DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
This action is responsive to application filed on 11/24/2021. Claims 1-20 are pending and being considered. Claims 1, 8 and 14 are independent. Claims 1, 3-5, 8, 10-12, 14 and 16-18 are amended. Thus, claims 1-20 are rejected.

Response to Arguments/Remarks
Applicant’s arguments/remarks filed on 11/24/2021 have been fully considered and are rendered moot in view of the new ground(s) of rejection outlined below. The argument(s) do not apply to the current art(s) being used.
Furthermore, in view of the claim amendments filed on 11/24/2021:
The objection to the Abstract has been waived.
The claim rejections under 35 U.S.C. § 112(b) have been withdrawn.

Claim Rejections - 35 U.S.C. 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4, 8-9, 11, 14-15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht; Asaf (US 2020/0057848 A1), hereinafter (Hecht), in view of Sheets; John F. et al. (US 2010/0180327 A1), hereinafter (Sheets), and further in view of Perumal Raj Sivarajan (US 2018/0041507 A1), hereinafter (Sivarajan).

Regarding claim 1, Hecht teaches a system for providing electronically authorized access to resources, the system comprising (Hecht, Para. [0006], discloses systems, methods and non-transitory computer readable media […] to obtain access to one or more access-controlled network resources): a memory device with computer-readable program code stored thereon (Hecht, Fig. 1 and Para. [0051], discloses one or more memory devices of vault 108 that store information and are accessed and/or managed through security server 104 (hereinafter a processing device), or see also Para. [0033], discloses a tangible computer-readable media that store software instructions); a communication device (Hecht, Fig. 1 and Para. [0050], ); and a processing device operatively coupled to the memory device and the communication device (Hecht, Fig. 1 and Para. [0050-0051], depicts and discloses security server 104 which is communicatively/operatively coupled to the one or more memory devices of vault 108 and the directory service 106), wherein the processing device is configured to execute the computer-readable program code to (Hecht, Para. [0051], discloses that the security server 104 may access and/or manage the information stored on one or more memory devices of vault 108, or see also Para. [0050], discloses that the security server may include one or more processors configured to, and as disclosed on Para. [0033], execute software instructions stored on the tangible computer-readable media to perform operations):
detect an authorization request to access a resource (Hecht, Para. [0056], discloses that the step 302 (i.e., hash generation) may be performed upon demand (e.g., upon detection of a request for access to an access-restricted resource 110-118));
Hecht, Fig. 3 and Para. [0060], discloses to form a new password 316 (hereinafter new authorization code)); and 
overwrite the authorization code with the new authorization code (Hecht, Para. [0062], discloses that the security server 104 may receive an indication to rotate a password according to the network environment 102's security policy. The security policy may require a periodic update of passwords, an event-based update (e.g., based ).  
Hecht teaches to create/form a new password 316, as disclosed above, however fails to explicitly disclose but Sheets teaches: receive an authorization code from an authorization device associated with the authorization request (Sheets, Para. [0008], discloses that an access device receives from a consumer device an authentication code […]. The access device then sends the authentication request message to a service provider containing at least the authentication code (and/or see also Para. [0057])); 
input the authorization code, Sheets, Para. [0059], discloses to use the consumer’s (entered/supplied) password and a dynamic data element (such as a nonce, see Para. [0048]) as an input to the transformation function (i.e., a hash function such as SHA-256) to generate an output, and as disclosed in Para. [0066], as a hash of selected input data (i.e., password and a dynamic data element (a nonce))); 
perform one or more operations on the hash output to generate a new authorization code (Sheets, Para. [0060], discloses that in addition to applying a function such as a hashing function to scramble the data, other operations can also be taken on the output of the (hash) function to create the (i.e., new) authentication code, and/or see also Para. [0066], discloses that the (new) authentication code was created by the server computer by truncating the output of a hash of selected input data (such as password and a dynamic element (a nonce))); and 

Hecht as modified by Sheets fails to explicitly disclose but Sivarajan teaches retrieve, from a historical database, historical data associated with the authorization code, wherein the historical data comprises at least one of authorization device location data, resource location data (Sivarajan, Para. [0046-0047], discloses that the provisioning server 104 can also check if location details (of the device) are close to location details historically used, after the provisioning server 104 first checks if the user has performed strong authentication (using at least one of a username/password, OTP, etc.) successfully); 
input the authorization code, the historical data, and a nonce value into a hash algorithm to generate a hash output (Sivarajan, Para. [0051], discloses that the provisioning server 104 generates the AuthKey (i.e., hash output) by applying a Password Based Key Derivation Function (PBKDF1 or PBKDF2) using nonce (N1, N2), location details, a prefixed string (say “authentication key”), and DK as inputs. Wherein the PBKDF1/PBKDF2 relies on PRF (Pseudo Random Function), which in turn relies on HMAC (Keyed-Hash Message Authentication Code) algorithm);


Regarding claim 2, Hecht as modified by Sheets in view of Sivarajan teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to update authorization data within an authorization database using the new authorization code (Hecht, Para. [0050], discloses that the security server 104 may be a system including one or more processors configured to interact with network environment 102 to update and manage credentials (such as passwords, keys, tokens, certificates, and other privilege data) for access-restricted resources (e.g., servers 110, databases 112, workstation 114, user device 116, and user accounts 118), and/or as disclosed in Para. [0062], for example, the security server 104 may receive an indication to rotate a password according to the network environment 102's security policy. The security policy may require a periodic update of passwords, an event-based update (e.g., based on a potential security threat, a request for access to an access-restricted resource, etc.), or another type of update).  

Regarding claim 4, Hecht as modified by Sheets in view of Sivarajan teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (Hecht, Para. [0050], ): detect a second authorization request to access the resource (Hecht, Para. [0029] and/or claim 24, discloses identifying an attempted privileged access session, and as further disclosed in Para. [0030] and/or claim 25, wherein the attempted privileged access session may include an attempt by an identity to access an access-restricted network resource);
receive the new authorization code from the authorization device associated with the second authorization request (Hecht, Para. [0029] and/or claim 24, discloses that the attempted privileged access session including an attempted use of a second authentication credential, and as disclosed in Para. [0031] and/or claim 26, wherein the attempted use of the second authentication credential may include the identity providing the second authentication credential to be authenticated); 
attempt to validate the new authorization code using an authorization database; determine that the new authorization code matches the data within the authorization database (Hecht, Para. [0065], discloses that, at step 408, the security server 104 may validate the new password containing the secret data element. For example, if an account requests a password change on a domain controller (DC) (e.g., in response to an identity seeking access to an access-restricted network resource), the password may first be validated by a solution agent installed on the DC or on another target credential host, and as disclosed in Para. [0066], wherein the solution agent may query the vault 108 (i.e., database) for the secret data element "on-demand". The vault 108 may return the secret data element, which is in turn validated by the solution agent, ); and 
grant the authorization request to access the resource (Hecht, Para. [0049], discloses that a network resource may be, for example, any secure device, application, database, virtualized computing instance, or network that requires an identity to be authenticated before accessing the resource, such as disclosed in Para. [0031], wherein the second authentication credential, provided by the identity, to be authenticated/validated at step 408 of Fig. 4 and/or at step 510 of Fig. 5).  

Regarding claims 8-9 and 11, the claims are drawn to the computer program product corresponding to the system of using same as claimed in claims 1-2 and 4, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 1-2 and 4 is equally applicable to the claims 8-9 and 11 of the computer program product, respectively.

Regarding claims 14-15 and 17, the claims are drawn to the computer implemented-method corresponding to the system of using same as claimed in claims 1-2 and 4, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 1-2 and 4 is equally applicable to the claims 14-15 and 17 of the computer implemented-method, respectively.

Claims 3, 5-6, 10, 12-13, 16 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht in view of Sheets and Sivarajan, as applied above, and further in view of DOLAN; Gerald et al. (US 2011/0185403 A1).

Regarding claim 3, Hecht as modified by Sheets in view of Sivarajan teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (See Hecht, Para. [0050]):
Hecht as modified by Sheets in view of Sivarajan fails to disclose but Dolan teaches attempt to validate the authorization code using an authorization database (Dolan, Para. [0035], discloses that the authentication module 106 determines, through the local user database 108 associated with the identified resource, whether the identified user is authenticated and is allowed to access the identified resource based on the received password); 
determine that the authorization code matches the data within the authorization database; and grant the authorization request to access the resource (Dolan, Para. [0036], discloses that if the received and stored passwords match (208), then the authentication module 106 informs (210) the network resource 110 that the identified user is authenticated and authorized to use the network resource 110).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Dolan’ into the teachings of ‘Hecht’ as modified by ‘Sheets’ in view of ‘Sivarajan’, with a motivation to determine that the authorization code matches the data within the authorization database, and grant the authorization request to access the resource, as taught by Dolan, in order to ensure that only authorized users are able to access network resources such as services, applications, files, data, and the like; Dolan, Para. [0001].

Regarding claim 5, Hecht as modified by Sheets in view of Sivarajan teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (See Hecht, Para. [0050]):
Hecht as modified by Sheets in view of Sivarajan fails to disclose but Dolan teaches attempt to validate the authorization code using an authorization database (Dolan, Para. [0035], discloses that the authentication module 106 determines, through the local user database 108 associated with the identified resource, whether the identified user is authenticated and is allowed to access the identified resource based on the received password, etc.); 
determine that the authorization code does not match the data within the authorization database; and reject the authorization request to access the resource (Dolan, Para. [0036], discloses that if the received and stored passwords match (208), then the authentication module 106 informs (210) the network resource 110 that the identified user is authenticated and authorized to use the network resource 110. Otherwise, access to the network resource 110 is refused (212)).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Dolan’ into the teachings of ‘Hecht’ as modified by ‘Sheets’ in view of ‘Sivarajan’, with a motivation to determine that the authorization code matches the data within the authorization database, and reject the authorization request to access the resource, as taught by Dolan, in order to ensure that only authorized users are able to access network resources such as services, applications, files, data, and the like; Dolan, Para. [0001].

Regarding claim 6, Hecht as modified by Sheets in view of Sivarajan and Dolan teaches the system according to claim 5, wherein Hecht further teaches the computer-readable program code further causes the processing device to transmit an alert to one or more users, wherein the alert indicates that the authorization device has been compromised (Hecht, Para. [0069], discloses that the system 100/200 (e.g., through security server 104) may generate an alert to send to one or more system administrators or a security team indicating that an unauthorized attempt to modify a password was made by a potential attacker, and as disclosed in Para. [0052], by compromising an identity 118 (i.e., machine, device, etc.) in network environment 102).

Regarding claims 10 and 12-13, the claims are drawn to the computer program product corresponding to the system of using same as claimed in claims 3 and 5-6, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 3 and 5-6 is equally applicable to the claims 10 and 12-13 of the computer program product, respectively.

Regarding claims 16 and 18-19, the claims are drawn to the computer implemented-method corresponding to the system of using same as claimed in claims 3 and 5-6, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 3 and 5-6 is equally applicable to the claims 16 and 18-19 of the computer implemented-method, respectively.

Claims 7 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht in view of Sheets and Sivarajan, as applied above, and further in view of Norton; Derk (US 2017/0272245 A1), hereinafter (Norton).

Regarding claim 7, Hecht as modified by Sheets in view of Sivarajan teaches the system according to claim 1, wherein Hecht as modified by Sheets in view of Sivarajan fails to teach but Norton teaches the one or more operations comprises a XOR operation (Norton, Para. [0006], discloses to perform an “exclusive-or” or XOR operation on the outputted hash, such as follows S=XOR(HASH(A), HASH(P))).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of ‘Norton’ into the teachings of ‘Hecht’ as modified by ‘Sheets’ in view of ‘Sivarajan’, with a motivation to perform an XOR operation on the computed hash, in order to generate a secret/authentication key; Norton, Para. [0006].

Regarding claim 20, the claim is drawn to the computer implemented-method corresponding to the system of using same as claimed in claim 7. Therefore, the rejection(s) set forth above with respect to the system claim 7 is equally applicable to the claim 20 of the computer implemented-method, respectively.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose telephone number is 571-272-1239. The examiner can normally be reached on 8AM-4PM (EST) Monday-Friday. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 571-272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a

/ALI CHEEMA/
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496