DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Regarding the objection to claim 2:
	Applicant’s amendment is considered to have overcome said objection. Accordingly, the objection has been withdrawn.

Regarding the rejection of claim 14 under 35 USC 112:
	Applicant’s amendment is considered to have overcome said rejection. Accordingly, the rejection has been withdrawn.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant's arguments filed 1/3/2022 have been fully considered but they are not persuasive. 
Applicant argues that “Casey only relates to password authentication” and that the combination of the Casey and Florencio references does not disclose the amended claim (e.g., “and at least a portion of a user’s identifier; a result of said applying comprising at least said portion of the user’s identifier for the remote server, either in clear or in encrypted form”). In response to the arguments against Casey individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, the Florencio reference is relied upon for disclosure of the amended claim language concerning the user identifier. For instance, refer to at least [0030] of Florencio, wherein “as appropriate or required by context, security credentials can include a username, password, or username-password pair… a security credential can include a part of a combined or amalgamated credential as well as an entire credential.” Further, at least [0031] of Florencio discusses determining “whether a specific security credential is being used or presented,” while at least [0032] of Florencio discloses that username and password fields are both capturable for, e.g., hashing. Florencio disclosure further relates to “the security credential” rather than a specific security credential such as a password. As such, it is believed that the Florencio reference discloses the amended claim language concerning the user identifier.
Where Applicant argues that “Florencio deals with preventing (and detecting) phishing attacks,” it is noted that the cited portions of Florencio accomplish this via applying a hash function to received user authentication data before it is sent, which is believed to be equivalent to that of the claim language. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-12 and 14-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Casey (US 8,832,804 B1) in view of Florencio (US 2007/0006305 A1).

Regarding claim 1, Casey discloses: A method, implemented by a connection device, the method comprising:
receiving user authentication data for an access to a remote server, said received authentication data comprising at least a password and at least a portion of a user’s identifier;
Refer to at least FIG. 5A-C and Col. 4, Ll. 63-Col. 5, Ll. 1 of Casey with respect to entry of credentials including a user ID and a password. 
Refer to at least Col. 1, Ll. 10-15 and Col. 4, Ll. 32-39 of Casey with respect to credentials being entered for a website.
applying a function to said received user authentication data;
Refer to at least Col. 3, Ll. 38-42, Col. 3, Ll. 55-Col. 4, Ll. 4, and Col. 5, Ll. 1-5 of Casey with respect to translating the password into a symbolic representation, such as via a hash function.
in the event of a match between said result of said applying and a result, of an applying of said function to user authentication data received during a previous access to said server via said connection device, sending to the remote server the user identifier corresponding to said received user authentication data and the password comprised in said received user authentication data; else
Refer to at least Col. 4, Ll. 29-40 of Casey with respect to storing the representations of passwords.
Refer to at least Col. 4, Ll. 5-8 and Col. 5. Ll. 54-Col. 6, Ll. 8 of Casey with respect to comparing a current representation to that of the stored representation. In the event of no mismatch, the current credentials are allowed to be submitted.
Refer to at least Col. 1, Ll. 10-13 of Casey with respect to submitting credentials. 
in the event of a mismatch between said results, requesting on a user interface, to confirm or to invalidate user authentication data to be sent to the remote server and proposing a user interface enabling to respond to said request.
Refer to at least Col. 4, Ll. 9-17 of Casey with respect to displaying the comparison results to a user, and with respect to a mismatch which results in preventing the submission without a user override.
Casey does not appear to specify that its stored representation is registered in association with an identifier of the remote server. Caser further does not disclose applying its function to the user ID as well as the password, i.e.: a result of said applying comprising at least said portion of the user’s identifier for the remote server, either in clear or in encrypted form. However, Casey in view of Florencio discloses: registered in association with an identifier of the remote server;
Refer to at least [0035]-[0037] of Florencio with respect to storing saved password hashes in association with a respective domain name for which they are used. 
a result of said applying comprising at least said portion of the user’s identifier for the remote server, either in clear or in encrypted form. 
Refer to at least [0030]-[0032] of Florencio with respect to hashing both usernames and passwords as part of a security credential protection implementation. 
The teachings of Casey and Florencio both concern hashing passwords and storing the hashed password values for comparison with currently entered passwords. Accordingly, they are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Casey to further include an identification of websites associated with the stored representations for at least the purpose of reducing the chance of sensitive data leakage (i.e., since the intended website is known, a user may be prevented from sending their credentials to an unintended website). It further would have been obvious to modify the teachings of Casey to include the user ID as a protected security credential for at least the purpose of increasing user security and privacy (i.e., the user ID may itself comprise personally identifiable information which the user would like to keep secure and private, such as a work email or their last name).

Regarding claim 2, Casey-Florencio discloses: The method of claim 1, wherein said method further comprises, in the event of a mismatch between said results: receiving from said user interface a request to correct said received user authentication data and new user authentication data for an access to the remote server, said new authentication data comprising at least a password; in the event of a match between a result of said function applied to said new authentication data and said registered result, said result of said function applied to said new authentication data comprising at least said portion of the user's identifier for the remote server, either in clear or in encrypted form, sending a user identifier corresponding to said new user authentication data and the password comprised in said new user authentication data to the remote server.
Refer to at least Col. 4, Ll. 5-14 of Casey with respect to a mismatch and prompting the user.
Refer to at least FIG. 5A-F of Casey with respect to the user entering keystrokes for a password and obtaining a visual prompt. As per at least Col. 8, Ll. 3-11 of Casey, the user may re-enter new credentials at any point after a mismatch is identified.

Regarding claim 3, it is rejected for substantially the same reasons as claims 3 and 1 above (i.e., the citations for claim 3 above and at least Col. 4, Ll. 29-40 of Casey and [0036]-[0037] of Florencio).

Regarding claim 4, it is rejected for substantially the same reasons as claims 2-3 above (i.e., the citations concerning storing representations and updating them; new credentials).

Regarding claim 5, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations drawn to hashing the password as a symbolic representation).

Regarding independent claim 6, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claims 7-10, they are substantially similar to claims 2-5 above, and are therefore likewise rejected.

Regarding claim 11, it is rejected for substantially the same reasons as claim 1 above (i.e., at least Col. 4, Ll. 35-40 of Casey concerning a web browser).

Regarding independent claim 12, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale).

Regarding claim 14, Casey-Florencio discloses: The method of claim 1 comprising, in the event of a mismatch between said results, sending a message to the user interface asking to verify that the received user authentication are indeed the data to be sent to the remote server.
Refer to at least Col. 4, Ll. 9-17 of Casey with respect to displaying the comparison results to a user, and with respect to a mismatch which results in preventing the submission without a user override.
Refer to at least [0032], [0046], and [0062] of Florencio with respect to a warning and user override.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claims 15-16, they are substantially similar to claim 14 above, and are therefore likewise rejected.

Regarding claims 17-20, they are substantially similar to claims 2-5 above, and are therefore likewise rejected.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/V.S/Examiner, Art Unit 2432