DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 11/15/2022.
In the instant Amendment, claims 1, 13 and 17 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.

Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 11/15/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “Yedidi and Goodwin fail to disclose or suggest "receiv[ing],from a first browser of a first user device associated with a user, a request to access one or more resources, wherein the request comprises a first salted password, wherein the first salted password comprising a first password, a first user device identifier, and a first browser identifier" as recited in Claim 1 and analogously cited in Claim 17.”
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Yedidi discloses receive, from a first browser of a first user device associated with a user, a request to access one or more resources, wherein the request comprises a first salted password, wherein the first salted password comprising a first password, a first user device identifier, and a first browser identifier (Yedidi: ¶0056 at step 402, content management system 106 can receive a login request for a user account from a user device [] the login request can include a password; ¶0057 at step 404, content management system 106 can obtain login context data from the user device; ¶0043 each record [] in login context database 300 can correspond to a [] browser identifier (e.g., name, version, etc.) []  an operating system identifier (e.g., name version, etc.) for the operating system of the client device, a device type (e.g., manufacturer, model, etc.) for the client device). More specifically, Yedidi discloses content management system 106 can manage multiple user accounts associated with multiple users. Content management system 106 can receive a log in request from a client device (e.g., user device 220, user device 230) []. The login request can identify an account identifier that uniquely identifies a user account managed by content management system 106. The login request can include a password that can be used by authenticator module 126 to authenticate the user as the owner of the identified user account [0056] and login context database 300 will typically include login context data for each of the user accounts managed by content management system 106. Each record (e.g., records 302-312) in login context database 300 can correspond to a respective login event and/or authentication attempt for the identified user account. Each record can include a timestamp corresponding to the login event, an IP address corresponding to the client device, a browser identifier (e.g., name, version, etc.), a client application identifier (e.g., name, version, etc.), an operating system identifier (e.g., name version, etc.) for the operating system of the client device, a device type (e.g., manufacturer, model, etc.) for the client device, and/or a session identifier for the current login session between the client device (e.g., CMS client application) and content management system 106 [0043]. Therefore as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.
Applicant’s arguments: “Yedidi and Goodwin fail to disclose or suggest "extract[ing] the first password, the first user device identifier, and the first browser identifier from the first salted password" as recited in Claim 1 and analogously recited in Claim 17.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Yedidi discloses extract the first password, the first user device identifier, and the first browser identifier from the first salted password (Yedidi: ¶0059 at step 408, content management system 106 can generate a login metric. For example, content management system 106 can generate one or more login metrics based on the login context data stored in login context database 204). More specifically, Yedidi discloses content management system 106 can obtain and store login context information that can be used to generate a unique signature of fingerprint for each client device that is used to log in to content management system 106 [0052]. Therefore as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.
Applicant’s arguments: “Yedidi, Goodwin, Maxilom, and Bemmel fail to disclose or suggest "receiving a salted code comprising a second code, a second user device identifier, and a second browser identifier" as recited in Claim 4.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Yedidi discloses browser identifier (Yedidi: ¶0043 a browser identifier). More specifically Yedidi discloses login context database 300 will typically include login context data for each of the user accounts managed by content management system 106 [].Each record can include a timestamp corresponding to the login event, an IP address corresponding to the client device, a browser identifier (e.g., name, version, etc.), a client application identifier (e.g., name, version, etc.), an operating system identifier (e.g., name version, etc.) for the operating system of the client device, a device type (e.g., manufacturer, model, etc.) for the client device, and/or a session identifier for the current login session between the client device (e.g., CMS client application) and content management system 106 [0043]. However, Maxilom discloses receiving a salted code comprising a second code, a second user device identifier (Maxilom: ¶0024 the one-time-only code; ¶0025 the support manager 131 can interact with the agent 111 to identify a device identifier). More specifically, Maxilom discloses the wireless connection between the mobile device 130 and the enterprise services device 110 uses multifactor authentication managed by the agent 111; the first factor includes a user-provided identifier and password and the second factor includes a one-time only randomly generated code by the agent 111 that is delivered to the mobile device [] such as though a text message to the mobile device 130 []. The user/operator of the mobile device 130 then enters the code received through the out-of-band text message into a code enter screen rendered within the support manager 131. The agent 111 validates the entered codes as a second form of authentication [0023]. [NOTE: relational terms such as first and second, top and bottom, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.] Therefore as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.

Applicant’s arguments: “Yedidi, Goodwin, Maxilom, and Bemmel fail to disclose or suggest "extracting the second code, the second user device identifier, and the second browser identifier from the salted code" as recited in Claim 4.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Yedidi discloses browser identifier (Yedidi: ¶0043 a browser identifier). More specifically Yedidi discloses login context database 300 will typically include login context data for each of the user accounts managed by content management system 106 [].Each record can include a timestamp corresponding to the login event, an IP address corresponding to the client device, a browser identifier (e.g., name, version, etc.), a client application identifier (e.g., name, version, etc.), an operating system identifier (e.g., name version, etc.) for the operating system of the client device, a device type (e.g., manufacturer, model, etc.) for the client device, and/or a session identifier for the current login session between the client device (e.g., CMS client application) and content management system 106 [0043]. However, Maxilom discloses extracting the second code, the second user device identifier, from the salted code (Maxilom: ¶0025 when the support personnel activates the link provided by the support manager 131 a connection between the support personnel's device and the enterprise services device 110 is established and the agent sends the random remote code back to the support personnel and displays a code-input screen into which the support personnel enters the received code). More specifically, Maxilom discloses the remote mobile support manager performs a first factor authentication using an identifier and a password combination, and the remote mobile support manager performs a second factor authentication using a one-time only randomly generated out-of-band code [0035]. [NOTE: relational terms such as first and second, top and bottom, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.] Therefore as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.
Applicant’s arguments: “Yedidi, Johnson, and Goodwin fail to disclose or suggest " generate a first salt based on the user device identifier and the first browser identifier," as recited in Claim 13.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Johnson discloses generate a first salt based on the user device identifier and the first browser identifier (Johnson: col. 9 lines 3-12 at operation 312, the edge server 120 generates a cookie that includes a hash of [] one or more other values [] the one or more other values may include [] a browser identifier, [] a device identifier). More specifically Johnson discloses at operation 205, an edge server 120 generates a first token value that includes a hash value generated by hashing a secret key and one or more other values using a hash algorithm. The secret key may be a uniform shared secret for all websites or each website may have its own unique secret key. Where each website has its own secret key, the edge server 120 may store the secret key in a profile associated with the corresponding website. The secret key may be a value used for symmetric encryption [] the one or more other values may include one or more of: an expiration time and metadata, including an IP address, a browser identifier, a host origin name, geo-location data, a device identifier, a user agent string, and other authentication data (col. 5 lines 18-32). Therefore as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.
Applicant’s arguments: “Yedidi, Johnson, and Goodwin fail to disclose or suggest "apply[ing] the first salt to the first password to generate a first salted password without displaying an indication to the user device that the first salt was applied to the first password" as recited in Claim 13.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Johnson discloses apply the first salt to the first password to generate a first salted password without displaying an indication to the user device that the first salt was applied to the first password (Johnson: col. 9 lines 7-9 the token value may include a hash value that may be generated by hashing the secret key). More specifically Johnson discloses at the client computing device 110, causes the client computing device 110 to transmit the token value (equal to the value of the "CSRF Cookie" 316) as part of the request. This token value may be submitted automatically as an HTTP request header, or as part of HTML form data by 35 adding a hidden field to all HTML forms on the resource (col. 9 lines 33-36). Therefore as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.

The Examiner respectfully suggests that the claims be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 270 7857 to schedule an interview.   
A substantially similar rejection to the previous non-final rejection follows below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-3 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Goodwin et al. (“Goodwin,” US 8,234,302).

Regarding claim 1: Yedidi discloses a system, comprising:
one or more processors (Yedidi: fig. 5 item 510); and
a memory in communication with the one or more processors and storing instructions (Yedidi: fig. 5 items 512, 515) that, when executed by the one or more processors, are configured to cause the system to:
receive, from a first browser of a first user device associated with a user, a request to access one or more resources, wherein the request comprises a first salted password, wherein the first salted password comprising a first password, a first user device identifier, and a first browser identifier (Yedidi: ¶0056 at step 402, content management system 106 can receive a login request for a user account from a user device [] the login request can include a password; ¶0057 at step 404, content management system 106 can obtain login context data from the user device; ¶0043 each record [] in login context database 300 can correspond to a [] browser identifier (e.g., name, version, etc.) []  an operating system identifier (e.g., name version, etc.) for the operating system of the client device, a device type (e.g., manufacturer, model, etc.) for the client device);
retrieve a stored first password, a stored first user device identifier, and a stored first browser identifier (Yedidi: ¶0058 content management system 106 can store login context data in login context database 204. For example, login context database 204 (i.e., database 300) can store a database entry (e.g., record) that includes login context data collected for each attempt to log in to a user account);
extract the first password, the first user device identifier, and the first browser identifier from the first salted password (Yedidi: ¶0059 at step 408, content management system 106 can generate a login metric. For example, content management system 106 can generate one or more login metrics based on the login context data stored in login context database 204);
determine whether the first password, the first user device identifier, and the first browser identifier respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond a predetermined threshold (Yedidi: ¶0060 at step 410, content management system 106 can determine that the generated login metric exceeds a threshold value. For example, each login metric generated by content management system 106 can have a corresponding threshold value that can be used to determine when a user account is being accessed by multiple users); and
when the first password, the first user device identifier, or the first browser identifier do not respectively match the stored first password, the stored first user device identifier, or the stored first browser identifier beyond the predetermined threshold, perform one or more actions (Yedidi: ¶0062 content management system 106 can be configured with a use policy that specifies that a single user account can only be accessed or used by a single user. When content management system 106 determines that multiple users are sharing login credentials and accessing a single user account, content management system 106 can present a warning (e.g., when a user attempts to log in to the user account) indicating that the users are in violation of content management system policy and prompting the users to create different, individual accounts with content management system 106).
Yedidi does not explicitly disclose respectively compare the first password, the first user device identifier, and the first browser identifier to the stored first password, the stored first user device identifier, and the stored first browser identifier and when the first password, the first user device identifier, and the first browser identifier respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device.
However, Goodwin discloses respectively compare the first password, the first user device identifier, and the first browser identifier to the stored first password, the stored first user device identifier, and the stored first browser identifier (Goodwin: col. 5 lines 11-18 the content provider 210 may process the received request [] such instructions may include verification of the received user data, for example, the user account ID, password, and the unique device ID, by comparing it to the data stored in the user information data store 220); and
when the first password, the first user device identifier, and the first browser identifier respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device (Goodwin: col. 5 lines 26-29 if the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi to include when the first password, the first user device identifier, and the first browser identifier respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device.
One would have been motivated for controlling access to electronic content stored on a content provider's server (Goodwin: col. 1 lines 52-53).
Regarding claim 2: Yedidi in view of Goodwin discloses the system of claim 1.
Goodwin further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to generate and transmit the first password to the user via the first user device (Goodwin: col. 3 lines 59-61 a user may be provided or specify a user name and password that is associated with the user account).
The motivation is the same that of claim 1 above.

Regarding claim 3: Yedidi in view of Goodwin discloses the system of claim 1.
Yedidi further discloses wherein the first stored password is received from the first user device during a device registration process and subsequently stored in a database associated with the system (Yedidi: ¶0017 user account database 150 can store profile information for registered users).

Regarding claim 17: Yedidi discloses a system, comprising:
one or more processors (Yedidi: fig. 5 item 510); and
a memory in communication with the one or more processors and storing instructions (Yedidi: fig. 5) that, when executed by the one or more processors, are configured to cause the system to:
receive, from a first user device associated with a user, a first salted password associated with a website, wherein the first salted password comprising a first password, a first user device identifier, and a first browser identifier (Yedidi: ¶0056 at step 402, content management system 106 can receive a login request for a user account from a user device [] the login request can include a password; ¶0057 at step 404, content management system 106 can obtain login context data from the user device; ¶0043 each record [] in login context database 300 can correspond to a [] browser identifier (e.g., name, version, etc.) []  an operating system identifier (e.g., name version, etc.) for the operating system of the client device, a device type (e.g., manufacturer, model, etc.) for the client device);
extract the first password, the first user device identifier, and the first browser identifier from the first salted password (Yedidi: ¶0059 at step 408, content management system 106 can generate a login metric. For example, content management system 106 can generate one or more login metrics based on the login context data stored in login context database 204);
store the first password, the first user device identifier, and the first browser identifier (Yedidi: ¶0058 content management system 106 can store login context data in login context database 204. For example, login context database 204 (i.e., database 300) can store a database entry (e.g., record) that includes login context data collected for each attempt to log in to a user account);
receive, from a second user device associated with a user, a request to access the website comprising a second salted password, wherein the second salted password Page 49 of 53Attorney Docket No.: COF0147 (029424.002531) comprising a second password, a second user device identifier, and a second browser identifier (Yedidi: ¶0056 at step 402, content management system 106 can receive a login request for a user account from a user device; ¶0057 At step 404, content management system 106 can obtain login context data from the user device; fig. 3 login context database);
extract the second password, the second user device identifier, and the second browser identifier from the second salted password (Yedidi: ¶0059 at step 408, content management system 106 can generate a login metric. For example, content management system 106 can generate one or more login metrics based on the login context data stored in login context database 204);
retrieve the first password, the first user device identifier, and the first browser identifier (Yedidi: ¶0058 content management system 106 can store login context data in login context database 204. For example, login context database 204 (i.e., database 300) can store a database entry (e.g., record) that includes login context data collected for each attempt to log in to a user account);
determine whether the second password, the second user device identifier, and the second browser identifier respectively match the first password, the first user device identifier, and the first browser identifier beyond a predetermined threshold (Yedidi: ¶0060 at step 410, content management system 106 can determine that the generated login metric exceeds a threshold value. For example, each login metric generated by content management system 106 can have a corresponding threshold value that can be used to determine when a user account is being accessed by multiple users); and
when the second password, the first user device identifier, or the first browser identifier do not respectively match the first password beyond the predetermined threshold, the first user device identifier, or the first browser identifier, perform one or more actions (Yedidi: ¶0062 content management system 106 can be configured with a use policy that specifies that a single user account can only be accessed or used by a single user. When content management system 106 determines that multiple users are sharing login credentials and accessing a single user account, content management system 106 can present a warning (e.g., when a user attempts to log in to the user account) indicating that the users are in violation of content management system policy and prompting the users to create different, individual accounts with content management system 106).
Yedidi does not explicitly disclose when the second password, the second user device identifier, and the second browser identifier respectively match the first password, the first user device identifier, and the first browser identifier beyond the predetermined threshold, grant the request to access the website for the first user device.
However, Goodwin discloses when the second password, the second user device identifier, and the second browser identifier respectively match the first password, the first user device identifier, and the first browser identifier beyond the predetermined threshold, grant the request to access the website for the first user device (Goodwin: col. 5 lines 26-29 if the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi to include when the first password, the first user device identifier, and the first browser identifier respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold, grant the request to access the website for the first user device.
One would have been motivated for controlling access to electronic content stored on a content provider's server (Goodwin: col. 1 lines 52-53).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Goodwin et al. (“Goodwin,” US 8234302), Maxilom et al. (“Maxilom,” US 2020/0007607) and Bemmel (US 2009/0006861).

Regarding claim 4: Yedidi in view of Goodwin discloses the system of claim 1.
Yedidi further discloses a second browser identifier (Yedidi: ¶0043 a browser identifier).
Yedidi in view of Goodwin does not disclose randomly generating a first code comprising numbers, transmitting the first code to the user via email or text message, prompting the user to enter a code via the first browser of the first user device, receiving a salted code comprising a second code, a second user device identifier, and extracting the second code, the second user device identifier.
However, Maxilom discloses randomly generating a first code comprising numbers (Maxilom: ¶0023 randomly generated code by the agent 111);
transmitting the first code to the user via email or text message (Maxilom: ¶0023 randomly generated code [] is delivered to the mobile device [] such as though a text message to the mobile device 130);
prompting the user to enter a code via the first browser of the first user device (Maxilom: ¶0023 the user/operator of the mobile device 130 then enters the code received through the out-of-band text message into a code enter screen rendered within the support manager 131);
receiving a salted code comprising a second code, a second user device identifier (Maxilom: ¶0024 the one-time-only code; ¶0024 the support manager 131 can interact with the agent 111 to identify a device identifier);
extracting the second code, the second user device identifier from the salted code (Maxilom: ¶0024 when the support personnel activates the link provided by the support manager 131 a connection between the support personnel's device and the enterprise services device 110 is established and the agent sends the random remote code back to the support personnel and displays a code-input screen into which the support personnel enters the received code).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Maxilom with the system/method of Yedidi and Goodwin to include transmitting the first code to the user via email or text message, prompting the user to enter a code via the first browser of the first user device.
One would have been motivated for establishing a secure session with the portal (Maxilom: ¶0002).
Yedidi in view of Goodwin and Maxilom does not explicitly disclose prompting the user for a second password or block further password attempts depending on whether the second code, the second user device identifier, and the second browser identifier respectively match the first code, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold.
However Bemmel discloses prompting the user for a second password or block further password attempts depending on whether the second code, the second user device identifier, and the second browser identifier respectively match the first code, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold (Bemmel: ¶0053 the pass-phrase creation page may include a statement requesting that the user enter a pass-phrase in a corresponding pass-phrase entry field. The pass-phrase creation page may include one or more suggested pass-phrases, thereby enabling the user to select one of the suggested pass-phrases).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bemmel with the system/method of Yedidi, Goodwin and Maxilom to include whether the second code, the second user device identifier, and the second browser identifier respectively match the first code, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold.
One would have been motivated for providing a more secure, user-friendly technique by which users may prevent phishing attacks while using the Internet (Bemmel: ¶0015).

Claims 5-12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Goodwin et al. (“Goodwin,” US 8234302) and Bemmel (US 2009/0006861).

Regarding claim 5: Yedidi in view of Goodwin discloses the system of claim 1.
Yedidi in view of Goodwin does not disclose when the first password does not match the stored first password beyond the predetermined threshold, but the first user device identifier and the first browser identifier respectively match the stored first user device identifier and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, transmit a password mismatch error to the first user device, or transmit a notification via text or email to the user reporting a password mismatch, or a combination thereof.
However, Bemmel discloses when the first password does not match the stored first password beyond the predetermined threshold, but the first user device identifier and the first browser identifier respectively match the stored first user device identifier and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, transmit a password mismatch error to the first user device, or transmit a notification via text or email to the user reporting a password mismatch, or a combination thereof (Bemmel: ¶0035 if the pass-phrase is not valid, method 200 proceeds to step 230. At step 230, the user device transmits an alert to the web server [] method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bemmel with the system/method of Yedidi and Goodwin to include match the stored first user device identifier and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device.
One would have been motivated for providing a more secure, user-friendly technique by which users may prevent phishing attacks while using the Internet (Bemmel: ¶0015).

Regarding claim 6: Yedidi in view of Goodwin and Bemmel discloses the system of claim 5.
Bemmel further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password does not match the stored first password beyond the predetermined threshold, the first browser identifier does not match the stored first browser identifier beyond the predetermined threshold, but the first user device identifier matches the stored first user device identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, block a future access associated with the stored first password, the stored first user device identifier, remotely uninstall a first browser associated with the first browser identifier, record future keystrokes of the first user device, transmit the password mismatch error to the first user device, transmit a first browser identifier mismatch error to the first user device, or transmit the notification via text or email to the user reporting the password mismatch and a browser mismatch, or a combination thereof (Bemmel: ¶0033 if [] the identifiers do not match, method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page).
The motivation is the same that of claim 5 above.

Regarding claim 7: Yedidi in view of Goodwin and Bemmel discloses the system of claim 6.
Bemmel further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password does not match the stored first password beyond the predetermined threshold, the first user device identifier does not match the stored first user device identifier beyond the predetermined threshold, but the first browser identifier matches the stored first browser identifier beyond the predetermined threshold, perform the one or more actions comprising:
deny the request to access the one or more resources for the first user device, block the future access associated with the stored first password, the stored first user device identifier, transmit a password mismatch error to the first user device, transmit a first user device identifier mismatch error to the first user device, or transmit the notification via text or email to the user reporting the password mismatch and a first user device identifier mismatch, or a combination thereof (Bemmel: ¶0034 a determination is made as to whether the pass-phrase (of the pass-phrase page) is valid [] the determination as to whether the pass-phrase displayed in the pass-phrase page is valid is a determination as to whether the pass-phrase displayed in the pass-phrase page matches the pass-phrase created by the user for the requested web page; ¶0033 if either the decryption is not valid or the identifiers do not match, method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page).
The motivation is the same that of claim 5 above.
 
Regarding claim 8: Yedidi in view of Goodwin and Bemmel discloses the system of claim 7.
Bemmel further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to:Page 45 of 53Attorney Docket No.: COF0147 (029424.002531) when the first password, the first user device identifier, and the first browser identifier do not respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold, perform the one or more actions comprising:
deny the request to access the one or more resources for the first user device, block the future access associated with the stored first password, the stored first user device identifier, transmit the password mismatch error to the first user device, transmit the first user device identifier mismatch error to the first user device, transmit the first browser identifier mismatch error to the first user device, transmit the notification via text or email to the user reporting the password mismatch, the browser mismatch, and a first user device identifier mismatch, or transmit a message to law enforcement, or a combination thereof (Bemmel: ¶0051 at step 322, the web server receives the login information from the user device; ¶0052 if the login information is not valid, method 300 proceeds to step 354, at which point the web server blocks the attempt to access the web page).
The motivation is the same that of claim 5 above.

Regarding claim 9: Yedidi in view of Goodwin and Bemmel discloses the system of claim 8.
Goodwin further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first user device identifier matches the stored first user device identifier beyond the predetermined threshold, but the first browser identifier does not match the stored first browser identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device (Goodwin: col. 5 lines 18-33 if the user account ID/password matches an account ID/password stored in the user information data store, the server executes the matching of the unique device IDs to the ones, if any, stored in the user information data store and associated with that account ID. If a match is not found, the total number of different devices that have been previously used to access that particular content via that account, including the current one, is determined and compared to a predetermined limit or threshold. If the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content. However, if the total number exceeds the predetermined limit, access will be denied. If a match is found between the received unique device identifier and the device identifiers currently associated with the account, access will be granted).
The motivation is the same that of claim 1 above.
Bemmel further discloses transmit the first browser identifier mismatch error to the first user device, remotely uninstall the first browser associated with the first browser identifier after the user closes the first browser, or transmit the notification via text or email to the user reporting the browser mismatch, or a combination thereof (Bemmel: ¶0049 if the web server is not valid, method 300 proceeds to step 362 where method 300 ends. In other words, the user device aborts the attempt to access the web page).
The motivation is the same that of claim 5 above.

Regarding claim 10: Yedidi in view of Goodwin and Bemmel discloses the system of claim 8.
Bemmel further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first user device identifier matches the stored first user device identifier beyond the predetermined threshold, but the first browser identifier does not match the stored first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, transmit the first browser identifier mismatch error to the first user device, and remotely uninstall the first browser associated with the first browser identifier (Bemmel: ¶0049 if the web server is not valid, method 300 proceeds to step 362 where method 300 ends. In other words, the user device aborts the attempt to access the web page).
The motivation is the same that of claim 5 above.

Regarding claim 11: Yedidi in view of Goodwin and Bemmel discloses the system of claim 9. Goodwin further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first browser identifier matches the stored first browser identifier beyond the predetermined threshold, but the first user device identifier does not match the stored first user device identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device and perform the one or more actions comprising: transmit a user device mismatch error to the first user device or transmit the notification via text or email to the user reporting a user device mismatch, or both (Goodwin: col. 4 lines 2-5 a browser identifier ("ID") is a type of unique device identifier due to the fact that it may contain HTTP information, such as a cookie, which may be used to uniquely identify a particular device; col. 5 lines 18-31 if the user account ID/password matches an account ID/password stored in the user information data store, the server executes the matching of the unique device IDs to the ones, if any, stored in the user information data store and associated with that account ID. If a match is not found [] access will be denied).
The motivation is the same that of claim 1 above.

Regarding claim 12: Yedidi in view of Goodwin and Bemmel discloses the system of claim 10. Goodwin further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first browser identifier matches the stored first browser identifier beyond the predetermined threshold, but the first user device identifier does not match the stored first user device identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, block the future access associated with the stored first password, transmit a user device mismatch error to the first user device, transmit the notification via text or email to the user reporting a user device mismatch (Goodwin: col. 5 lines 18-31 if the user account ID/password matches an account ID/password stored in the user information data store, the server executes the matching of the unique device IDs to the ones, if any, stored in the user information data store and associated with that account ID. If a match is not found [] access will be denied).
The motivation is the same that of claim 1 above.

Regarding claim 19: Yedidi in view of Goodwin discloses the system of claim 17.
Yedidi in view of Goodwin does not explicitly disclose when the second password does not match the first password beyond the predetermined threshold, but the first user device identifier and the first browser identifier respectively match the first user device identifier and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the website for the first user device, transmit a password mismatch error to the first user device, or transmit a notification via text or email to the user reporting a password mismatch, or a combination thereof, when the second password does not match the first password beyond the predetermined threshold, the first browser identifier does not match the first browser identifier beyond the predetermined threshold, but the first user device identifier matches the first user device identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the website for the first user device, block a future access associated with the first password and the first user device identifier, transmit the password mismatch error to the second user device, transmit a first browser identifier mismatch error to the second user device, or transmit the notification via text or email to the user reporting both the password mismatch and a browser mismatch, or a combination thereof, when the second password does not match the first password beyond the predetermined threshold, the first user device identifier does not match the first user device identifier beyond the predetermined threshold, but the first browser identifier matches the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the website for the first user device, block the future access associated with the first password, the first user device identifier, transmit a password mismatch error to the first user device, transmit a first user device identifier mismatch error to the first user device, or transmit the notification via text or email to the user reporting both the password mismatch and a first user device identifier mismatch, or a combination thereof, and when the second password, the first user device identifier, and the first browser identifier do not respectively match the first password, the first user device identifier, and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the website for the first user device, block the future access associated with the first password and the first user device identifier, transmit the password mismatch error to the second user device, transmit the first user device identifier mismatch error to the second user device, transmit the first browser identifier mismatch error to the second user device, transmit the notification via text or email to the user reporting the password mismatch, the browser mismatch, and a first user device identifier mismatch, or transmit a message to law enforcement, or a combination thereof.
However, Bemmel discloses when the second password does not match the first password beyond the predetermined threshold, but the first user device identifier and the first browser identifier respectively match the first user device identifier and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the website for the first user device, transmit a password mismatch error to the first user device, or transmit a notification via text or email to the user reporting a password mismatch, or a combination thereof (Bemmel: ¶0035 if the pass-phrase is not valid, method 200 proceeds to step 230. At step 230, the user device transmits an alert to the web server [] method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page);Page 50 of 53Attorney Docket No.: COF0147 (029424.002531)
when the second password does not match the first password beyond the predetermined threshold, the first browser identifier does not match the first browser identifier beyond the predetermined threshold, but the first user device identifier matches the first user device identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the website for the first user device, block a future access associated with the first password and the first user device identifier, transmit the password mismatch error to the second user device, transmit a first browser identifier mismatch error to the second user device, or transmit the notification via text or email to the user reporting both the password mismatch and a browser mismatch, or a combination thereof (Bemmel: ¶0033 if [] the identifiers do not match, method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page);
when the second password does not match the first password beyond the predetermined threshold, the first user device identifier does not match the first user device identifier beyond the predetermined threshold, but the first browser identifier matches the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the website for the first user device, block the future access associated with the first password, the first user device identifier, transmit a password mismatch error to the first user device, transmit a first user device identifier mismatch error to the first user device, or transmit the notification via text or email to the user reporting both the password mismatch and a first user device identifier mismatch, or a combination thereof (Bemmel: ¶0034 a determination is made as to whether the pass-phrase (of the pass-phrase page) is valid [] the determination as to whether the pass-phrase displayed in the pass-phrase page is valid is a determination as to whether the pass-phrase displayed in the pass-phrase page matches the pass-phrase created by the user for the requested web page; ¶0033 if either the decryption is not valid or the identifiers do not match, method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page); and
when the second password, the first user device identifier, and the first browser identifier do not respectively match the first password, the first user device identifier, and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the website for the first user device, block the future access associated with the first password and the first user device identifier, transmit the password mismatch error to the second user device, transmit the first user device identifier mismatch error to the second user device, transmit the first browser identifier mismatch error to the second user device, transmit the notification via text or email to the user reporting the password mismatch, the browser mismatch, and a first user device identifier mismatch, or transmit a message to law enforcement, or a combination thereof (Bemmel: ¶0051 at step 322, the web server receives the login information from the user device; ¶0052 if the login information is not valid, method 300 proceeds to step 354, at which point the web server blocks the attempt to access the web page).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bemmel with the system/method of Yedidi and Goodwin to include the user device to receive deny the request to access the website for the first user device.
One would have been motivated for providing a more secure, user-friendly technique by which users may prevent phishing attacks while using the Internet (Bemmel: ¶0015).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Johnson (US 9755834) and Goodwin et al. (“Goodwin,” US 8234302).

Regarding claim 13: Yedidi discloses a user device, comprising:
one or more processors (Yedidi: fig. 5 item 510); and
a memory in communication with the one or more processors and storing instructions (Yedidi: fig. 5) that, when executed by the one or more processors, are configured to cause the user device to:
navigate a first browser to a login page for a website (Yedidi: ¶0040 a user logs in to a user account on content management system 106);
receive a first password inputted by a user of the user device via the first browser at the website (Yedidi: ¶0039 the user can provide input to user device 220 to provide the account identifier and password for the user's user account on content management system 106);
retrieve a user device identifier and a first browser identifier (Yedidi: ¶0044 login context database 300 can include browser configuration settings, device configuration settings, client application configuration settings, device performance statistics, and/or other device-specific information).
Yedidi does not explicitly disclose generate a first salt based on the user device identifier and the first browser identifier, apply the first salt to the first password to generate a first salted password without displaying an indication to the user device that the first salt was applied to the first password, and transmit the first salted password to an authentication system.
However, Johnson discloses generate a first salt based on the user device identifier and the first browser identifier (Johnson: col. 9 lines 3-12 at operation 312, the edge server 120 generates a cookie that includes a hash of [] one or more other values [] the one or more other values may include [] a browser identifier, [] a device identifier);
apply the first salt to the first password to generate a first salted password without displaying an indication to the user device that the first salt was applied to the first password (Johnson: col. 9 lines 7-9 the token value may include a hash value that may be generated by hashing the secret key); and
transmit the first salted password to an authentication system (Johnson: col. 9 lines 31-36 the client computing device 110, causes the client computing device 110 to transmit the token value (equal to the value of the "CSRF Cookie" 316) as part of the request. This token value may be submitted automatically as an HTTP request header, or as part of HTML form data by 35 adding a hidden field to all HTML forms on the resource).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Johnson with the system/method of Yedidi to include generate a first salt based on the user device identifier and the first browser identifier transmit the first salted password to an authentication system.
One would have been motivated for using a hash value to verify requests to prevent unauthorized data accessing (Johnson: col. 1 lines 8-10).
Yedidi in view of Johnson does not explicitly disclose gain access to the website when the first password, the first browser identifier, and the user device identifier of the first salted password matches a stored password, a stored first browser identifier, and a stored user device identifier beyond a predetermined threshold.
However, Goodwin discloses gain access to the website when the first password, the first browser identifier, and the user device identifier of the first salted password matches a stored password, a stored first browser identifier, and a stored user device identifier beyond a predetermined threshold (Goodwin: col. 5 lines 26-29 if the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi and Johnson to include gain access to the website when the first password, the first browser identifier, and the user device identifier of the first salted password matches a stored password, a stored first browser identifier, and a stored user device identifier beyond a predetermined threshold.
One would have been motivated for controlling access to electronic content stored on a content provider's server (Goodwin: col. 1 lines 52-53).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Johnson (US 9755834), Goodwin et al. (“Goodwin,” US 8234302) and Bemmel (US 2009/0006861).

Regarding claim 14: Yedidi in view of Johnson and Goodwin discloses the user device of claim 13.
Yedidi in view of Johnson and Goodwin does not explicitly disclose wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to receive an access denial message from the authentication system when the first password, the first browser identifier, and the user device identifier of the first salted password do not match the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold,
However, Bemmel discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to receive an access denial message from the authentication system when the first password, the first browser identifier, and the user device identifier of the first salted password do not match the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold (Bemmel: ¶0051 at step 322, the web server receives the login information from the user device; ¶0052 if the login information is not valid, method 300 proceeds to step 354, at which point the web server blocks the attempt to access the web page).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bemmel with the system/method of Yedidi, Johnson and Goodwin to include the user device to receive an access denial message from the authentication system.
One would have been motivated for providing a more secure, user-friendly technique by which users may prevent phishing attacks while using the Internet (Bemmel: ¶0015).

Claims 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Johnson (US 9755834), Goodwin et al. (“Goodwin,” US 8234302), Bemmel (US 2009/0006861) and Maxilom et al. (“Maxilom,” US 2020/0007607).

Regarding claim 15: Yedidi in view of Johnson, Goodwin and Bemmel discloses the user device of claim 14.
Yedidi in view of Johnson, Goodwin and Bemmel does not explicitly disclose wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to receive a first prompt to enter a first code, via the first browser, that is randomly generated when the first password, the first browser identifier, and the user device identifier of the first salted password do not match the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold.
However, Maxilom discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to receive a first prompt to enter a first code, via the first browser, that is randomly generated when the first password, the first browser identifier, and the user device identifier of the first salted password do not match the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold (Maxilom: ¶0023 the user/operator of the mobile device 130 then enters the code received through the out-of-band text message into a code enter screen rendered within the support manager 131).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Maxilom with the system/method of Yedidi, Johnson, Goodwin and Bemmel to include the user device to receive a first prompt to enter a first code, via the first browser, that is randomly generated.
One would have been motivated for establishing a secure session with the portal (Maxilom: ¶0002).
Regarding claim 16: Yedidi in view of Johnson, Goodwin, Bemmel and Maxilom discloses the user device of claim 15.
Johnson further discloses generate a second salt based on the user device identifier and the first browser identifier (Johnson: col. 9 lines 3-12 at operation 312, the edge server 120 generates a cookie that includes a hash of [] one or more other values [] the one or more other values may include [] a browser identifier, [] a device identifier);
apply the second salt to the second code to generate a salted code without displaying an indication to the user device that the second salt was applied to the second code (Johnson: col. 9 lines 7-9 the token value may include a hash value that may be generated by hashing the secret key);
transmit the salted code to the authentication system (Johnson: col. 9 lines 31-36 the client computing device 110, causes the client computing device 110 to transmit the token value (equal to the value of the "CSRF Cookie" 316) as part of the request. This token value may be submitted automatically as an HTTP request header, or as part of HTML form data by 35 adding a hidden field to all HTML forms on the resource);
generate a third salt based on the user device identifier and the first browser identifier (Johnson: col. 9 lines 3-12 at operation 312, the edge server 120 generates a cookie that includes a hash of [] one or more other values [] the one or more other values may include [] a browser identifier, [] a device identifier);
apply the third salt to the second password to generate a second salted password without displaying an indication to the user device that the first salt was applied to the second password (Johnson: col. 9 lines 7-9 the token value may include a hash value that may be generated by hashing the secret key); and
transmit the second salted password to the authentication system (Johnson: col. 9 lines 31-36 the client computing device 110, causes the client computing device 110 to transmit the token value (equal to the value of the "CSRF Cookie" 316) as part of the request. This token value may be submitted automatically as an HTTP request header).
The motivation is the same that of claim 13 above.
Goodwin further discloses gain access to the website when the second salted password matches the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold (Goodwin: col. 5 lines 26-29 if the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content).
The motivation is the same that of claim 13 above.
Bemmel further discloses receive a second prompt to enter a second password when the salted code matches the first code, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold (Bemmel: ¶0053 the pass-phrase creation page may include a statement requesting that the user enter a pass-phrase in a corresponding pass-phrase entry field. The pass-phrase creation page may include one or more suggested pass-phrases, thereby enabling the user to select one of the suggested pass-phrases); and
receive the second password inputted by the user of the user device via the first browser at the website (Bemmel: ¶0055 At step 336, the web server receives the pass-phrase).
The motivation is the same that of claim 14 above.
Maxilom further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to:
receive a second code inputted by the user (Maxilom: ¶0023 the user/operator of the mobile device 130 then enters the code received through the out-of-band text message into a code enter screen rendered within the support manager 131).
The motivation is the same that of claim 15 above.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Goodwin et al. (“Goodwin,” US 8234302) and Johnson (US 9755834).

Regarding claim 18: Yedidi in view of Goodwin discloses the system of claim 17.
Yedidi in view of Goodwin does not explicitly disclose wherein the first password is salted by the first user device without displaying an indication to the first user device that a first salt was applied to the first password.
However, Johnson discloses wherein the first password is salted by the first user device without displaying an indication to the first user device that a first salt was applied to the first password (Johnson: col. 9 lines 7-9 the token value may include a hash value that may be generated by hashing the secret key).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Johnson with the system/method of Yedidi and Goodwin to the first password is salted by the first user device without displaying an indication to the first user device that a first salt was applied to the first password.
One would have been motivated for using a hash value to verify requests to prevent unauthorized data accessing (Johnson: col. 1 lines 8-10).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Goodwin et al. (“Goodwin,” US 8234302), Bemmel (US 2009/0006861) and Johnson (US 9755834).

Regarding claim 20: Yedidi in view of Goodwin and Bemmel discloses the system of claim 19.
Goodwin further discloses when the second password matches the first password and the second browser identifier matches the first browser identifier beyond the predetermined threshold, but the second user device identifier does not match the first user device identifier beyond the predetermined threshold, grant the request to access the website for the second user device (Goodwin: col. 5 lines 18-33 if the user account ID/password matches an account ID/password stored in the user information data store, the server executes the matching of the unique device IDs to the ones, if any, stored in the user information data store and associated with that account ID. If a match is not found, the total number of different devices that have been previously used to access that particular content via that account, including the current one, is determined and compared to a predetermined limit or threshold. If the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content. However, if the total number exceeds the predetermined limit, access will be denied. If a match is found between the received unique device identifier and the device identifiers currently associated with the account, access will be granted).
The motivation is the same that of claim 17 above.
Bemmel further discloses Page 51 of 53Attorney Docket No.: COF0147 (029424.002531)when the second password matches the first password and the second user device identifier matches the first user device identifier beyond the predetermined threshold, but the second browser identifier does not match the first browser identifier beyond the predetermined threshold, grant the request to access the website for the first user device and perform the one or more actions comprising transmit the first browser identifier mismatch error to the second user device, or transmit the notification via text or email to the user reporting the browser mismatch, or a combination thereof (Bemmel: ¶0049 if the web server is not valid, method 300 proceeds to step 362 where method 300 ends. In other words, the user device aborts the attempt to access the web page).
The motivation is the same that of claim 19 above.
Yedidi in view of Goodwin and Bemmel does not explicitly disclose perform the one or more actions comprising transmit a user device mismatch error to the second user device, or transmit the notification via text or email to the user reporting a user device mismatch, or a combination thereof.
However, Johnson discloses perform the one or more actions comprising transmit a user device mismatch error to the second user device, or transmit the notification via text or email to the user reporting a user device mismatch, or a combination thereof (Johnson: col. 8 lines 18-23 at operation 245, the edge server 120 compares the first token value and the third token value to determine whether the first token value and the second token value both match the third token value. When the first token value and the second token value do not match the third token value, the flow continues to operation 255; lines 25-29 at operation 255, when the first token value and/or the second token value do not match the third token value [] the edge server 120 may return an error indication and does not process the request received from the client computing device 110).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Johnson with the system/method of Yedidi, Goodwin and Bemmel to include transmit a user device mismatch error to the second user device.
One would have been motivated for using a hash value to verify requests to prevent unauthorized data accessing (Johnson: col. 1 lines 8-10).









Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439              



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439