DETAILED ACTION
This office action is in response to applicant’s RCE amendment filed on 08/01/2022.  Claims 1 and 15 have been amended.  Claims 1-17 are pending and are directed towards apparatus, system, method, and computer product for Password Generation and Verification. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1.	Applicant’s arguments filed 08/01/2022 have been fully considered.
A) Applicant’s arguments, with respect to the amended limitation of claims 1 and 15, that Xia, Machani, and Henry fail to teach “a user id to identify the user at a password generator device” (page 9-10 of the present response) have been fully considered but they are not persuasive.
Regarding A) Xia teaches a password generation device (para 39, line 1-14; password management system, located remotely with processor 32 and repository 34, create passwords) comprising: a user identifier indicating a user of the user device, and a user password (para 42, line 1-13; Fig. 1 shows the authentication management system 8 including the password management system receives user ID token 40 and password 42 from a client device for user authentication).  Specifically, the user id 40 used to authenticate the user with the password management system in Xia corresponds to user identifier indicating a user in the claimed limitation.  Therefore, the prior art Xia at least suggests the feature in the claimed limitation.
B) Applicant’s argues, with respect to the amended limitation of claims 1 and 15, that Henry fails to teach a “user id used to identify the user at a password generator device” and “unique user system-identifier is assigned to the user identifier” (page 9-10 of the present response) have been fully considered but they are not persuasive.
Regarding B) in page 5-6 of Non-Final Action dated 04/01/2022, Xia is stated as teaching the features in question.  For example, Xia teaches a user identifier indicating a user of the user device, and a user password (para 42, line 1-13; Fig. 1 shows the authentication management system 8 including the password management system receives user ID token 40 and password 42 from a client device for user authentication). Furthermore, Xia teaches determine if the user identifier is registered with the identifier manager (para 43, line 1-9; check to verify the entered user ID), and if not, assign a unique user system-identifier to the user identifier, and (para 49, line 1-12 and para 50, line 1-4; a user ID token is extracted from the handle table 38 and is substituted for the entered user ID in user authentication process).  Specifically, the extracted user ID token for user authentication in prior art Xia corresponds to the registered user identifier or unique user system-identifier in the claimed limitation.  Therefore, the prior art Xia at least suggests the feature in the claimed limitation.
C) Applicant’s arguments, with respect to the amended limitation of claims 1 and 15, that Xia and Machani fail to teach a “the user identifier together with the user system-identifier, and if so, obtain the user system-identifier” (page 10 of the present response) have been fully considered but they are not persuasive.
Regarding C) in page 6-7 of Non-Final Action dated 04/01/2022, Xia is stated as not teaching the exact limitation “store the user identifier together with the user system-identifier, and if so, obtain the user system-identifier”.  In addition, Machani is stated as teaching store the user identifier together with the user system-identifier, and if so, obtain the user system-identifier (para 42, line 1-23; temporary user identifier that is generated by the system 32 is registered in a temporary user identifier store along with the identity of the registered user associated with the mobile device).  Specifically, prior art Machani is brought in to teach the storage of a temporary user identifier and registered user id of the system, where the temporary user identifier and registered user id of the system correspond to the user id and user system-identifier in the claimed limitation.  Therefore, the prior art Machani at least suggest the features in the claimed limitation.
D) Applicant’s arguments, with respect to the amended limitation of claims 1 and 15, that Xia, Machani, Henry, and Shen fail to teach “a first combined identifier is determined by applying a first combined identifier function taking as input the base address system-identifier, the user system-identifier, and the user password” and “the final password depending on the user system-identifier so that the final password of the user indicated by the user identifier is renewed by changing the user system-identifier” (page 10-12 of the present response) have been fully considered but they are not persuasive.
Regarding D) Xia teaches the base address system-identifier (para 41, line 1-17; multiple network addresses for accessing a single secure service 10 are accommodated by assigning all the addresses to a single service handle included in address table 36).  Xia and Machani do not teach determine a first combined identifier by applying a first combined identifier function taking as input address identifier, the user system-identifier, and the user password, and determine a final password from the first combined identifier.  Henry teaches determine a first combined identifier by applying a first combined identifier function taking as input address identifier, the user system-identifier, and the user password, and determine a final password from the first combined identifier (col. 3, line 60-67 and col. 4, line 1-8 and 54-67; generate a designated password through a password transform algorithm for Pd using URL or server name of service provider, unique user ID provided by a server or an account service provider, and user common password).  Furthermore, Henry teaches the final password depending on the user system-identifier so that the final password of the user indicated by the user identifier is renewed by changing the user system-identifier (col. 4, line 1-8, 54-67 and col. 5, line 47-67; updating a designated password for any one or more of a user’s existing multiple accounts, where the new designated password is calculated based partly on the provided unique user ID provided by a server).  Specifically, a change in the provided unique user id will result in a different input into the calculations for the new designated password. It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia and Machani to incorporate the teachings of Henry to provide generating a designated password through a password transform algorithm for Pd using URL of service provider, unique user ID provided by a server or an account service provider, and user common password.  Doing so would allow for providing access to multiple Web-based accounts via a secure password, as recognized by Henry.
Claim Rejections - 35 USC § 103
2.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 1-11 and 14-17 are rejected under 35 U.S.C. 103 as being unpatentable over Xia et al. (US Pub. 2003/0005299), hereinafter Xia, filed on Jun. 29, 2001 in view of Machani (US Pub. 2010/0287606) filed on Jul. 10, 2009 and Henry et al. (US Patent 6,996,718), hereinafter Henry, filed on Aug. 11, 2000. 
Regarding claim 1, Xia teaches a password generation device (para 39, line 1-14; password management system, located remotely with processor 32 and repository 34, create passwords) comprising: 
an input interface arranged to receive, from a user device (para 42, line 1-13 and para 46, line 1-13; authentication management system 8 receives user inputs),
a computer address for accessing a computer resource (para 46, line 1-13; identify and intercept authentication responses directed towards network addresses), 
a user identifier indicating a user of the user device, and a user password (para 42, line 1-13; Fig. 1 shows the authentication management system 8 including the password management system receives user ID token 40 and password 42 from a client device for user authentication); and 
a memory and a processor configured to execute software stored in the memory, the software comprising parts for (para 39, line 1-18; processor 32 implements algorithms for information stored in repository 34):
a computer address unit arranged to map the computer address to a base address, so that multiple computer addresses are mapped to the same base address (para 41, line 1-17; multiple network addresses for accessing a single secure service 10 are accommodated by assigning all the addresses to a single service handle included in address table 36); 
an identifier manager arranged to 
determine if the base address is registered with the identifier manager, and if not, assign a unique base address system-identifier to the base address, and store the base address together with the base address system-identifier, and if so, obtain the base address system-identifier (para 51, line 1-8 and para 52, line 1-23; if it is recognized that the network address is not in the address table 36, provide the user with an appropriate address handle to associate with the network address and is included in the handle table 38 of the repository), 
determine if the user identifier is registered with the identifier manager (para 43, line 1-9; check to verify the entered user ID), and 
if not, assign a unique user system-identifier to the user identifier, and (para 49, line 1-12 and para 50, line 1-4; a user ID token is extracted from the handle table 38 and is substituted for the entered user ID in user authentication process), and 
Xia does not teach store the user identifier together with the user system-identifier, and if so, obtain the user system-identifier, and
Machani teaches store the user identifier together with the user system-identifier, and if so, obtain the user system-identifier (para 42, line 1-23; temporary user identifier that is generated by the system 32 is registered in a temporary user identifier store along with the identity of the registered user associated with the mobile device), and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia to incorporate the teachings of Machani to provide temporary user identifier that is generated by the system is registered in a temporary user identifier store along with the identity of the registered user associated with the mobile device.  Doing so would allow for authenticating a user of a mobile device with a system, as recognized by Machani.
Xia teaches the base address system-identifier (para 41, line 1-17; multiple network addresses for accessing a single secure service 10 are accommodated by assigning all the addresses to a single service handle included in address table 36)
Xia and Machani do not teach determine a first combined identifier by applying a first combined identifier function taking as input address identifier, the user system-identifier, and the user password, and determine a final password from the first combined identifier,
the final password depending on the user system-identifier so that the final password of the user indicated by the user identifier is renewed by changing the user system-identifier.
Henry teaches determine a first combined identifier by applying a first combined identifier function taking as input address identifier, the user system-identifier, and the user password, and determine a final password from the first combined identifier (col. 3, line 60-67 and col. 4, line 1-8 and 54-67; generate a designated password through a password transform algorithm for Pd using URL or server name of service provider, unique user ID provided by a server or an account service provider, and user common password),
the final password depending on the user system-identifier so that the final password of the user indicated by the user identifier is renewed by changing the user system-identifier (col. 4, line 1-8, 54-67 and col. 5, line 47-67; updating a designated password for any one or more of a user’s existing multiple accounts, where the new designated password is calculated based partly on the provided unique user ID provided by a server).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia and Machani to incorporate the teachings of Henry to provide generating a designated password through a password transform algorithm for Pd using URL of service provider, unique user ID provided by a server or an account service provider, and user common password.  Doing so would allow for providing access to multiple Web-based accounts via a secure password, as recognized by Henry.
Regarding claim 2, Xia, Machani, and Henry teach apparatus of claim 1.
Xia and Machani do not teach the identifier manager is further arranged to 	
determine if the first combined identifier is registered with the identifier manager, and 3Attorney Docket No.: 5061-0043Preliminary Amendmentif not, assign a unique first combined system-identifier to the first combined identifier, and store the first combined identifier together with the first combined system-identifier, if so, obtain the first combined system-identifier assigned to the first combined identifier, and 
the password unit is further arranged to determine a second combined identifier from at least the first combined system-identifier, and to determine the final password from the second combined and/or first combined identifier.
Henry teaches the identifier manager is further arranged to 	
determine if the first combined identifier is registered with the identifier manager, and 3Attorney Docket No.: 5061-0043Preliminary Amendmentif not, assign a unique first combined system-identifier to the first combined identifier, and store the first combined identifier together with the first combined system-identifier, if so, obtain the first combined system-identifier assigned to the first combined identifier (col. 5, line 3-17; the computed designed password is submitted to a server and the server saves the hash value of the designated password), and 
the password unit is further arranged to determine a second combined identifier from at least the first combined system-identifier, and to determine the final password from the second combined and/or first combined identifier (col. 5, line 47-67; updating a designed password by generating a new designated password P’d using the user’s user id, common password and server name).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia and Machani to incorporate the teachings of Henry to provide updating a designed password by generating a new designated password P’d using the user’s user id, common password and server name.  Doing so would allow for providing access to multiple Web-based accounts via a secure password, as recognized by Henry.
Regarding claim 3, Xia, Machani, and Henry teach apparatus of claim 1.
Xia teaches the password unit is further arranged to retrieve password constraints for the computer resource and to determine a final password satisfying the retrieved password constraints (para 67, line 1-8 and para 70, line 1-8; password rules, providing bounds on the allowable format of the password, are extracted from the password rules column of the handles table 38 and password updating protocol uses the old password as an input).
Regarding claim 4, Xia, Machani, and Henry teach apparatus of claim 1.
Xia teaches the identifier manager is arranged to 
change the base address system-identifier, thus renewing all passwords for the computer resource (para 53, line 1-12; update the address table 36 to include the new address and the handle association and any future authorization response directed towards this network address will have the password modifications perform automatically), and/or 
change the user system-identifier, thus renewing all passwords for the user identifier.
Regarding claim 5, Xia, Machani, and Henry teach apparatus of claim 1.
Xia teaches a login provider unit arranged to interface between a first login provider and the user device, the first login provider providing a first original user identifier, the login provider unit being arranged to obtain the user identifier from the first original user identifier and sent it to the user device (para 50, line 14-26; the dialog box, displayed on the display 20, shows that extracted user ID token and user then transfer it to the user authentication form).
Regarding claim 6, Xia, Machani, and Henry teach apparatus of claim 1.
Xia teaches the login provider unit is arranged to interface between a second login provider and the user device, the second login provider providing a second original user identifier, the login provider unit being arranged to obtain a further user identifier from the second original user identifier and sent it to the user device, the identifier manager being arranged to store a user identifier correction factor, the password generation device applying the user identifier correction factor to the further user identifier to map it to the user identifier (para 43, line 14-17 and para 45, line 1-7 and para 58, line 1-13; user authentication system 8 supports multiple users, each user is assigned a master user ID 404 associated with a particular repository 34, and permits multiple users to use the same user interface 16 for secure transaction where the entered user ID is different from the master user ID).
Regarding claim 7, Xia, Machani, and Henry teach apparatus of claim 2.
Xia teaches the identifier manager stores a password correction factor, the password generation device applying the password correction factor to the second identifier to map it to a further second identifier previously generated for a different user identifier (para 43, line 14-19 and para 60, line 1-13; check to verify that the entered user ID is different from the corresponding master user ID and the appropriate password 410 is decoded from the handle table 38 of the repository 34).
Xia and Machani do not teach second combined identifier 
Henry teaches second combine identifier (col. 5, line 47-67; updating a designed password by generating a new designated password P’d using the user’s user id, common password and server name)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia and Machani to incorporate the teachings of Henry to provide updating a designed password by generating a new designated password P’d using the user’s user id, common password and server name.  Doing so would allow for providing access to multiple Web-based accounts via a secure password, as recognized by Henry.
Regarding claim 8, Xia, Machani, and Henry teach apparatus of claim 1.
Xia teaches the identifier manager is arranged to store a hash of a generated password, optionally together with the computer address or base address (para 40, line 1-13; the repository 34 includes links between network addresses and encoded passwords and are shown in handle table 38), the software further comprises a part for: 
a verification unit, the verification unit including an interface arranged to receive a password and optionally a computer address (para 42, line 1-13 and para 46, line 1-13; authentication management system 8 receives user inputs, such as password 42 and identify and intercept authentication responses directed towards network addresses), 
the verification unit being arranged to determine if the password was stored in hashed form and optionally if the received address matches the base address associated with the stored hashed password (para 39, line 1-16; detect authentication responses, where encoded passwords are stored in repository 34).
Regarding claim 9, Xia, Machani, and Henry teach apparatus of claim 8.
Xia teaches store the password in hashed form and optionally the computer address (para 39, line 1-16; encoded passwords are stored in repository 34), and  5Attorney Docket No.: 5061-0043 Preliminary Amendment 
determine if the same password is received multiple times (para 39, line 1-16; detect and intercept authentication responses from users and the password management system processor 32 identifies the passwords).
Regarding claim 10, Xia, Machani, and Henry teach apparatus of claim 1.
Xia teaches a ticket unit arranged to assign a ticket identifier to a generated password, and to store the ticket identifier, a ticket constraint, and the generated password, the ticket unit being arranged to send the ticket identifier to the user device (para 65, line 1-19 and para 69, line 1-16; password creation process includes algorithm that receives a system clock input 126, such as a time stamp, along with few digits of the clock as the seed value input, store time stamp for use in later password updates, and password creation is transparent to the user where timedate column can be used to determine elapsed time), 
the ticket unit being arranged to 
receive a received ticket identifier and a received computer address from the computer resource (para 68, line 1-30 and para 69, line 1-16; network address 520 is provided by user to service provider 10 along the date for password updates), and 
verify that ticket identifier was assigned by the ticket unit and that the received computer address matches the base address associated with the generated password, and the ticket constraint, and if so, send the generated password to the computer resource (para 68, line 1-30 and para 69, line 1-16 and para 70, line 1-8; upon confirmation of password update where the clock date was used for the update process, store the password information in the handles tables 38 and it is inputted into dialog box and transmitted via network 12 to service provider 10).
Regarding claim 11, Xia, Machani, and Henry teach apparatus of claim 10.
Xia teaches the password generation device stores a personal information associated with the user (para 44, line 25-33; system 8 update a user password in the repository 34), 
the ticket unit is arranged to generate a further ticket identifier, and to associate the further ticket identifier with the user, and is arranged to send the further ticket identifier to the computer resource after successful verification (para 68, line 1-30 and para 69, line 1-16; secure service provider 10 performs the password update for a user using the clock date and the network address 520), 
the ticket unit being arranged to 
receive a further received ticket identifier, verify that the further received ticket identifier matches the stored further ticket identifier, and if so send the personal information associated with the user to the computer resource (para 68, line 1-30 and para 69, line 1-16 and para 70, line 1-8; upon confirmation of password update where the cock date was used for the update process, store the password information in the handles tables 38 and it is inputted into dialog box and transmitted via network 12 to service provider 10).
Regarding claim 14, Xia teaches a password generation system comprising the password generation device according to claim 1 and the user device (see claim 1 rejection), the user device including a web browser (para 42, line 4-12; a user is presented with dialog box on display 20, where display is generated by web browser 18) arranged to 
receive an original user password (para 42, line 1-8 and para 46, line 5-9; identify user password 42), 
hash the original password, to obtain the user password (para 44, line 24-31; a password in the repository 34 is encoded), 
detect a password field in a web page (para 42, line 1-12; a dialog box on display 20, which is generated by web browser 18, requires a password 42), and 
send the user identifier, computer address of the web page, and the user password to the password generation device (para 49, line 1-12 and para 50, line 1-14; if a handle is found for the authentication response, an encoded password is obtained from the handle table 38 and is decoded for use in user authentication where information may be entered into a dialog box on the display 20).
Regarding claim 15, Xia teaches a password generation method (para 39, line 1-14; password management system, located remotely with processor 32 and repository 34, create passwords) comprising 
receiving from a user device (para 42, line 1-13 and para 46, line 1-13; authentication management system 8 receives user inputs) 
a computer address for accessing a computer resource (para 46, line 1-13; identify and intercept authentication responses directed towards network addresses), 
a user identifier indicating a user of the user device, and a user password (para 42, line 1-13; Fig. 1 shows the authentication management system 8 including the password management system receives user ID token 40 and password 42 from a client device for user authentication); 
mapping the computer address to a base address, so that multiple computer addresses are mapped to the same base address (para 41, line 1-17; multiple network addresses for accessing a single secure service 10 are accommodated by assigning all the addresses to a single service handle included in address table 36); 
determining if the base address is registered with the identifier manager, and if not, assigning a unique base address system-identifier to the base address, and store the base address together with the base address system-identifier, if so, obtaining the base address system-identifier (para 51, line 1-8 and para 52, line 1-23; if it is recognized that the network address is not in the address table 36, provide the user with an appropriate address handle to associate with the network address and is included in the handle table 38 of the repository); 
determining if the user identifier is registered with the identifier manager (para 43, line 1-9; check to verify the entered user ID), and 
if not, assigning a unique user system-identifier to the user identifier, and (para 49, line 1-12 and para 50, line 1-4; a user ID token is extracted from the handle table 38 and is substituted for the entered user ID in user authentication process), and 
Xia does not teach store the user identifier together with the user system-identifier, and if so, obtaining the user system-identifier, and
Machani teaches store the user identifier together with the user system-identifier, and if so, obtaining the user system-identifier (para 42, line 1-23; temporary user identifier that is generated by the system 32 is registered in a temporary user identifier store along with the identity of the registered user associated with the mobile device), and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia to incorporate the teachings of Machani to provide temporary user identifier that is generated by the system is registered in a temporary user identifier store along with the identity of the registered user associated with the mobile device.  Doing so would allow for authenticating a user of a mobile device with a system, as recognized by Machani.
Xia teaches the base address system-identifier (para 41, line 1-17; multiple network addresses for accessing a single secure service 10 are accommodated by assigning all the addresses to a single service handle included in address table 36)
Xia and Machani do not teach determine a first combined identifier by applying a first combined identifier function taking as input address identifier, the user system-identifier, and the user password, and determine a final password from the first combined identifier,
the final password depending on the user system-identifier so that the final password of the user indicated by the user identifier is renewed by changing the user system-identifier.
Henry teaches determine a first combined identifier by applying a first combined identifier function taking as input address identifier, the user system-identifier, and the user password, and determine a final password from the first combined identifier (col. 3, line 60-67 and col. 4, line 1-8 and 54-67; generate a designated password through a password transform algorithm for Pd using URL or server name of service provider, unique user ID provided by a server or an account service provider, and user common password),
the final password depending on the user system-identifier so that the final password of the user indicated by the user identifier is renewed by changing the user system-identifier (col. 4, line 1-8, 54-67 and col. 5, line 47-67; updating a designated password for any one or more of a user’s existing multiple accounts, where the new designated password is calculated based partly on the provided unique user ID provided by a server).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia and Machani to incorporate the teachings of Henry to provide generating a designated password through a password transform algorithm for Pd using URL of service provider, unique user ID provided by a server or an account service provider, and user common password.  Doing so would allow for providing access to multiple Web-based accounts via a secure password, as recognized by Henry.
Regarding claim 16, Xia teaches a computer program comprising computer program instructions arranged to perform the method according to claim 15 (see claim 15 rejection) when the computer program is run on a computer (para 39, line 1-14; a program or software component of the client device 14 operating system.
Regarding claim 17, Xia, Machani, and Henry teach apparatus of claim 2.
Xia and Machani do not teach the identifier manager is arranged to change the first combined system-identifier, thus renewing the second combined identifier and/or final password for the user identifier and the computer resource.
Henry teaches the identifier manager is arranged to change the first combined system-identifier, thus renewing the second combined identifier and/or final password for the user identifier and the computer resource (col. 5, line 47-67; updating a designed password by generating a new designated password P’d using the user’s user id, common password and server name).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia and Machani to incorporate the teachings of Henry to provide updating a designed password by generating a new designated password P’d using the user’s user id, common password and server name.  Doing so would allow for providing access to multiple Web-based accounts via a secure password, as recognized by Henry.
4.	Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Xia in view of Machani, Henry, and Shen et al. (US Pub. 2012/0297190), hereinafter Shen, filed on May 19, 2011.
Regarding claim 12, Xia, Machani, and Henry teach apparatus of claim 1.
Xia, Machani, and Henry do not teach storing a list of registered device identifiers, the input interface is further arranged to receive a user device identifier, the software being arranged to refuse to generate a password if the user device identifier is not registered or blocked.
Shen teaches storing a list of registered device identifiers, the input interface is further arranged to receive a user device identifier, the software being arranged to refuse to generate a password if the user device identifier is not registered or blocked (para 21, line 1-6 and para 64, line 1-19; architecture includes mobile devices, register a device such as a mobile phone using a unique device ID, and uses the device ID to derive the credentials for user authentication).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia, Machani, and Henry to incorporate the teachings of Shen to provide for the registration of mobile device and credentials for user authentication using device ID.  Doing so would allow for multi-party security protocol that incorporates biometric based authentication on a mobile phone, as recognized by Shen.
Regarding claim 13, Xia, Machani, and Henry teach apparatus of claim 1.
Xia, Machani, and Henry do not teach the user password comprises attributes associated with the user or user device as a biometric identifier obtained from a biometric sensor.
Shen teaches the user password comprises attributes associated with the user or user device as a biometric identifier obtained from a biometric sensor (para 32, line 1-11; input biometric data, which are captured by sensors, send it to the cloud side for authentication and the cloud side provides the password for accessing the secure website).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Xia, Machani, and Henry to incorporate the teachings of Shen to provide for the capture of biometric data by sensors to cloud which provides the password for accessing secure website.  Doing so would allow for multi-party security protocol that incorporates biometric based authentication on a mobile phone, as recognized by Shen.
Conclusion
5.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following are relevant prior arts: Cavanagh et al. (US Patent 9,824,208) discloses periodically generating and managing passwords for one or more websites of users, where the users are provided with the ability to automatically replace their old passwords with new passwords for their one or more website accounts; Cavanagh et al. (US Pub. 2017/0011213) discloses users can set a pre-determined frequency at which their passwords are to be updated and replaced with new passwords, and the users can further define additional one or more rules based on which their passwords are updated; Karp (US Pub. 2013/0086655) discloses generates a new password for accessing a user account and/or computing system and inspires a change of an existing password for the user account and/or computing system to the new password.
6.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/NHAN HUU NGUYEN/Examiner, Art Unit 2492


/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492