and col. 20, lines 24-26, “Through the UI, the computer-implemented service may receive 902 one or more credentials (e.g., passwords) of the user, as well as a one-time password that may have been provided by the computer-implemented service in encrypted form”, the one-time password corresponds to the claimed one-time username associated with an identity of the user).

As per claim 18, Barbour disclosed the method of claim 17, further comprising: generating an input to receive the secret credential; and accessing the secret credential via the input (Barbour, Fig. 9, ref# 902, and col. 20, lines 24-26, “Through the UI, the computer-implemented service may receive 902 one or more credentials (e.g., passwords) of the user, as well as a one-time password that may have been provided by the computer-implemented service in encrypted form”, the “one or more credentials (e.g., passwords)” is received by the service provider).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 8 and 10-15 are rejected under 35 U.S.C. 103 as being unpatentable over Barbour in view of US PG-PUB No. 2016/0255089 A1 to Diestler et al. (hereinafter Diestler).
As per claim 1, Barbour disclosed an apparatus (Barbour, Fig. 1) comprising: 
a processor; and a non-transitory machine-readable medium on which is stored instructions that when executed by the processor, cause the processor to: 
receive an authentication request to authenticate a user, the authentication request comprising a one-time username associated with an identity of the user and a secret credential of the user (Barbour, Fig. 9, ref# 902, and col. 20, lines 24-26, “Through the UI, the computer-implemented service may receive 902 one or more credentials (e.g., passwords) of the user, as well as a one-time password that may have been provided by the computer-implemented service in encrypted form”, the one-time password corresponds to the claimed one-time username associated with an identity of the user); 
authenticate the user based on the one-time username and the secret credential (Barbour, col. 20, line 29 - col. 21, line 6, received one-time password and credential are verified based on stored user information, identifying of a unique user identifier is implicitly disclosed as each user to be authenticated must be uniquely identified in order to retrieve and validate corresponding credentials); and 

Barbour does not explicitly disclose identify, in a user registry, a unique user identifier based on the one-time username; and authenticate the user based on the unique user identifier; however, in an analogous art in network access control, Diestler disclosed using an internal unique user identifier for identifying a user record in a database (Diestler, par 0071, in the registration process, “...At step 304B, CAM 118 may create a new user record for User X in database(s) 120, and may enter User X's data (received from IA 116 in step 304A) in the user's record. During step 304B, database(s) 120 may also create a system-wide unique user identifier (i.e., the internal user identifier) associated with User X, to identify User X within system 100”, i.e., an internal unique user identifier is generated for each user during registration for identifying a user within the system); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Barbour to incorporate the use of an internal unique user identifier for identifying a user record as disclosed by Diestler, in order to effectively identify each user within the system (Diestler, par 0069, 0071).

As per claim 2, Barbour-Diestler disclosed the apparatus of claim 1, wherein the user is registered to be authenticated during a registration process (Barbour, col. 15, lines 35-39, “At any time, a user may utilize a user client to access an application, such as a web browser, to access a user interface of a computer-implemented service to register an account with the 
generate, during the registration process, the unique user identifier and a reference key of the user (Barbour, col. 15, line 46-58, generate username during registration process, the generated username corresponds to the claimed reference key; and Diestler, par 0071, during registration process, database creates a system-wide unique user identifier (i.e. unique user identifier) and a separate, external user identifier (i.e. reference key); the reasons of obviousness have been noted in the rejection of claim 1 above and applicable herein); 
store, in a user database, an association of the unique user identifier and the reference key (Barbour, col 16, lines 13-26, “The computer-implemented service may store the public cryptographic key within a public key datastore and may associate the public cryptographic key with the user account. For example, the computer-implemented service may update a database of the datastore to indicate that the public cryptographic key corresponds to a particular username or other characteristics of the user account (e.g., user contact information, user address, etc.). Further, the computer-implemented service may use the username and password or other credentials to create a user profile for the user.”, i.e., user profile with associated information stored in the database; Diestler, par 0071, a system-wide unique user identifier generated for identifying user record); and 
provide the reference key, but not the unique user identifier, as an output of the registration process to maintain secrecy of the unique user identifier (Barbour, col. 15, lines 46-58, username (read: reference key) and password or other credentials provided to user; and Diestler, par 0071, the unique user identifier is “internal”, i.e., not provided to user; the reasons of obviousness have been noted in the rejection of claim 1 above and applicable herein).



As per claim 4, Barbour-Diestler disclosed the apparatus of claim 2, wherein the instructions when executed further cause the processor to: 
receive, prior to receipt of the authentication request, a request for the one-time username, the request comprising the reference key (Barbour, Fig. 5, and col. 12, line 64 – col. 13, line 14, user requesting for service implicitly includes a request for OTP (read: one-time username) as it’s part of required credential for authentication, the input username corresponds to the claimed reference key; also col. 11, lines 60-65, “The authentication sub-system 408 may transmit a request to the one-time password generator 410 to generate a random one-time password for the user.”); 
generate the one-time username responsive to the request for the one-time username; identify the unique user identifier based on the reference key and the user database; and store, in the user registry, an association of the unique user identifier and the one-time username to indicate generation of the one-time username with respect to the unique user identifier (Barbour, col. 11, lines 62-66, “In response to the request, the one-time password generator 410 may obtain the shared secret 416 of the user and utilize the shared secret 416 to encrypt the one-time password, resulting in the encrypted one-time password 418”, also col. 13, lines 26-55, “...the computer-implemented service generates a one-time password for the user that is encrypted using the user's public cryptographic key or a shared secret that is shared between the user and the computer-implemented service.... The computer-implemented service may also use its own cryptographic key or other encryption method to encrypt the one-time 

As per claim 8, Barbour-Diestler disclosed the apparatus of claim 4, wherein to generate the one-time username, the instructions when executed cause the processor to: generate a random number based on a pseudo random number generator (Barbour, col. 10, lines 32-35, “The authentication sub-system 308 may transmit a request to the one-time password generator 310 to obtain the one-time password stored within the user profile or within another database for verification purposes”, the examiner takes official notice that pseudo random number generator is well known and commonly used in the art as one-time password generator).

As per claim 10, Barbour-Diestler disclosed the apparatus of claim 1, wherein the user registry comprises a runtime cache of the apparatus that is overwritten with new data to remove the one-time username from the user registry (Barbour, col. 17, line 10-15, “...the one-time password, as the name implies, may only be used once. Thus, if the one-time password is used by the user and it is determined to be valid, the computer-implemented service may discard the random one-time password to prevent further use.”, further col. 17, line 46-56, “...The computer-implemented service may compare the one-time password provided by the user to 

As per claim 11, Barbour-Diestler disclosed the apparatus of claim 1, wherein the user registry comprises a stored association between the one-time username and the unique user identifier (Barbour, col. 13, lines 26-55, “...the computer-implemented service generates a one-time password for the user that is encrypted using the user's public cryptographic key or a shared secret that is shared between the user and the computer-implemented service.... The computer-implemented service may also use its own cryptographic key or other encryption method to encrypt the one-time password 516 to create a second encrypted one-time password that may be used for verification purposes. ....the second encrypted one-time password is stored by the computer-implemented service within a database that is only accessible by the computer-implemented service.”, i.e., the one-time password (read: one-time username) is generated and (an encrypted version) stored in the database (i.e. user registry), and Diestler, par 0071, association of user information using an internal unique user identifier; the reasons of obviousness have been noted in the rejection of claim 1 above and applicable herein), and wherein to update the user registry, the instructions when executed further cause the processor to: update the stored association with an indication to prevent the one-time username from being used again (Barbour, col. 17, line 10-15, “...the one-time password, as the name implies, may only be used once. Thus, if the one-time password is used by the user and it is determined to be valid, the computer-implemented service may discard the random one-time password to prevent further use.”).

As per claim 12, Barbour-Diestler disclosed the apparatus of claim 1, wherein the user registry comprises a stored association between the one-time username and the unique user identifier, and wherein to update the user registry, the instructions when executed further cause the processor to: delete the stored association from the user registry to prevent the one-time username from being used again (Barbour, col. 17, line 10-15, “...the one-time password, as the name implies, may only be used once. Thus, if the one-time password is used by the user and it is determined to be valid, the computer-implemented service may discard the random one-time password to prevent further use.”, discarding data implies deleting of stored associations of the data).
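The flow recited across claims 1, 2, 4, 11 and 12 can be followed in code. The sketch below is an added illustration, not part of this Office action and not code from the application, Barbour or Diestler; the class and method names, the PBKDF2 parameters, the use of a CSPRNG for the random values, and the choice to consume the one-time username on any authentication attempt are assumptions.

```python
import hashlib
import hmac
import secrets


class OneTimeUsernameService:
    """Hypothetical model of the claimed registration / one-time-username flow."""

    PBKDF2_ROUNDS = 100_000  # constructed value for the illustration

    def __init__(self):
        self._user_db = {}      # reference key -> unique user identifier
        self._credentials = {}  # unique user identifier -> (salt, password hash)
        self._registry = {}     # one-time username -> unique user identifier

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, self.PBKDF2_ROUNDS
        )

    def register(self, password):
        """Claim 2: create both identifiers, output only the reference key."""
        uid = secrets.token_hex(16)                # internal, never returned
        reference_key = secrets.token_urlsafe(16)  # external handle for the user
        salt = secrets.token_bytes(16)
        self._user_db[reference_key] = uid
        self._credentials[uid] = (salt, self._hash(password, salt))
        return reference_key

    def request_one_time_username(self, reference_key):
        """Claim 4: resolve the reference key, mint and record a one-time username."""
        uid = self._user_db.get(reference_key)
        if uid is None:
            return None
        # Assumption: a CSPRNG is used where claim 8 recites a pseudo random
        # number generator.
        one_time_username = secrets.token_urlsafe(16)
        self._registry[one_time_username] = uid
        return one_time_username

    def authenticate(self, one_time_username, password):
        """Claims 1 and 12: look up the unique identifier, then drop the association."""
        # Assumption: the association is deleted on the first attempt, valid or
        # not, so a guessed or replayed one-time username cannot be retried.
        uid = self._registry.pop(one_time_username, None)
        if uid is None:
            return False
        salt, expected = self._credentials[uid]
        return hmac.compare_digest(self._hash(password, salt), expected)
```
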

As per claim 13, Barbour-Diestler disclosed a non-transitory machine-readable medium on which is stored machine-readable instructions (Barbour, claim 12) that when executed by a processor, cause the processor to: 
access a request for a one-time username, the request comprising a reference key associated with a user (Barbour, Fig. 5, and col. 12, line 64 – col. 13, line 14, user requesting for service implicitly includes a request for OTP (read: one-time username) as it’s part of required credential for authentication, the input username corresponds to the claimed reference key; also col. 11, lines 60-65, “The authentication sub-system 408 may transmit a request to the one-time password generator 410 to generate a random one-time password for the user.”); generate the one-time username responsive to the request; identify a unique user identifier of the user based on the reference key; store an association of the unique user identifier and the one-time username in a user registry to indicate that the one-time username for the user identified by the unique user identifier was generated (Barbour, col. 11, lines 62-66, “In response to the request, 

As per claim 14, Barbour-Diestler disclosed the non-transitory machine-readable medium of claim 13, wherein the instructions when executed further cause the processor to: access a user authentication request, the user authentication request comprising the one-time username and a secret credential (Barbour, Fig. 9, ref# 902, and col. 20, lines 24-26, “Through the UI, the computer-implemented service may receive 902 one or more credentials (e.g., passwords) of 

As per claim 15, Barbour-Diestler disclosed the non-transitory machine-readable medium of claim 14, wherein the user registry comprises a temporary cache, the instructions when executed further cause the processor to: update the temporary cache to remove the stored association of the unique user identifier and the one-time username (Barbour, col. 17, line 10-15, “...the one-time password, as the name implies, may only be used once. Thus, if the one-time password is used by the user and it is determined to be valid, the computer-implemented service may discard the random one-time password to prevent further use.”, further col. 17, line 46-56, “...The computer-implemented service may compare the one-time password provided by the user to the expected one-time password to determine whether they match. If they match, and the user's other credentials are valid, the computer-implemented service may allow the user to access the computer-implemented service”, cache storage is implied, and by definition, cache is a temporary storage, therefore being overwritten with new data is an inherent property); access a second user authentication request, the second user authentication request .

Claims 5-7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Barbour in view of Diestler as applied to claim 4 above, and further in view of US PG-PUB No. 2020/0351263 A1 to Alhothaily et al. (hereinafter Alhothaily).
As per claim 5, Barbour-Diestler disclosed the apparatus of claim 4, wherein the instructions when executed further cause the processor to: 
generate, during the registration process, a key for the user; store, in the user database, an association of the signature key and the reference key; and provide the key as an output of the registration process (Barbour, col. 16, lines 9-20, “....the user client to provide the public cryptographic key of the cryptographic key pair to the computer-implemented service to complete the registration process. The computer-implemented service may store the public cryptographic key within a public key datastore and may associate the public cryptographic key with the user account. For example, the computer-implemented service may update a database of the datastore to indicate that the public cryptographic key corresponds to a particular username or other characteristics of the user account (e.g., user contact information, user address, etc.)”);


As per claim 6, Barbour-Diestler-Alhothaily disclosed the apparatus of claim 5, wherein the signature key comprises a cryptographic key (Barbour, col. 16, lines 9-20, public/private key pair, also Alhothaily, par 0039-0040, generating public/private key pairs).

As per claim 7, Barbour-Diestler-Alhothaily disclosed the apparatus of claim 5, wherein the request for the one-time username is digitally signed with the signature key of the user, and wherein the instructions when executed further cause the processor to: access the signature key from the user database based on the reference key; and verify that the digitally signed request was signed with the signature key (Barbour, col. 16, lines 9-20, public/private key pair generated 

As per claim 16, Barbour-Diestler-Alhothaily disclosed the non-transitory machine-readable medium of claim 13, wherein the request is digitally signed with a signature key of the user, and wherein the instructions when executed further cause the processor to: access the signature key based on the reference key; and verify that the digitally signed request was signed with the signature key (Barbour, col. 16, lines 9-20, public/private key pair generated and stored in user database, Barbour, Fig. 5, and col. 12, line 64 – col. 13, line 14, user requesting for service implicitly includes a request for OTP (read: one-time username) as it’s part of required credential for authentication, the input username corresponds to the claimed reference key; and Alhothaily, par 0039-0040, generating public/private key pairs and signing user message with user private key; the reasons of obviousness have been noted in the rejection of claim 5 above and applicable herein).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Barbour in view of Diestler as applied to claim 2 above, and further in view of US PG-PUB No. 2015/0161417 A1 to Kaplan et al. (hereinafter Kaplan).
As per claim 9, Barbour-Diestler disclosed the apparatus of claim 2; Barbour does not explicitly disclose access an indication of a reference key renewal triggering event; generate a new .

Claims 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Barbour as applied to claim 17 above, and further in view of Alhothaily.
As per claim 19, Barbour-Alhothaily disclosed the method of claim 17, wherein transmitting the request for the one-time username comprises: digitally signing the request for the one-time username based on a pre-stored signature key of the user and transmitting the digitally signed request (Barbour, Fig. 5, and col. 12, line 64 – col. 13, line 14, user requesting for service implicitly includes a request for OTP (read: one-time username) as it’s part of required 

As per claim 20, Barbour-Alhothaily disclosed the method of claim 19, further comprising: receiving the reference key and the signature key during a registration process that user registers the user; and storing the reference key and the signature key (Barbour, col. 15, lines 46-58, username generated as part of registration process, and further col. 16, lines 9-20, “....the user client to provide the public cryptographic key of the cryptographic key pair to the computer-implemented service to complete the registration process. The computer-implemented service may store the public cryptographic key within a public key datastore and may associate the public cryptographic key with the user account. For example, the computer-implemented service may update a database of the datastore to indicate that the public cryptographic key corresponds to a particular username or other characteristics of the user account (e.g., user contact information, user address, etc.)”, and Alhothaily, par 0038-0039, generating and storing public/private key pairs and user private key used for signing message to service provider; the reasons of obviousness have been noted in the rejection of claim 5 above and applicable herein).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Tiruvaipeta et al. (US PG-PUB No. 2020/0351263 A1) disclosed a method and system for generating dynamic user IDs.
Takeuchi et al. (US PG-PUB No. 2014/0335903 A1) disclosed a method and system for maintaining anonymity of a user in network communications.
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Linglan Edwards whose telephone number is (571)270-5440. The examiner can normally be reached 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/LINGLAN E EDWARDS/Primary Examiner, Art Unit 2491