Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Response to Amendment
This is in response to the amendments filed on 8/22/2022. Claims 1, 4, and 5 have been amended. Claims 1-5 are currently pending and have been considered below. Amendments to claims 1, 4, and 5 have addressed and rectified the Examiner’s objections made in the previous office action. 

Response to Arguments
Applicant's arguments filed 8/22/2022 have been fully considered but they are not persuasive. On pages 5 and 6 of Remarks, Applicant contends that “… Examiner essentially argues the term “user computer” as used in Judell is so broad that it could mean the user’s application and server’s application both reside on the user computer and thus perform the same functions”. The examiner respectfully disagrees.
First, the examiner respectfully notes that claims 1, 4, and 5 do not recite a “server’s application” and instead recite a “service client’s application”, which may reside on a user’s computer.
Second, the examiner did not interpret both the “user’s application” and the “service client’s application” as residing on Judell’s user computer, but instead referred to the “user’s application” as the programmable function carried out within Judell’s online merchant. Thus, for purposes of further discussion, it should be noted that the “user’s application” was being interpreted as being within Judell’s online merchant while the “service client’s application” was being interpreted as being within Judell’s user computer. This interpretation was also supported by the prior mapping of each of the claims’ respective “transmitting the challenge string … though (sic) the user’s application” limitation in Fig. 7, message 710 and paragraph 114 of Judell. Specifically, these citations of Judell expressly disclose that the challenge request can be sent from an online security server (i.e., the authorizing party of Fig. 7) via the online merchant to the user’s computer. This mapping thus supports the examiner’s above assertion that the user computer was not relied on for both the “user’s application” and the “service client’s application” limitation, but instead only relied on for disclosing the “service client’s application”.
As such, the above assertion made by Applicant is found not persuasive, and thus the interpretation of Judell in view of the claims is maintained.
Applicant continues on page 7 of Remarks to state, “The present claimed invention, viewed in light of exemplary Fig. 2-4 … discloses a similar layout of the elements as compared to Judell”; however, this is inaccurate: Fig. 2-4 of Applicant’s Drawings disclose a flow chart that depicts elements such as “end user”, “client”, and “service provider”, none of which are expressly shown by Fig. 7 of Judell. Further, Applicant also recites on page 7 that, “In contrast to Judell, and of particular importance to Applicant’s invention, the response to the challenge is received by the service provider from the client, not the user. This is a critical difference between the claimed invention and Judell”; however, such a difference is not defined within the claim, as no “user” is found as performing any of the claimed steps. Specifically, claims 1, 4, and 5 merely describe that a response string is received through “the at least one interface from the service client’s application” but make no mention of the response string not being received from a user. As such, the examiner maintains the rejection.
Further, on page 8, Applicant summarizes that, “It would be improper to interchange user computer and online merchant in Judell, thus, it is impermissibly broad and improper to assert Judell teaches receipt of the response string from the client when Judell expressly teaches it receives a response from the user computer”, however no such assertion was made. As shown above, the examiner mapped the “user’s application” to Judell’s online merchant and the “service client’s application” to Judell’s user computer, and therefore no terms were interchanged. Thus, because the response string of Judell is received at the authorizing party from the user’s computer via the “user’s installation program” (i.e., the claimed “service client’s application”), then Judell fully discloses that “the response to the challenge is received by the service provider from the client”, and the rejection is maintained.

Claim Objections
Claims 1, 4, and 5 are objected to because of the following informalities:
Claim 1 recites “transmitting the challenge string and the image though the user’s user’s application” which should be changed to --transmitting the challenge string and the image through the user’s application-- (emphasis added).
Claim 4 recites  “transmitting the challenge string and the image though the user’s application” which should be changed to --transmitting the challenge string and the image through the user’s application-- (emphasis added).
Claim 5 recites “transmitting the challenge string and one of the plurality of images though the user’s application” which should be changed to --transmitting the challenge string and one of the plurality of images through the user’s application-- (emphasis added).  Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claim 4 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over “Judell” (US 2012/0239928) in view of “Singhal” (US 8220030).

Regarding Claim 4:
Judell teaches:
A method for authenticating the identity of a requester of access to a secured resource (Fig. 7) comprising the steps of: 
providing at least one interface (Fig. 4, element 410; ¶0055, “The I/O interface 410 includes a connector 412 that can include a LAN, WAN, or other connection for coupling to the communications network 100. In this manner, electronic information can be sent to and received by the verification server 400 via the I/O interface 410”) adapted to receive and transmit data in communication with a user's application (¶0080, “The request 702 can be made to an online merchant after the user has selected the item for purchase and proceeds to complete the transaction in a "checkout" window presented to the user computer by the online merchant's website”), a service client's application (¶0074, “The user can receive an authentication installation program 604 by downloading the program from the authorizing party's website”), or both; 
receiving an authorization request message to authorize access to the secured resource by the service client (¶0080, “The method 700 can commence with a transaction authorization request 702 initiated form an electronic device such as a user computer to perform an online transaction, for example to purchase an item from an online merchant’s website… where the user is requested to enter an identification such as a user-name and authorizing issuer ID…”), the authorization request message having been received through the at least one interface from the service client's application (Fig. 7 details that request message 702 is sent to authorizing party via the online merchant at step 704); 
generating a challenge string (¶0082, “The authorizing party generates a challenge request 706, and transmits the challenge request 708 to the user computer… In a preferred embodiment, the challenge request 706 includes a random challenge…”); 
…
transmitting the challenge string … though the user's application (Fig. 7, message 710 can be sent to the user computer by way of the online merchant, as detailed in paragraphs 114 and 125. For example, paragraph 114 states, “The challenge request 1206 is output 1208 from the online security server 910 directly to the user computer 902, or via the online merchant 904 to the user computer 902”); 
…
receiving a response string corresponding to the challenge string, the response string having been received through the at least one interface from the service client's application (¶0075, “For example, the user can create a phrase, alphanumeric sequence, and the like, for user as a password, and enter it into the user interface. The installation program processes the password, so that it can be provided in response to a challenge request…”; ¶0055, “… electronic information can be sent to and received by the verification server 400 via the I/O interface 410”; i.e., receive the response from the user’s installation program via the at least one interface); and 
validating the service client's request to access the secured resource by determining if the response string answers the challenge string (Fig. 7, step 718; ¶0085, “The authorizing party decrypts 718 the challenge request using the public key, and compares the decrypted challenge request to the original challenge request. The authorizing party outputs a verification result 720 to the user computer, either verifying the user or denying the request”).
Judell does not disclose:
selecting an image from predetermined image database and associating the image with a publicly accessible Universal Resource Locator (URL); 
transmitting the challenge string and the image though the user's application; 
transmitting the publicly accessible URL to the service client's application; 
Singhal teaches:
selecting an image (Figure 1, element 60; Col. 5, lines 44-48, “In Step 5, secure web server 30 embeds the RAA code 24C in the login webpage. Alternatively, the secure web server embeds the code image link 24F in the login web page”) from predetermined image database (Figure 6, element 24F is within database element 24) and associating the image with a publicly accessible Universal Resource Locator (URL) (Figure 1, URL element 52 is associated with the image element 60, which is shown as element 24F in Figure 6);
transmitting the challenge string and the image through the user’s application (Col. 5, lines 44-48, “In Step 5, secure web server 30 embeds the RAA code 24C in the login webpage. Alternatively, the secure web server embeds the code image link 24F in the login web page”);
transmitting the publicly accessible URL to the service client’s application (Col. 5, lines 46-51, “The login web page is then sent to the connection request from client 12. In Step 6, client 12’s operating system (OS) receives the login web page from secure server 30 and displays as webpage 54 on the client screen”; Figure 1 further details login web page showing URL element 52);
At the time of the invention it would have been obvious to one with ordinary skill in the art to modify Judell’s authentication system by enhancing Judell’s authentication method to transmit a unique image along with a password challenge, as taught by Singhal, in order to prevent a user from entering login credentials into a fraudulent website.
The motivation is to assure that a user is interacting with a valid webpage by providing image data that indicates that the webpage is not fraudulent (Singhal, Abstract), thus preventing theft of the user’s credentials or other private information (Singhal, Col. 1, lines 19-23).

Claim 5 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over “Judell” (US 2012/0239928) in view of “Fang” (US 8732089).

Regarding Claim 5:
Judell teaches:
A method for authenticating the identity of a requester of access to a secured resource (Fig. 7) comprising the steps of: 
providing at least one interface (Fig. 4, element 410; ¶0055, “The I/O interface 410 includes a connector 412 that can include a LAN, WAN, or other connection for coupling to the communications network 100. In this manner, electronic information can be sent to and received by the verification server 400 via the I/O interface 410”) adapted to receive and transmit data in communication with a user's application (¶0080, “The request 702 can be made to an online merchant after the user has selected the item for purchase and proceeds to complete the transaction in a "checkout" window presented to the user computer by the online merchant's website”), a service client's application (¶0074, “The user can receive an authentication installation program 604 by downloading the program from the authorizing party's website”), or both; 
receiving an authorization request message to authorize access to the secured resource by the service client (¶0080, “The method 700 can commence with a transaction authorization request 702 initiated form an electronic device such as a user computer to perform an online transaction, for example to purchase an item from an online merchant’s website… where the user is requested to enter an identification such as a user-name and authorizing issuer ID…”), the authorization request message having been received through the at least one interface from the service client's application (Fig. 7 details that request message 702 is sent to authorizing party via the online merchant at step 704); 
generating a challenge string (¶0082, “The authorizing party generates a challenge request 706, and transmits the challenge request 708 to the user computer… In a preferred embodiment, the challenge request 706 includes a random challenge…”); 
…
transmitting the challenge string … though the user's application (Fig. 7, message 710 can be sent to the user computer by way of the online merchant, as detailed in paragraphs 114 and 125. For example, paragraph 114 states, “The challenge request 1206 is output 1208 from the online security server 910 directly to the user computer 902, or via the online merchant 904 to the user computer 902”); 
…
receiving a response string corresponding to the challenge string …, the response string … having been received through the at least one interface from the service client's application (¶0075, “For example, the user can create a phrase, alphanumeric sequence, and the like, for user as a password, and enter it into the user interface. The installation program processes the password, so that it can be provided in response to a challenge request…”; ¶0055, “… electronic information can be sent to and received by the verification server 400 via the I/O interface 410”; i.e., receive the response from the user’s installation program via the at least one interface); and 
validating the service client's request to access the secured resource by determining if the response string answers the challenge string (Fig. 7, step 718; ¶0085, “The authorizing party decrypts 718 the challenge request using the public key, and compares the decrypted challenge request to the original challenge request. The authorizing party outputs a verification result 720 to the user computer, either verifying the user or denying the request”) … .
Judell does not disclose:
selecting a plurality of images from predetermined image database and associating each of the plurality of images with a unique publicly accessible Universal Resource Locator (URL); 
transmitting the challenge string and one of the plurality of images though the user's application; 
transmitting the publicly accessible URL to the service client's application; 
receiving a response string corresponding to the challenge string and a response image, the response string and response image having been received through the at least one interface from the service client's application; and 
validating the service client's request to access the secured resource by determining if the response string answers the challenge string and the response image matches the one of the plurality of images.
Fang teaches:
selecting a plurality of images from predetermined image database (Col. 6, lines 1-17; Col. 10, lines 26-35 disclose selecting images to include in a security challenge message via using a user’s transaction database) and associating each of the plurality of images with a unique publicly accessible URL (Col. 10, lines 14-18, “For example, trigger module 314a may have monitored data received from one of terminals 140-160 from which the user has access an Internet site”; i.e., the images are associated with an Internet site); 
transmitting the challenge string (Col. 10, lines 18-25, “Triggering of the security challenge question may follow viewing or attempting to view a certain page…”) and one of the plurality of images though the user's application (Col. 3, lines 10-20, “The method may receive, from the user, a selection of one … items in the group and determine whether the selected one … item are included in the transaction history”; i.e., transmit a single image for selection to the user); 
transmitting the publicly available URLs to the service client's application (Col. 5, lines 3-5, “Users may access retail server 110 over network 130 though any Internet browser … For example, the retail server 110 may transmit a document (e.g., a web page) that is accessible by an Internet browser”); 
receiving a response string corresponding to the challenge string (Col. 8, lines 13-14, “Challenge module 314d may receive and evaluate user selections of items included in a security challenge question”) and a response image  (Col. 3, lines 10-20, “The method may receive, from the user, a selection of one … items in the group and determine whether the selected one … item are included in the transaction history”; i.e., transmit a single image for selection to the user), the response string and response image having been received through the at least one interface from the service client's application (Col. 7, lines 55-56, “Display module 314c may format and transmit data for a security challenge question to one of terminals 140-160”; i.e., the response to the challenge originates from the user terminals 140-160); and 
validating the service client's request to access the secured resource by determining if the response string answers the challenge string and the response image matches the one of the plurality of images  (Col. 3, lines 10-20, “The method may receive, from the user, a selection of one … items in the group and determine whether the selected one … item are included in the transaction history”; i.e., validate whether the user selected the correct image via the challenge response).
At the time of the invention it would have been obvious to one with ordinary skill in the art to modify Judell’s authentication system by enhancing Judell’s authentication challenge to include a plurality of unique images, as taught by Fang, in order to prevent a user from entering login credentials into a fraudulent website.
The motivation is to assure that a user is interacting with a valid webpage by providing image data that indicates that the webpage is not fraudulent while preserving the user experience with the webpage (Fang, Col. 2, lines 1-5).

Claims 1-3 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over “Judell” (US 2012/0239928) in view of “O’Gorman” (US 2007/0094497) in further view of “Singhal” (US 8220030).

Regarding Claim 1:
Judell teaches:
A method for authenticating the identity of a requester of access to a secured resource (Fig. 7) comprising the steps of: 
providing at least one interface (Fig. 4, element 410; ¶0055, “The I/O interface 410 includes a connector 412 that can include a LAN, WAN, or other connection for coupling to the communications network 100. In this manner, electronic information can be sent to and received by the verification server 400 via the I/O interface 410”) adapted to receive and transmit data in communication with a user's application (¶0080, “The request 702 can be made to an online merchant after the user has selected the item for purchase and proceeds to complete the transaction in a "checkout" window presented to the user computer by the online merchant's website”) and a service client's application (¶0074, “The user can receive an authentication installation program 604 by downloading the program from the authorizing party's website”); 
receiving an authorization request message to authorize access to the secured resource by the service client (¶0080, “The method 700 can commence with a transaction authorization request 702 initiated form an electronic device such as a user computer to perform an online transaction, for example to purchase an item from an online merchant’s website… where the user is requested to enter an identification such as a user-name and authorizing issuer ID…”), the authorization request message having been received through the at least one interface from the service client's application (Fig. 7 details that request message 702 is sent to authorizing party via the online merchant at step 704); 
generating a challenge string with the challenge string being at least a partially random string having a plurality of symbols (¶0082, “The authorizing party generates a challenge request 706, and transmits the challenge request 708 to the user computer… In a preferred embodiment, the challenge request 706 includes a random challenge…”), …; 
…
transmitting the challenge string … through the user's application (Fig. 7, message 710 can be sent to the user computer by way of the online merchant, as detailed in paragraphs 114 and 125. For example, paragraph 114 states, “The challenge request 1206 is output 1208 from the online security server 910 directly to the user computer 902, or via the online merchant 904 to the user computer 902”);
…
receiving a response string corresponding to the challenge string, the response string having been received through the at least one interface from the service client’s application (¶0075, “For example, the user can create a phrase, alphanumeric sequence, and the like, for user as a password, and enter it into the user interface. The installation program processes the password, so that it can be provided in response to a challenge request…”; ¶0055, “… electronic information can be sent to and received by the verification server 400 via the I/O interface 410”; i.e., receive the response from the user’s installation program via the at least one interface); and 
validating the service client's request to access the secured resource by determining if the response string answers the challenge string (Fig. 7, step 718; ¶0085, “The authorizing party decrypts 718 the challenge request using the public key, and compares the decrypted challenge request to the original challenge request. The authorizing party outputs a verification result 720 to the user computer, either verifying the user or denying the request”).
Judell does not disclose:
… wherein at least one of the symbols of the challenge string is a specially-designated symbol indicating the absence from the random string of a single randomly-selected symbol; 
selecting an image from predetermined image database and associating the image with a publicly accessible Universal Resource Locator (URL);
transmitting the challenge string and the image through the user’s application;
transmitting the publicly accessible URL to the service client’s application;
O’Gorman teaches:
… wherein at least one of the symbols of the challenge string (¶0048, “… system 310 can transmit the entire transmitted sequence T before expecting the returned sequence R to be received form the user”; ¶0042, “In generating the challenge and camouflage elements, system 310 forms transmitted sequence T, which is made up of challenge elements … and camouflage elements ….”) is a specially-designated symbol (¶0037, “For example, if the secret string is “4296” … then the system 310 might have the user memorize “red=4, green=2, blue=9, yellow=6”, wherein the substitution symbols “red”, “green”, “blue”, and “yellow” …”) indicating the absence from the random string of a single randomly-selected symbol (¶0014, “… the user memorizes N randomly generated substitutions… For instance, the sequence that is transmitted as voice signals to the user might be “3, Yellow, 0, 5, Red, Green”, which would mean that the correct string returned as voice signals from the user would be “3, 6, 0, 6, 4, 2””; i.e., a user receives a challenge string comprising special substitution symbols (colors) that correspond to randomly-selected alphanumeric characters of a PIN or password, and thus each color indicates the absence of said randomly-selected alphanumeric character); 
At the time of the invention it would have been obvious to one with ordinary skill in the art to modify Judell’s authentication system by enhancing Judell’s challenge string to include at least one specially-designated symbol indicating an absence of a single randomly-selected symbol, as taught by O’Gorman, in order to prevent eavesdroppers from intercepting challenge/reply authentication messages.
The motivation is to utilize symbols in a challenge string that are randomly-selected and memorized by a user so that only the user in which the challenge string is sent to can send a reply that verifies the user. This prevents man-in-the-middle attacks on a challenge/response protocol as an eavesdropper could not intercept and replay the challenge or response without shared knowledge of the user’s memorized randomly-selected symbols.
Judell in view of O’Gorman does not disclose:
selecting an image from predetermined image database and associating the image with a publicly accessible URL;
transmitting the challenge string and the image through the user’s application;
transmitting the publicly available URL to the service client’s application;
Singhal teaches:
selecting an image (Figure 1, element 60; Col. 5, lines 44-48, “In Step 5, secure web server 30 embeds the RAA code 24C in the login webpage. Alternatively, the secure web server embeds the code image link 24F in the login web page”) from predetermined image database (Figure 6, element 24F is within database element 24) and associating the image with a publicly accessible URL (Figure 1, URL element 52 is associated with the image element 60, which is shown as element 24F in Figure 6);
transmitting the challenge string and the image through the user’s application (Col. 5, lines 44-48, “In Step 5, secure web server 30 embeds the RAA code 24C in the login webpage. Alternatively, the secure web server embeds the code image link 24F in the login web page”);
transmitting the publicly available URL to the service client’s application (Col. 5, lines 46-51, “The login web page is then sent to the connection request from client 12. In Step 6, client 12’s operating system (OS) receives the login web page from secure server 30 and displays as webpage 54 on the client screen”; Figure 1 further details login web page showing URL element 52);
At the time of the invention it would have been obvious to one with ordinary skill in the art to modify Judell in view of O’Gorman’s authentication system by enhancing Judell in view of O’Gorman’s authentication method to transmit a unique image along with a password challenge, as taught by Singhal, in order to prevent a user from entering login credentials into a fraudulent website.
The motivation is to assure that a user is interacting with a valid webpage by providing image data that indicates that the webpage is not fraudulent (Singhal, Abstract), thus preventing theft of the user’s credentials or other private information (Singhal, Col. 1, lines 19-23).

Regarding Claim 2:
The method of claim 1, wherein Judell in view of O’Gorman in further view of Singhal further teaches the response string comprises a replacement plurality of symbols inserted for the at least one of the specially-designated symbol (O’Gorman, ¶0037, “For example, if the secret string is “4296” … then the system 310 might have the user memorize “red=4, green=2, blue=9, yellow=6”, wherein the substitution symbols “red”, “green”, “blue”, and “yellow” …”; i.e., insert the corresponding numerals memorized for camouflaged elements “red”, “green”, “blue”, and “yellow” within challenge string). 
The examiner notes that the motivation to combine O’Gorman with Judell for the purposes of rejecting claim 2 is the same as that stated above for the rejection of claim 1.

Regarding Claim 3:
The method of claim 2 wherein Judell in view of O’Gorman in further view of Singhal further teaches determining if the response string answers the challenge string comprise the step of comparing the replacement plurality of symbols to a private string (O’Gorman, Figure 5, step 507; ¶0056, “At task 507, system 310 determines if returned sequence R is correct for the particular user. As those who are skilled in the art will appreciate, various criteria exist for determining whether the sequence is correct, such as matching all of the elements, matching a majority of the elements, and so forth. If returned sequence R is correct, task execution proceeds to task 508”).
The examiner notes that the motivation to combine O’Gorman with Judell for the purposes of rejecting claim 3 is the same as that stated above for the rejection of claim 1.
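As an added illustration of the challenge string of claims 1-3 as mapped to O’Gorman’s substitution example (this code is not part of this Office action or of any cited reference): the authorizing party issues a string mixing plain digits with specially-designated colour symbols, the user replaces each colour with the memorized private-string digit, and the verifier compares those replacement symbols to the private string and refuses a reused challenge. The enrollment record, the hand-built sample challenge and all names are constructed assumptions.

```python
import hmac
import random
from dataclasses import dataclass

DIGITS = "0123456789"


@dataclass(frozen=True)
class Enrollment:
    """What the authorizing party stores for one user: the private string and the
    memorized substitution symbols, one per private-string position (hypothetical
    record modelled on O'Gorman's 'red=4, green=2, blue=9, yellow=6' example)."""
    private_string: str                # e.g. "4296"
    substitutions: tuple               # e.g. ("red", "green", "blue", "yellow")

    def __post_init__(self):
        if len(self.substitutions) != len(self.private_string):
            raise ValueError("one substitution symbol per private-string position")
        if set(self.substitutions) & set(DIGITS):
            raise ValueError("substitution symbols must not collide with plain digits")


def generate_challenge(enrollment, length=6, special_count=3, rng=None):
    """Build a challenge string of `length` symbols. `special_count` positions carry a
    specially-designated symbol (a memorized colour) marking the absence of a randomly
    selected private-string digit; the other positions are random plain digits the user
    simply echoes. A CSPRNG is used unless the caller supplies its own rng."""
    rng = rng or random.SystemRandom()
    if not 0 < special_count <= min(length, len(enrollment.private_string)):
        raise ValueError("special_count out of range")
    special_positions = set(rng.sample(range(length), special_count))
    chosen = rng.sample(range(len(enrollment.private_string)), special_count)
    challenge = []
    for pos in range(length):
        if pos in special_positions:
            challenge.append(enrollment.substitutions[chosen.pop()])  # distinct digit each
        else:
            challenge.append(rng.choice(DIGITS))
    return tuple(challenge)


def expected_response(enrollment, challenge):
    """The response an enrolled user produces: plain digits are echoed, and each
    specially-designated symbol is replaced by the private-string digit it stands for."""
    return tuple(
        enrollment.private_string[enrollment.substitutions.index(sym)]
        if sym in enrollment.substitutions else sym
        for sym in challenge
    )


def validate(enrollment, challenge, response):
    """Claim 3 style check: the replacement symbols the user inserted for the
    specially-designated symbols are compared against the private string, and the plain
    symbols must come back unchanged. Both comparisons run in constant time."""
    if len(response) != len(challenge):
        return False
    replacement, private_part, echoed, plain = [], [], [], []
    for sym, got in zip(challenge, response):
        if sym in enrollment.substitutions:
            replacement.append(got)
            private_part.append(enrollment.private_string[enrollment.substitutions.index(sym)])
        else:
            echoed.append(got)
            plain.append(sym)
    ok_private = hmac.compare_digest(",".join(replacement).encode(), ",".join(private_part).encode())
    ok_plain = hmac.compare_digest(",".join(echoed).encode(), ",".join(plain).encode())
    return ok_private and ok_plain


class AuthorizingParty:
    """Issues single-use challenges and verifies responses, so a captured
    challenge/response pair cannot simply be replayed (the motivation stated above)."""

    def __init__(self):
        self._enrollments = {}
        self._outstanding = set()   # (user, challenge) pairs awaiting a response

    def enroll(self, user, enrollment):
        self._enrollments[user] = enrollment

    def issue_challenge(self, user, rng=None):
        challenge = generate_challenge(self._enrollments[user], rng=rng)
        self._outstanding.add((user, challenge))
        return challenge

    def verify(self, user, challenge, response):
        key = (user, challenge)
        if key not in self._outstanding:
            return False                 # unknown or already-used challenge
        self._outstanding.discard(key)   # one attempt per challenge, pass or fail
        return validate(self._enrollments[user], challenge, response)


# Constructed sample data: the enrollment follows O'Gorman's quoted example; the
# challenge is hand-built rather than generated so that the expected response is fixed.
DEMO_ENROLLMENT = Enrollment("4296", ("red", "green", "blue", "yellow"))
DEMO_CHALLENGE = ("3", "yellow", "0", "5", "red", "green")
DEMO_RESPONSE = ("3", "6", "0", "5", "4", "2")

if __name__ == "__main__":
    party = AuthorizingParty()
    party.enroll("alice", DEMO_ENROLLMENT)
    issued = party.issue_challenge("alice")
    answer = expected_response(DEMO_ENROLLMENT, issued)
    print("challenge:", issued, "first attempt:", party.verify("alice", issued, answer))
    print("replay of same pair:", party.verify("alice", issued, answer))
```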

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491