DETAILED ACTION

Remarks

1.	Pending claims for reconsideration are 1-20.  

Response to Arguments

2.	Applicant's arguments filed 11/12/2019 have been fully considered but they are not persuasive. 

In the remarks, applicant argues in substance:
	
a.        That- While different in scope, independent claims 10 and 18 recite similar subject matter. As discussed during the interview, Hammad and Shepler, alone or in any combination, do not teach or suggest the subject matter of claim 1 recited above. The Office Action cites to col. 11, lines 61-64 of Hammad for this subject matter, while citing Shepler for other purposes. Applicant respectfully disagrees. Instead, col. 11, lines 61-64, of Hammad state: In action #6, the MPI sends a Payer Authentication Request (PAReq) to the Access Control Server (ACS) via the card holder's computing device using the URL for the ACS provided to it by the Directory Server. This passage of Hammad does not teach or suggest any device including, into a response from a server to a client, a URL with one or more randomly generated characters within a predetermined character space, as in claim 1.

Response to applicant’s argument: The claim language has been interpreted in its broadest most reasonable interpretation in light of the specification. Hammad discloses an intermediary device via the validation entity 80 which is a communication link between the user computer 10 ([Fig.5]) and amongst a plurality of clients (merchants 20, acquiring bank 50, issuing bank 60) and servers (directory server, authentication history server, and validation server [Fig.5]). Hammad figure 8/item 140 further discloses in its broadest interpretation a first request from a first client of the plurality of clients to a server of the plurality of servers via a connection between the device and the first client by establishing a link between verification token and computer (client) having network facility ([Fig.8/item 140]). Hammad Col.11/lines 61-64 discloses the limitation “including, by the device into a response from the server to the first client, a uniform resource locator (URL) comprising one or more randomly generated characters within a predetermined character space” by teaching in action #6, the MPI sends a Payer Authentication Request (PAReq) to the Access Control Server (ACS) via the card holder's computing device using the URL for the ACS provided to it by the Directory Server ([Col.11/lines 61-64]).



b.        That- While different in scope, independent claims 10 and 18 recite similar subject matter. As discussed during the interview, Hammad and Shepler, alone or in any combination, do not teach or suggest the subject matter of claim 1 recited above. The Office Action cites to col. 7, lines 36-39, and FIG. 4 of Shepler for this subject matter, while citing Hammad for other purposes. Applicant respectfully disagrees. Instead, col. 7, lines 35-39 of Shepler state: At decisional block 436, a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440. This passage of Shepler does not teach or suggest any device determining that a client has an autonomous program responsive to receiving a second request from the client using the URL, as in claim 1.

Response to applicant’s argument: It is the combination of Hammad and Shepler that teaches the claimed language, neither Hammad nor Shepler alone. Shepler in its broadest most reasonable interpretation in light of the applicant’s specification discloses an autonomous event via the determination module which determines whether an IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 (Shepler[Col.7/lines 36-39]).




Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


3.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 9,105,027 B2 to Hammad et al. (hereafter referenced as Hammad), in view of Patent No.: US 9,542,545 B2 to Shepler et al. (hereafter referenced as Shepler).
Regarding claim 1, Hammad discloses “a method comprising: receiving, by a device intermediary (validation entity 80 [Fig.5]) to a plurality of clients (user device 1[Fig.1], also see portable consumer device 5[Fig.1], user’s com device 7[Fig.1]) and a plurality of servers” (Validation entity 80 comprises a system having one or more servers coupled to a communications network [Col.33/lines 26-29]), “a first request from a first client of the plurality of clients to a server of the plurality of servers via a connection between the device and the first client” (establish a link between verification token and computer having network facility [Fig.8/item 140]);
“including, by the device into a response from the server to the first client, a uniform resource locator (URL) comprising one or more randomly generated characters within a predetermined character space” (In action #6, the MPI sends a Payer Authentication Request (PAReq) to the Access Control Server (ACS) via the card holder's computing device using the URL for the ACS provided to it by the Directory Server [Col.11/lines 61-64]).
Hammad does not explicitly disclose “determining, by the device, that the first client has an autonomous program responsive to receiving a second request from the first client using the URL; and terminating, by the device responsive to the determination, the connection to the first client.”
However, Shepler in an analogous art discloses “determining, by the device, that the first client has an autonomous program responsive to receiving a second request (request email address Shepler[Fig.4/item 404]) from the first client using the URL (generate URL with token Shepler[Fig.4/item 414]); and terminating, by the device responsive to the determination, the connection to the first client.” (a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 Shepler[Col.7/lines 36-39]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Hammad’s URL identification process with Shepler’s authentication process in which an access request is received from a user for a secure resource via the transmission of a uniform resource locator (URL) to the user via an electronic mail message in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Hammad teaches a URL identification process, Shepler discloses an authentication process requiring an access request being received from a user for a secure resource via the transmission of a uniform resource locator (URL) to the user via an electronic mail message, and both are from the same field of endeavor.
Regarding claim 2 in view of claim 1, the references combined disclose “further comprising: generating, by the device, the URL to include one or more random alphanumeric characters” (generate URL with token Shepler[Fig.4/item 414]).
Regarding claim 3 in view of claim 1, the references combined disclose “further comprising: generating, by the device, the URL to be one of blank or invisible on a web page displayed on one or more clients of the plurality of clients” (a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 [Col.7/lines 36-39]).
Regarding claim 4 in view of claim 1, the references combined disclose “further comprising: generating, by the device, a plurality of URLs within a web page” (verification tokens 40 may store the URIDs to their respective associated validation entities 80 Hammad[Col.22/lines 20-23]), “the plurality of URLs including the URL comprising the one or more randomly generated characters and one or more URLs corresponding to one or more valid addresses of one or more other web pages.” (URID – verification token comprising URL Hammad[Col.22/lines 20-23]).
Regarding claim 5 in view of claim 1, the references combined disclose “further comprising: generating, by the device, a session associated with the URL having a time out value” (module 320 utilizes timing data 324 to limit the availability of a particular URL 362 Shepler[Col.6/lines 59-60]); “determining, by the device, the URL has been available to the first client for a period of time equal to the time out value” (record timestamp for URL transmission Shepler[Fig.4/item 420]); “and terminating, by the device, the session and the URL.” (a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 Shepler[Col.7/lines 36-39]).
Regarding claim 6 in view of claim 5, the references combined disclose “further comprising: including, by the device, a subsequent URL in a subsequent response to the first client, the subsequent URL associated with a subsequent session.” (record timestamp of URL access request Shepler[Fig.4/item 424]).
Regarding claim 7 in view of claim 1, the references combined disclose “further comprising: providing, by the device, the response with the URL to multiple clients of the plurality of clients connected to the device” (responsive to validating the IP address corresponding to the URL request with the IP address of the access request, providing access to the secure resource Shepler[Col.1/lines 61-64]).
Regarding claim 8 in view of claim 1, the references combined disclose “further comprising: providing, by the device, the first request to the server, the first request including a Hypertext Transfer Protocol (HTTP) request; and receiving, by the device, the response from the server, the response including an HTTP response” (Authentication Page with additional parameters added to the URL that contain the information of the posting fields, preferably in encrypted form under an SSL session/https posting Hammad[Col.25/lines 20-24]).
Regarding claim 9 in view of claim 8, the references combined disclose “further comprising: modifying, by the device, the HTTP response from the server to include the URL; and providing, by the device to the first client, the HTTP response with the URL.” (Authentication Page with additional parameters added to the URL that contain the information of the posting fields, preferably in encrypted form under an SSL session/https posting Hammad[Col.25/lines 20-24]).
Regarding claim 10, Hammad discloses “a system comprising: a device intermediary (validation entity 80 [Fig.1]) to a plurality of clients (user device 1[Fig.1], also see portable consumer device 5[Fig.1], user’s com device 7[Fig.1]) and a plurality of servers” (Validation entity 80 comprises a system having one or more servers coupled to a communications network [Col.33/lines 26-29]), “the device comprising one or more processors coupled to memory; and wherein the device is configured to: receive a first request from a first client of the plurality of clients to a server of the plurality of servers via a connection between the device and the first client” (establish a link between verification token and computer having network facility [Fig.8/item 140]); “include, into a response from the server to the first client, a uniform resource locator (URL) comprising one or more randomly generated characters within a predetermined character space” (In action #6, the MPI sends a Payer Authentication Request (PAReq) to the Access Control Server (ACS) via the card holder's computing device using the URL for the ACS provided to it by the Directory Server [Col.11/lines 61-64]).

Hammad does not explicitly disclose “determine that the first client has an autonomous program responsive to receiving a second request from the first client using the URL; and terminate, responsive to the determination, the connection to the first client” 
However, Shepler in an analogous art discloses “determine that the first client has an autonomous program responsive to receiving a second request (request email address Shepler[Fig.4/item 404]) from the first client using the URL” (generate URL with token Shepler[Fig.4/item 414]); “and terminate, responsive to the determination, the connection to the first client” (a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 Shepler[Col.7/lines 36-39]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Hammad’s URL identification process with Shepler’s authentication process in which an access request is received from a user for a secure resource via the transmission of a uniform resource locator (URL) to the user via an electronic mail message in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Hammad teaches a URL identification process, Shepler discloses an authentication process requiring an access request being received from a user for a secure resource via the transmission of a uniform resource locator (URL) to the user via an electronic mail message, and both are from the same field of endeavor.
Regarding claim 11 in view of claim 10, the references combined disclose “wherein the device is further configured to: generate the URL to include one or more random alphanumeric characters” (generate URL with token Shepler[Fig.4/item 414]).
Regarding claim 12 in view of claim 10, the references combined disclose “wherein the device is further configured to: generate the URL to be one of blank or invisible on a web page displayed on one or more clients of the plurality of clients” (a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 [Col.7/lines 36-39]).
Regarding claim 13 in view of claim 10, the references combined disclose “wherein the device is further configured to: generate a plurality of URLs within a web page” (verification tokens 40 may store the URIDs to their respective associated validation entities 80 Hammad[Col.22/lines 20-23]), “the plurality of URLs including the URL comprising the one or more randomly generated characters and one or more URLs corresponding to one or more valid addresses of one or more other web pages” (URID – verification token comprising URL Hammad[Col.22/lines 20-23]).
Regarding claim 14 in view of claim 10, the references combined disclose “wherein the device is further configured to: generate a session associated with the URL having a time out value” (module 320 utilizes timing data 324 to limit the availability of a particular URL 362 Shepler[Col.6/lines 59-60]); “determine the URL has been available to the first client for a period of time equal to the time out value” (record timestamp for URL transmission Shepler[Fig.4/item 420]); “and terminate the session and the URL.” (a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 Shepler[Col.7/lines 36-39]).
Regarding claim 15 in view of claim 14, the references combined disclose “wherein the device is further configured to: include a subsequent URL in a subsequent response to the first client, the subsequent URL associated with a subsequent session” (record timestamp of URL access request Shepler[Fig.4/item 424]).
Regarding claim 16 in view of claim 10, the references combined disclose “wherein the device is further configured to: provide the first request to the server, the first request including a Hypertext Transfer Protocol (HTTP) request; and receive the response from the server, the response including an HTTP response” (Authentication Page with additional parameters added to the URL that contain the information of the posting fields, preferably in encrypted form under an SSL session/https posting Hammad[Col.25/lines 20-24]).
Regarding claim 17 in view of claim 16, the references combined disclose “wherein the device is further configured to: modify the HTTP response from the server to include the URL; and provide, to the first client, the HTTP response with the URL” (Authentication Page with additional parameters added to the URL that contain the information of the posting fields, preferably in encrypted form under an SSL session/https posting Hammad[Col.25/lines 20-24]).


Regarding claim 18, Hammad discloses “a non-transitory computer readable medium storing program instructions for causing one or more processors to: receive a first request from a first client of a plurality of clients (user device 1[Fig.1], also see portable consumer device 5[Fig.1], user’s com device 7[Fig.1]) to a server of a plurality of servers (Validation entity 80 comprises a system having one or more servers coupled to a communications network [Col.33/lines 26-29]) via a connection to the first client” (establish a link between verification token and computer having network facility [Fig.8/item 140]); “include, into a response from the server to the first client, a uniform resource locator (URL) comprising one or more randomly generated characters within a predetermined character space” (In action #6, the MPI sends a Payer Authentication Request (PAReq) to the Access Control Server (ACS) via the card holder's computing device using the URL for the ACS provided to it by the Directory Server [Col.11/lines 61-64]).
Hammad does not explicitly disclose “determine that the first client has an autonomous program responsive to receiving a second request from the first client using the URL; and terminate, responsive to the determination, the connection to the first client.”
However, Shepler in an analogous art discloses “determine that the first client has an autonomous program responsive to receiving a second request (request email address Shepler[Fig.4/item 404]) from the first client using the URL” (generate URL with token Shepler[Fig.4/item 414]); “and terminate, responsive to the determination, the connection to the first client” (a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 Shepler[Col.7/lines 36-39]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Hammad’s URL identification process with Shepler’s authentication process in which an access request is received from a user for a secure resource via the transmission of a uniform resource locator (URL) to the user via an electronic mail message in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Hammad teaches a URL identification process, Shepler discloses an authentication process requiring an access request being received from a user for a secure resource via the transmission of a uniform resource locator (URL) to the user via an electronic mail message, and both are from the same field of endeavor.
Regarding claim 19 in view of claim 18, the references combined disclose “wherein the program instructions further cause the one or more processors to: generate a session associated with the URL having a time out value” (module 320 utilizes timing data 324 to limit the availability of a particular URL 362 Shepler[Col.6/lines 59-60]); “determine the URL has been available to the first client for a period of time equal to the time out value; and terminate the session and the URL” (a determination is made by module 320 whether IP address 344 matches IO address 342. If not, the method proceeds to block 410, where an error message is returned. If so, the method proceeds to block 440 Shepler[Col.7/lines 36-39]).

Regarding claim 20 in view of claim 19, the references combined disclose “wherein the program instructions further cause the one or more processors to: include a subsequent URL in a subsequent response to the first client, the subsequent URL associated with a subsequent session” (record timestamp of URL access request Shepler[Fig.4/item 424]).


Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL D ANDERSON/Examiner, Art Unit 2433          

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433