DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to RCE
This action is responsive to application filed on 06/03/2022. Claims 1-20 are pending and being considered. Claims 1, 8 and 14 are independent. Claims 1, 8 and 14 are amended. Claims 1-20 are rejected.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/03/2022 for application number 16/587,184 has been entered.

Response to Arguments/Remarks
	Applicant’s arguments/remarks filed on 06/03/2022 have been fully considered and are rendered moot in view of new grounds of rejection(s) outlined below. The argument(s) do not apply to the current art(s) being used.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 7 and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Regarding dependent claims 7 and 20, the claims recite limitation “wherein the one or more operations comprises a XOR operation”, which is not clearly described in the specification and/or drawings (Figs. 1-3). The specification as filed must describe the claimed invention in sufficient detail so that one of ordinary skill in the art can reasonably conclude that the inventor had possession of the claimed invention. Examiner notes that the specification (Para. [0039, 0070 and/or 0076]) only discloses to generate a new authorization number and/or a randomized hash value by transforming the authorization hash output. Wherein the authorization hash output may be transformed using one or more processes (e.g., a logic gate such as XOR operation), and does not include description of “how” a XOR operation is being performed on the outputted hash to generate a new authorization number and/or a randomized hash value. Therefore, the disclosure lacks on written description of “how” a XOR operation is being performed, e.g., what algorithm being used to perform a XOR operation. Thus, the claims 7 and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement(s). For instance, generic claim language of repeating XOR in the original disclosure does not satisfy the written description requirement since it fails to support the scope of the genus XOR operation claimed. The description does not provides any details of how the hash output may be transformed using one or more XOR operations, which does not entitle the inventor to claim any and all ways for achieving that objective. The claims lack written description since the claims define the invention in functional language specifying a desired result but the specification does not sufficiently describe how the function is performed or the result is achieved. 
MPEP 2161.01, For instance, generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad, 598 F.3d at 1349-50, 94 USPQ2d at 1171 ("[A]n adequate written description of a claimed genus requires more than a generic statement of an invention’s boundaries.") (citing Eli Lilly, 119 F.3d at 1568, 43 USPQ2d at 1405-06); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, 1616 (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, 1606 (Fed. Cir. 1993) (rejecting the argument that "only similar language in the specification or original claims is necessary to satisfy the written description requirement"). The Federal Circuit has explained that a specification cannot always support expansive claim language and satisfy the requirements of 35 U.S.C. 112 "merely by clearly describing one embodiment of the thing claimed." LizardTech v. Earth Resource Mapping, Inc., 424 F.3d 1336, 1346, 76 USPQ2d 1731, 1733 (Fed. Cir. 2005). The issue is whether a person skilled in the art would understand applicant to have invented, and been in possession of, the invention as broadly claimed. In LizardTech, claims to a generic method of making a seamless discrete wavelet transformation (DWT) were held invalid under 35 U.S.C. 112, first paragraph, because the specification taught only one particular method for making a seamless DWT and there was no evidence that the specification contemplated a more generic method. "[T]he description of one method for creating a seamless DWT does not entitle the inventor . . . to claim any and all means for achieving that objective." LizardTech, 424 F.3d at 1346, 76 USPQ2d at 1733.

Claim Rejections - 35 U.S.C. 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1- 2, 4, 8-9, 11, 14-15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht; Asaf (US 2020/0057848 A1), hereinafter (Hecht), in view of Sheets; John F. et al. (US 2010/0180327 A1), hereinafter (Sheets), and further in view of Liu et al. (US 9,798,822 B2), hereinafter (Liu).

Regarding claim 1, Hecht teaches a system for providing electronically authorized access to resources, the system comprising (Hecht, Para. [0006], discloses systems, methods and non-transitory computer readable media […] to obtain access to one or more access-controlled network resources): a memory device with computer-readable program code stored thereon (Hecht, Fig. 1 and Para. [0051], discloses one or more memory devices of vault 108 that store information and are accessed and/or managed through security server 104 (hereinafter a processing device), or see also Para. [0033], discloses a tangible computer-readable media that store software instructions); a communication device (Hecht, Fig. 1 and Para. [0050], discloses that the security server 104 may interact with access-restricted network resources through, or by reference to, directory service 106 (hereinafter a communication device) that enforces security policies of network environment 102); and a processing device operatively coupled to the memory device and the communication device (Hecht, Fig. 1 and Para. [0050-0051], depicts and discloses security server 104 which is communicatively/operatively coupled to the one or more memory devices of vault 108 and the directory service 106), wherein the processing device is configured to execute the computer-readable program code to (Hecht, Para. [0051], discloses that the security server 104 may access and/or mange the information stored on one or more memory devices of vault 108, or see also Para. [0050], discloses that the security server may include one or more processors configured to, and as disclosed on Para. [0033], execute software instructions stored on the tangible computer-readable media to perform operations): 
detect an authorization request to access a resource (Hecht, Para. [0056], discloses that the step 302 (i.e., hash generation) may be performed upon demand (e.g., upon detection of a request for access to an access-restricted resource 110-118));
Hecht, Fig. 3 and Para. [0060], discloses to form a new password 316 (hereinafter new authorization code)); and 
overwrite the authorization code with the new authorization code (Hecht, Para. [0062], discloses that the security server 104 may receive an indication to rotate a password according to the network environment 102's security policy. The security policy may require a periodic update of passwords, an event-based update (e.g., based on a potential security threat, a request for access to an access-restricted resource, etc.), or another type of update).  
retrieve, from a historical database, historical data associated with the authorization code (Hecht, Para. [0020 or 0023], discloses a secure credential repository (hereinafter, a vault 108, as depicted in Fig. 1) that securely maintains the data (i.e., historical data) associated with the plurality of authentication credentials, and as disclosed in Fig. 1 and Para. [0051], wherein the vault 108 may include computing components (e.g., database management system, database server, etc.) configured to receive and process requests for data (i.e., historical data) stored in memory devices of vault 108 and to provide data (i.e., historical data) from vault 108), 
wherein the historical data comprises Hecht, Fig. 1 and Para. [0051], discloses a vault 108 that may be one or more databases storing credential information (i.e., historical data associated with the authorization code) for one or more access-restricted network resources in network environment 102 (e.g., servers 110, databases 112, workstation 114, user device 116, and user accounts 118, as disclosed in Fig. 1 and Para. [0050]). The one or more databases may include, for example, network resources accessed by an identity, an identity's attempt to access a network resource, and the like, and/or see also Para. [0029], discloses to securely maintain data (i.e., historical data) associated with a plurality of authentication credentials, the plurality of authentication credentials being useable by a plurality of identities to obtain access to one or more access-controlled network resources, and/or see also Para. [0017], discloses to monitor activity of an identity associated with the new authentication credential data);
Hecht teaches to create/form a new password, as disclosed above, however fails to explicitly disclose but Sheets teaches receive an authorization code from an authorization device associated with the authorization request (Sheets, Para. [0008], discloses that an access device receives from a consumer device an authentication code […]. The access device then sends the authentication request message to a service provider containing at least the authentication code (and/or see also Para. [0057])); 
input the authorization code, the historical data, one or more salt values, and a nonce value into a hash algorithm to generate a hash output (Sheets, Para. [0062], wherein the service provider needs to receive the authentication code and enough additional information and/or a different set of data so that the service provider (e.g., the issuer 28) can recreate the authentication code by utilizing the process, such as described in Para. [0083-0089 OR 0095-0100], wherein the set of data (such as, username, password/auth-code, transaction amount, terminal ID and a nonce) could be used as an input(s) to a SHA-256 hash function to generate a hash output of the inputted data. This hash output can then be truncated to create an authentication code. (herein, ‘username and terminal id’ represents one or more salt values and transaction amount (i.e., transactional information that is stored for later use (see Para. [0054 and 0110]) represents historical data)), wherein the one or more salt values comprises a user identifier and a device identifier associated with the authorization device (Sheets, Para. [0062 and/or 0064], discloses that the access device sends the username and authentication code from the consumer device along with a dynamic data element (nonce), transaction amount, and a terminal ID to the service provider, and/or as disclosed in Para. [0090], wherein a username and a portable consumer device ID can be sent from the portable consumer device (herein, username and terminal id/ portable consumer device ID represents one or more salt values)); 
perform one or more operations on the hash output to generate a new authorization code (Sheets, Para. [0060], discloses that in addition to applying a function such as a hashing function to scramble the data, other operations can also be taken on the output of the (hash) function to create the (i.e., new) authentication code, and/or see also Para. [0064 and 0066], discloses that the authentication code was re-created by the server computer by truncating the output of a hash of selected input data (such as, username, password, transaction amount, terminal ID, and dynamic data (a nonce)), and/or see also Para. [0089], discloses that the hash output can then be truncated to create an authentication code. For example, the authentication code might be the first sixteen characters of the hash); and 
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Sheets’ into the teachings of ‘Hecht’, with a motivation to input the authorization code, the historical data, one or more salt values, and a nonce value into a hash algorithm to generate a hash output, and perform one or more operations on the hash output to generate a new authorization code, as taught by Sheets, in order to reduce the ability of any participant (or an attacker) in the transaction to fake an authentication code; Sheets, Para. [0059].
Hecht teaches to securely maintain data (i.e., historical data) associated with a plurality of authentication credentials, wherein the plurality of authentication credentials being useable by a plurality of identities to obtain access to one or more access-controlled network resources, as disclosed above, however Hecht as modified by Sheets fails to explicitly disclose but Liu teaches wherein the historical data comprises authorization device location data, resource location data associated with the resource, and one or more timestamps associated with use of the authorization code to access the resource (Liu, Fig. 6 (Block 603) and Col. 9 (Lines 51-67), discloses to store URL of webpage (i.e., resource location data) as a record in a history of records for a browsing history, wherein each record in a browsing history may be a data structure including a URL accessed via a browser hosted by a device, a physical location indicating where the device was when the browser accessed the URL, and a timestamp indicating when the browser accessed the URL, or see also Fig. 1 and Col. 4 (Lines 1-36), wherein applications 107 may generate records for histories of records 113 (e.g. stored in a mass storage device, a memory, a flash memory, or other storage components etc.) over time. For example, applications 107 may include a web browser storing browsing histories based on web pages or URLs visited. Each record may be a data structure containing an application specific data (e.g. a URL), a timestamp and a location data. The location data may be GPS or geolocation-based information indicating where a corresponding record was collected. The timestamp may include date and/or time information indicating when the corresponding record was collected, such as when the location data was received for the corresponding record. For example, a browser running in a device may access a URL to generate a browsing record including the URL, the location data and the timestamp indicating where and when the browser in the device accessed the URL. For example, the timestamp may indicate when a request for the URL was sent from the device); 
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Liu’ into the teachings of ‘Hecht’ as modified by ‘Sheets’, with a motivation wherein the historical data comprises authorization device location data, resource location data associated with the resource, and one or more timestamps, as taught by Liu, in order for a processing logic to retrieve a history of location based records from one or more locally or remotely coupled devices, for example, according to an identity determined from a request received. Wherein the identity may be associated with a user operating a device where the request originates from; Liu, Col. 10 (Lines 60-65).

Regarding claim 2, Hecht as modified by Sheets in view of Liu teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to update authorization data within an authorization database using the new authorization code (Hecht, Para. [0050], discloses that the security server 104 may be a system including one or more processors configured to interact with network environment 102 to update and manage credentials (such as passwords, keys, tokens, certificates, and other privilege data) for access-restricted resources (e.g., servers 110, databases 112, workstation 114, user device 116, and user accounts 118), and/or as disclosed in Para. [0062], for example, the security server 104 may receive an indication to rotate a password according to the network environment 102's security policy. The security policy may require a periodic update of passwords, an event-based update (e.g., based on a potential security threat, a request for access to an access-restricted resource, etc.), or another type of update).  

Regarding claim 4, Hecht as modified by Sheets in view of Liu teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (Hecht, Para. [0050], discloses that the security server may include one or more processors configured to, and as disclosed on Para. [0033], execute software instructions stored on the tangible computer-readable media to): detect a second authorization request to access the resource (Hecht, Para. [0029] and/or claim 24, discloses to identifying an attempted privileged access session, and as further disclosed in Para. [0030] and/or claim 25, wherein the attempted privileged access session may include an attempt by an identity to access an access-restricted network resource); 
receive the new authorization code from the authorization device associated with the second authorization request (Hecht, Para. [0029] and/or claim 24, discloses that the attempted privileged access session including an attempted use of a second authentication credential, and as disclosed in Para. [0031] and/or claim 26, wherein the attempted use of the second authentication credential may include the identity providing the second authentication credential to be authenticated); 
attempt to validate the new authorization code using an authorization database; determine that the new authorization code matches the data within the authorization database (Hecht, Para. [0065], discloses that, at step 408, the security server 104 may validate the new password containing the secret data element. For example, if an account requests a password change on a domain controller (DC) (e.g., in response to an identity seeking access to an access-restricted network resource), the password may first be validated by a solution agent installed on the DC or on another target credential host, and as disclosed in Para. [0066], wherein the solution agent may query the vault 108 (i.e., database) for the secret data element "on-demand". The vault 108 may return the secret data element, which is in turn validated by the solution agent, and as further disclosed in Para. [0069], at step 410, the new password is validated (and/or matches the data received from vault 108)); and 
grant the authorization request to access the resource (Hecht, Para. [0049], discloses that a network resource may be, for example, any secure device, application, database, virtualized computing instance, or network that requires an identity to be authenticated before accessing the resource, such as disclosed in Para. [0031], wherein the second authentication credential, provided by the identity, to be authenticated/validated at step 408 of Fig. 4 and/or at step 510 of Fig. 5).  

Regarding claims 8-9 and 11, the claims are drawn to the computer program product corresponding to the system of using same as claimed in claims 1-2 and 4, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 1-2 and 4 is equally applicable to the claims 8-9 and 11 of the computer program product, respectively.

Regarding claims 14-15 and 17, the claims are drawn to the computer implemented-method corresponding to the system of using same as claimed in claims 1-2 and 4, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 1-2 and 4 is equally applicable to the claims 14-15 and 17 of the computer implemented-method, respectively.

Claims 3, 5-6, 10, 12-13, 16 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht in view of Sheets and Liu, as applied above, and further in view of DOLAN; Gerald et al. (US 2011/0185403 A1).

Regarding claim 3, Hecht as modified by Sheets in view of Liu teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (See Hecht, Para. [0050]): 
Hecht as modified by Sheets in view of Liu fails to disclose but Dolan teaches attempt to validate the authorization code using an authorization database (Dolan, Para. [0035], discloses that the authentication module 106 determines, through the local user database 108 associated with the identified resource, whether the identified user is authenticated and is allowed to access the identified resource based on the received password); 
determine that the authorization code matches the data within the authorization database; and grant the authorization request to access the resource (Dolan, Para. [0036], discloses that if the received and stored passwords match (208), then the authentication module 106 informs (210) the network resource 110 that the identified user is authenticated and authorized to use the network resource 110).  
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Dolan’ into the teachings of ‘Hecht’ as modified by ‘Sheets’ in view of ‘Liu’, with a motivation to determine that the authorization code matches the data within the authorization database, and grant the authorization request to access the resource, as taught by Dolan, in order to ensure that only authorized users are able to access network resources such as services, applications, files, data, and the like; Dolan, Para. [0001].

Regarding claim 5, Hecht as modified by Sheets in view of Liu teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (See Hecht, Para. [0050]): 
Hecht as modified by Sheets in view of Liu fails to disclose but Dolan teaches attempt to validate the authorization code using an authorization database (Dolan, Para. [0035], discloses that the authentication module 106 determines, through the local user database 108 associated with the identified resource, whether the identified user is authenticated and is allowed to access the identified resource based on the received password, etc.); 
determine that the authorization code does not match the data within the authorization database; and reject the authorization request to access the resource (Dolan, Para. [0036], discloses that if the received and stored passwords match (208), then the authentication module 106 informs (210) the network resource 110 that the identified user is authenticated and authorized to use the network resource 110. Otherwise, access to the network resource 110 is refused (212)).  
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Dolan’ into the teachings of ‘Hecht’ as modified by ‘Sheets’ in view of ‘Liu’, with a motivation to determine that the authorization code matches the data within the authorization database, and reject the authorization request to access the resource, as taught by Dolan, in order to ensure that only authorized users are able to access network resources such as services, applications, files, data, and the like; Dolan, Para. [0001].

Regarding claim 6, Hecht as modified by Sheets in view of Liu and Dolan teaches the system according to claim 5, wherein Hecht further teaches the computer-readable program code further causes the processing device to transmit an alert to one or more users, wherein the alert indicates that the authorization device has been compromised (Hecht, Para. [0069], discloses that the system 100/200 (e.g., through security server 104) may generate an alert to send to one or more system administrators or a security team indicating that an unauthorized attempt to modify a password was made by a potential attacker, and as disclosed in Para. [0052], by compromising an identity 118 (i.e., machine, device, etc.) in network environment 102).  

Regarding claims 10 and 12-13, the claims are drawn to the computer program product corresponding to the system of using same as claimed in claims 3 and 5-6, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 3 and 5-6 is equally applicable to the claims 10 and 12-13 of the computer program product, respectively.

Regarding claims 16 and 18-19, the claims are drawn to the computer implemented-method corresponding to the system of using same as claimed in claims 3 and 5-6, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 3 and 5-6 is equally applicable to the claims 16 and 18-19 of the computer implemented-method, respectively.

Claims 7 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht in view of Sheets and Liu, as applied above, and further in view of Norton; Derk (US 2017/0272245 A1), hereinafter (Norton).

Regarding claim 7, Hecht as modified by Sheets in view of Liu teaches the system according to claim 1, wherein Hecht as modified by Sheets in view of Liu fails to teach but Norton teaches the one or more operations comprises a XOR operation (Norton, Para. [0006], discloses to perform an “exclusive-or” or XOR operation on the outputted hash, such as follows S=XOR(HASH(A), HASH(P))).  
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Norton’ into the teachings of ‘Hecht’ as modified by ‘Sheets’ in view of ‘Liu’, with a motivation to perform XOR operation on the computed hash, in order to generate an secret/authentication key; Norton, Para. [0006].

Regarding claim 20, the claim is drawn to the computer implemented-method corresponding to the system of using same as claimed in claim 7. Therefore, the rejection(s) set forth above with respect to the system claim 7 is equally applicable to the claim 20 of the computer implemented-method, respectively.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose contact number is 571-272-1239. The examiner can normally be reached on Monday-Friday: 8:00AM – 4:00PM.
 If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALI CHEEMA/
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496