DETAILED ACTION
Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
This action is in reply to the first amendment to non-final filed on June 29, 2022.
Claims 1, 6, and 11 have been amended and are hereby entered.
Claims 1–11 are currently pending and have been examined.
This action is made FINAL.
Response to Amendment
The amendment filed June 29, 2022 has been entered.  Claims 1–11 remain pending in the application.
Claim Objections
Claims 6 and 11 are objected to because of the following informalities:
In claim 6, line 14; and claim 11, line 15, “by extracting content” should read “extracting content”.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
The following is a quotation of 35 U.S.C. 101:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
	
Claims 1–11 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
First of all, claims must be directed to one or more of the following statutory categories: a process, a machine, a manufacture, or a composition of matter.  Claims 1–5 are directed to a process (“A method”), and claims 6–11 are directed to a machine (“A system” and “A computer program product”).  Thus, claims 1–11 satisfy Step One because they are all within one of the four statutory categories of eligible subject matter.
Claims 1–11, however, are directed to an abstract idea without significantly more.  For claim 1, the specific limitations that recite an abstract idea are:
receiving . . . a first data communication comprising an OTP associated with a requested . . . transaction;
identifying a validity period associated with the OTP;
receiving . . ., during the identified validity period associated with the OTP, a second data communication from a remote entity; 
detecting that the second data communication is received during the identified validity period associated with the OTP; 
in response to detecting that the second data communication is received during the identified validity period associated with the OTP, extracting content from the second data communication;
analyzing the extracted content and generating a risk decision based on output of the analysis of the extracted content, wherein the risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker; and
responsive to the risk decision determining that the remote entity comprises, or is controlled by, a malicious attacker, initiating a risk mitigation process..
The claims, therefore, recite risk mitigation for a transaction, which is the abstract idea of methods of organizing human activity because they recite a commercial interaction and the fundamental economic practice of mitigating risk.  The additional elements of the claims are various generic computer components to implement this abstract idea (“terminal device”, “electronic transaction”, “issuer server”, and “non-transitory computer readable medium”).
The additional elements are not integrated into a practical application because the invention merely applies the abstract idea to generic computer technology, using the computer to receive information and perform a risk analysis.  Because the invention is using the computer simply as a tool to perform the abstract idea on, the judicial exception is not integrated into a practical application.  
Finally, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, as discussed above, the additional elements are at a high level of generality such that they amount to no more than mere instructions to apply the abstract idea using generic components.  Because merely “applying” the exception using generic computer components cannot provide an inventive concept, claim 1 is not patent eligible.
Independent claims 6 and 11 are rejected as ineligible subject matter under 35 U.S.C. 101 for substantially the same reasons as independent method claim 1.  There are no additional elements recited in these claims other than the generic computer parts discussed above.  The only differences are that the steps of claim 1 are performed by a system in claim 6 and implemented by computer program instructions in claim 11.  Thus, because the same analysis should be used for all categories of claims, claims 6 and 11 are also not patent eligible.  See Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 134 S. Ct. 2347, 2354 (2014).
Dependent claims 2–5 and 7–10 have been given the full two part analysis, analyzing the additional limitations both individually and in combination.  The dependent claims, when analyzed individually and in combination, are also held to be patent ineligible under 35 U.S.C. 101.  
For claims 2 and 7, the additional recited limitations of these claims merely further narrow the abstract idea discussed above.  These dependent claims only narrow the risk mitigation recited in claims 1 and 6 by further specifying the validity period—“a time period within which the OTP is capable of identity authentication for the requested electronic transaction”.  The limitations of these claims fail to integrate the abstract idea into a practical application because these claims do not introduce additional elements other than the generic components discussed above.  These dependent claims, therefore, also amount to merely using a computer, in its ordinary capacity, as a tool to perform the abstract idea.  Finally, the additional recited limitations of these dependent claims fail to establish that the claims provide an inventive concept because claims that merely use a computer, in its ordinary capacity, as a tool to perform the abstract idea cannot provide an inventive concept.
For claims 3 and 8, the additional recited limitations of these claims merely further narrow the abstract idea discussed above.  These dependent claims only narrow the risk mitigation recited in claims 1 and 6 by further specifying the validity period determination—“based on content of the first data communication”.  The limitations of these claims fail to integrate the abstract idea into a practical application because these claims do not introduce additional elements other than the generic components discussed above.  These dependent claims, therefore, also amount to merely using a computer, in its ordinary capacity, as a tool to perform the abstract idea.  Finally, the additional recited limitations of these dependent claims fail to establish that the claims provide an inventive concept because claims that merely use a computer, in its ordinary capacity, as a tool to perform the abstract idea cannot provide an inventive concept.
For claims 4 and 9, the additional recited limitations of these claims merely further narrow the abstract idea discussed above.  These dependent claims only narrow the risk mitigation recited in claims 1 and 6 by further specifying the content analysis—“input to one or more risk scoring data models”.  The limitations of these claims fail to integrate the abstract idea into a practical application because these claims do not introduce additional elements other than the generic components discussed above.  These dependent claims, therefore, also amount to merely using a computer, in its ordinary capacity, as a tool to perform the abstract idea.  Finally, the additional recited limitations of these dependent claims fail to establish that the claims provide an inventive concept because claims that merely use a computer, in its ordinary capacity, as a tool to perform the abstract idea cannot provide an inventive concept.
For claims 5 and 10, the additional recited limitations of these claims merely further narrow the abstract idea discussed above.  These dependent claims only narrow the risk mitigation recited in claims 1 and 6 by further specifying the risk mitigation process—“initiating a display of a security threat alert”, “initiating transmission of a security threat alert”, “terminating the electronic transaction”, “invalidating the received OTP”, “terminating communication between the terminal device and the remote entity”, “adding the remote entity to a blacklist”, or “updating one or more risk scoring data models”.  The limitations of these claims fail to integrate the abstract idea into a practical application because these claims do not introduce additional elements other than the generic components discussed above.  These dependent claims, therefore, also amount to merely using a computer, in its ordinary capacity, as a tool to perform the abstract idea.  Finally, the additional recited limitations of these dependent claims fail to establish that the claims provide an inventive concept because claims that merely use a computer, in its ordinary capacity, as a tool to perform the abstract idea cannot provide an inventive concept.
Claim Rejections - 35 USC § 103
In the event that the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for determining obviousness under 35 U.S.C. 103 are summarized as follows:
(1)	Determining the scope and contents of the prior art.
(2)	Ascertaining the differences between the prior art and the claims at issue.
(3)	Resolving the level of ordinary skill in the pertinent art.
(4)	Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4–7, and 9–11 are rejected under 35 U.S.C. 103 as being unpatentable over Gill et al., U.S. Patent App. No. 2015/0215310 (“Gill”) in view of Goodman et al., U.S. Patent App. No. 2006/0123464 (“Goodman”) and Kim et al., U.S. Patent App. No. 2007/0153733 (“Kim”).
For claim 1, Gill teaches:
A method for securing electronic transaction one-time-passwords (OTPs) against phishing attacks, comprising implementing at a terminal device, the steps of (¶ 40–41: example method at user device):
receiving at the terminal device, a first data communication comprising an OTP associated with a requested electronic transaction (¶ 13: customer receives one-time password for transaction);
identifying a validity period associated with the OTP (¶ 35: one-time password may expire after period of time) . . ..
Gill does not teach: receiving at the terminal device, during the identified validity period associated with the OTP, a second data communication from a remote entity; detecting that the second data communication is received during the identified validity period associated with the OTP; and in response to detecting that the second data communication is received during the identified validity period associated with the OTP, extracting content from the second data communication; analyzing the extracted content and generating a risk decision based on output of the analysis of the extracted content, wherein the risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker; responsive to the risk decision determining that the remote entity comprises, or is controlled by, a malicious attacker, initiating a risk mitigation process.
	Goodman, however, teaches:
receiving at the terminal device, . . . a second data communication from a remote entity (¶ 54: communication received);
 . . . extracting content from the second data communication (¶ 55: content of communication analyzed);
analyzing the extracted content and generating a risk decision based on output of the analysis of the extracted content, wherein the risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker (¶ 77, 57–58: various analyses to determine if content indicates phishing); and
responsive to the risk decision determining that the remote entity comprises, or is controlled by, a malicious attacker, initiating a risk mitigation process (¶ 38: warning provided to user if phishing determined).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill by adding the phishing analysis from Goodman.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of providing protections against phishing—a benefit explicitly disclosed by Goodman (¶ 3–4: risks from deceptive phishing communications; ¶ 5: invention provides phishing detection, prevention, and notification).
The combination of Gill and Goodman does not teach: during the identified validity period associated with the OTP; detecting that the second data communication is received during the identified validity period associated with the OTP; and in response to detecting that the second data communication is received during the identified validity period associated with the OTP.
	Kim, however, teaches:
during the identified validity period associated with the OTP (¶ 83: message received during valid period);
detecting that the second data communication is received during the identified validity period associated with the OTP (¶ 83: messages monitored and detected as being received during valid period); and
in response to detecting that the second data communication is received during the identified validity period associated with the OTP (¶ 77: process proceeds based on determining message received within valid period).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill and the phishing analysis in Goodman by adding the valid period from Kim.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of ensuring effectiveness of the temporary ID—a benefit explicitly disclosed by Kim (¶ 50: monitoring messages during valid period ensures temporary IDs work). 
For claim 2, Gill, Goodman, and Kim teach all the limitations of claim 1 above, and Gill further teaches:
The method as claimed in claim 1, wherein the validity period associated with the OTP is a time period within which the OTP is capable of identity authentication for the requested electronic transaction (¶ 35: one-time password may expire after period of time; ¶ 23: one-time password indicated user authentication).
For claim 4, Gill, Goodman, and Kim teach all the limitations of claim 1 above, and Goodman further teaches:
The method as claimed in claim 1, wherein analyzing the content extracted from the second data communication comprises presenting the extracted content as input to one or more risk scoring data models that are configured to score a likelihood that the remote entity comprises, or is controlled by, a malicious attacker (¶ 102: detection engine may obtain suspicion score indicating likelihood of phishing).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill and the valid period in Kim by adding the phishing analysis from Goodman.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of providing protections against phishing—a benefit explicitly disclosed by Goodman (¶ 3–4: risks from deceptive phishing communications; ¶ 5: invention provides phishing detection, prevention, and notification).
For claim 5, Gill, Goodman, and Kim teach all the limitations of claim 1 above, and Goodman further teaches:
The method as claimed in claim 1, wherein the risk mitigation process comprises any of: initiating a display of a security threat alert on a display of the terminal device; initiating transmission of a security threat alert to an issuer server involved in the electronic transaction; terminating the electronic transaction; invalidating the received OTP; terminating communication between the terminal device and the remote entity; adding the remote entity to a blacklist; and updating one or more risk scoring data models based on parameters of the second data communication. (¶ 38: warning provided to user if phishing determined; ¶ 24: user interface display).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill and the valid period in Kim by adding the phishing analysis from Goodman.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of providing protections against phishing—a benefit explicitly disclosed by Goodman (¶ 3–4: risks from deceptive phishing communications; ¶ 5: invention provides phishing detection, prevention, and notification).
For claim 6, Gill teaches:
A system for securing electronic transaction one-time-passwords (OTPs) against phishing attacks, comprising a terminal device configured for implementing the steps of (¶ 40–41: example system for implementing method through user device):
receiving at the terminal device, a first data communication comprising an OTP associated with a requested electronic transaction (¶ 13: customer receives one-time password for transaction);
identifying a validity period associated with the OTP (¶ 35: one-time password may expire after period of time) . . ..
Gill does not teach: receiving at the terminal device, during the identified validity period associated with the OTP, a second data communication from a remote entity; detecting that the second data communication is received during the identified validity period associated with the OTP; and in response to detecting that the second data communication is received during the identified validity period associated with the OTP, by extracting content from the second data communication; analyzing the extracted content and generating a risk decision based on output of the analysis of the extracted content, wherein the risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker; responsive to the risk decision determining that the remote entity comprises, or is controlled by, a malicious attacker, initiating a risk mitigation process.
	Goodman, however, teaches:
receiving at the terminal device, . . . a second data communication from a remote entity (¶ 54: communication received);
 . . . by extracting content from the second data communication (¶ 55: content of communication analyzed);
analyzing the extracted content and generating a risk decision based on output of the analysis of the extracted content, wherein the risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker (¶ 77, 57–58: various analyses to determine if content indicates phishing); and
responsive to the risk decision determining that the remote entity comprises, or is controlled by, a malicious attacker, initiating a risk mitigation process (¶ 38: warning provided to user if phishing determined).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill by adding the phishing analysis from Goodman.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of providing protections against phishing—a benefit explicitly disclosed by Goodman (¶ 3–4: risks from deceptive phishing communications; ¶ 5: invention provides phishing detection, prevention, and notification).
The combination of Gill and Goodman does not teach: during the identified validity period associated with the OTP; detecting that the second data communication is received during the identified validity period associated with the OTP; and in response to detecting that the second data communication is received during the identified validity period associated with the OTP.
	Kim, however, teaches:
during the identified validity period associated with the OTP (¶ 83: message received during valid period);
detecting that the second data communication is received during the identified validity period associated with the OTP (¶ 83: messages monitored and detected as being received during valid period); and
in response to detecting that the second data communication is received during the identified validity period associated with the OTP (¶ 77: process proceeds based on determining message received within valid period).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill and the phishing analysis in Goodman by adding the valid period from Kim.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of ensuring effectiveness of the temporary ID—a benefit explicitly disclosed by Kim (¶ 50: monitoring messages during valid period ensures temporary IDs work). 
For claim 7, Gill, Goodman, and Kim teach all the limitations of claim 6 above, and Gill further teaches:
The system as claimed in claim 6, wherein the validity period associated with the OTP is a time period within which the OTP is capable of identity authentication for the requested electronic transaction (¶ 35: one-time password may expire after period of time; ¶ 23: one-time password indicated user authentication).
For claim 9, Gill, Goodman, and Kim teach all the limitations of claim 6 above, and Goodman further teaches:
The system as claimed in claim 6, wherein analyzing the content extracted from the second data communication comprises presenting the extracted content as input to one or more risk scoring data models that are configured to score a likelihood that the remote entity comprises, or is controlled by, a malicious attacker (¶ 102: detection engine may obtain suspicion score indicating likelihood of phishing).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill and the valid period in Kim by adding the phishing analysis from Goodman.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of providing protections against phishing—a benefit explicitly disclosed by Goodman (¶ 3–4: risks from deceptive phishing communications; ¶ 5: invention provides phishing detection, prevention, and notification).
For claim 10, Gill, Goodman, and Kim teach all the limitations of claim 6 above, and Goodman further teaches:
The system as claimed in claim 6, wherein the risk mitigation process comprises any of initiating a display of a security threat alert on a display of the terminal device; initiating transmission of a security threat alert to an issuer server involved in the electronic transaction; terminating the electronic transaction; invalidating the received OTP; terminating communication between the terminal device and the remote entity; adding the remote entity to a blacklist; and updating one or more risk scoring data models based on parameters of the second data communication (¶ 38: warning provided to user if phishing determined; ¶ 24: user interface display).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill and the valid period in Kim by adding the phishing analysis from Goodman.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of providing protections against phishing—a benefit explicitly disclosed by Goodman (¶ 3–4: risks from deceptive phishing communications; ¶ 5: invention provides phishing detection, prevention, and notification).
For claim 11, Gill teaches:
A computer program product for securing electronic transaction one-time- passwords (OTPs) against phishing attacks, comprising a non-transitory computer readable medium having a computer readable program code embodiment therein, the computer readable program code comprising instructions for (¶ 48: instructions from memory executed by processor):
receiving at a terminal device, a first data communication comprising an OTP associated with a requested electronic transaction (¶ 13: customer receives one-time password for transaction);
identifying a validity period associated with the OTP (¶ 35: one-time password may expire after period of time) . . ..
Gill does not teach: receiving at the terminal device, during the identified validity period associated with the OTP, a second data communication from a remote entity; detecting that the second data communication is received during the identified validity period associated with the OTP; and in response to detecting that the second data communication is received during the identified validity period associated with the OTP, by extracting content from the second data communication; analyzing the extracted content and generating a risk decision based on output of the analysis of the extracted content, wherein the risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker; responsive to the risk decision determining that the remote entity comprises, or is controlled by, a malicious attacker, initiating a risk mitigation process.
	Goodman, however, teaches:
receiving at the terminal device, . . . a second data communication from a remote entity (¶ 54: communication received);
 . . . by extracting content from the second data communication (¶ 55: content of communication analyzed);
analyzing the extracted content and generating a risk decision based on output of the analysis of the extracted content, wherein the risk decision determines whether the remote entity comprises, or is controlled by, a malicious attacker (¶ 77, 57–58: various analyses to determine if content indicates phishing); and
responsive to the risk decision determining that the remote entity comprises, or is controlled by, a malicious attacker, initiating a risk mitigation process (¶ 38: warning provided to user if phishing determined).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill by adding the phishing analysis from Goodman.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of providing protections against phishing—a benefit explicitly disclosed by Goodman (¶ 3–4: risks from deceptive phishing communications; ¶ 5: invention provides phishing detection, prevention, and notification).
The combination of Gill and Goodman does not teach: during the identified validity period associated with the OTP; detecting that the second data communication is received during the identified validity period associated with the OTP; and in response to detecting that the second data communication is received during the identified validity period associated with the OTP.
	Kim, however, teaches:
during the identified validity period associated with the OTP (¶ 83: message received during valid period);
detecting that the second data communication is received during the identified validity period associated with the OTP (¶ 83: messages monitored and detected as being received during valid period); and
in response to detecting that the second data communication is received during the identified validity period associated with the OTP (¶ 77: process proceeds based on determining message received within valid period).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill and the phishing analysis in Goodman by adding the valid period from Kim.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of ensuring effectiveness of the temporary ID—a benefit explicitly disclosed by Kim (¶ 50: monitoring messages during valid period ensures temporary IDs work). 
Claims 3 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Gill et al., U.S. Patent App. No. 2015/0215310 (“Gill”) in view of Goodman et al., U.S. Patent App. No. 2006/0123464 (“Goodman”); Kim et al., U.S. Patent App. No. 2007/0153733 (“Kim”); and Agarwal et al., U.S. Patent App. No. 2019/0306159 (“Agarwal”).
For claim 3, Gill, Goodman, and Kim teach all the limitations of claim 1 above.  The combination of Gill, Goodman, and Kim does not teach: wherein the validity period associated with the OTP is determined based on content of the first data communication.
	Agarwal, however, teaches:
The method as claimed in claim 1, wherein the validity period associated with the OTP is determined based on content of the first data communication (¶ 31: time interval may be provided with time-based one-time password (TOTP)).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill, the phishing analysis in Goodman, and the valid period in Kim by adding the time interval communication from Agarwal.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of making authentication more secure—through the use of a time-based one-time password (TOTP)—a benefit explicitly disclosed by Agarwal (¶ 31: TOTP provides advantage over traditional authentications).  Gill and Agarwal are both related to one-time passwords, so one of ordinary skill in the art would have been motivated to make these passwords even more secure by combining these methods together.
For claim 8, Gill, Goodman, and Kim teach all the limitations of claim 6 above.  The combination of Gill, Goodman, and Kim does not teach: wherein the validity period associated with the OTP is determined based on content of the first data communication.
	Agarwal, however, teaches:
The system as claimed in claim 6, wherein the validity period associated with the OTP is determined based on content of the first data communication (¶ 31: time interval may be provided with time-based one-time password (TOTP)).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Gill, the phishing analysis in Goodman, and the valid period in Kim by adding the time interval communication from Agarwal.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of making authentication more secure—through the use of a time-based one-time password (TOTP)—a benefit explicitly disclosed by Agarwal (¶ 31: TOTP provides advantage over traditional authentications).  Gill and Agarwal are both related to one-time passwords, so one of ordinary skill in the art would have been motivated to make these passwords even more secure by combining these systems together.
Response to Arguments
Claim Rejections Under 35 U.S.C. § 101
Applicant’s arguments filed on June 29, 2022 have been fully considered but they are not persuasive.
Applicant argues that the claims are integrated into a practical application because they recite an improvement to the technological field of e-commerce and electronic payments security.  Applicant explains that the claims detect and extract a communication for risk analysis during a one-time-password validity period, which protects against phishing.  Applicant therefore concludes that the claims provide a method for securing electronic transaction one-time-passwords against phishing attacks, which is rooted in computer and network technologies.  The claimed invention, however, merely determines when a phishing analysis is performed—during the validity period.  The claims do not specify in any way how the one-time-password or phishing analysis themselves are improved.  Rather, these two processes are merely applied in conjunction, improving the abstract idea of risk mitigation.  The claims are therefore only using the technology as a tool to implement the risk mitigation, rather than improving the technology itself in any way.  Thus, claims 1–11 do not include additional elements sufficient to integrate the claims into a practical application.  
Claim Rejections Under 35 U.S.C. § 103
Applicant’s arguments with respect to claims 1–11 have been considered but are moot because the arguments do not apply to the references being used in the current rejection.
Applicant has amended claims 1, 6, and 11 and argues that the combination of Gill (U.S. Patent App. No. 2015/0215310) and Goodman (U.S. Patent App. No. 2006/0123464) does not disclose these additional limitations.  Claims 1, 6, and 11, however, are currently rejected under 35 U.S.C. 103 over Gill in view of Goodman and Kim (U.S. Patent App. No. 2007/0153733).  Thus, Applicant’s arguments with respect to claims 1, 6, and 11 are moot.
Applicant argues that the dependent claims are allowable by virtue of their dependence on claims 1 and 6, which were amended to overcome the rejection under 35 U.S.C. 103.  As discussed above, however, claims 1 and 6 are currently rejected under 35 U.S.C. 103 over Gill in view of Goodman and Kim.  Thus, Applicant’s arguments with respect to claims 2–5 and 7–10 are moot.
Prior Art Not Relied Upon
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Those prior art references are as follows:
Mardikar et al., U.S. Patent App. No. 2009/0172775, discloses one-time password generation for mitigating phishing risks.  
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DIVESH PATEL whose telephone number is (571) 272–3430.  The examiner can normally be reached on Monday–Friday 12:00 PM–8:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Namrata Boveja can be reached on (571) 272–8105.  The fax phone number for the organization where this application or proceeding is assigned is 571–273–8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866–217–9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800–786–9199 (IN USA OR CANADA) or 571–272–1000.



/DIVESH PATEL/Examiner, Art Unit 3696 

/JOSEPH W. KING/Primary Examiner, Art Unit 3696