DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
This Office Action is in response to the application 17/323450 filed on 05/18/2021.
Claims 1-20 have been examined and are pending in this application. 

Priority
Applicant priority to U.S. Provisional application No. 61/588084, filed on 01/18/2012, U.S. Patent Application No. 13/745354 (Now Patent 9344413), filed on 01/18/2013, U.S. Patent Application No. 15/155264 (Now Abandoned), filed on 05/16/2016, and U.S. Patent Application No. 16/002990 (Now Patent 11012240), filed on 06/07/2018l, is acknowledged. 

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 05/18/2021, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1, 9 and 16 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 8 and 15 of U.S. Patent No. 9344413. Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in claims 1, 9 and 16 of the instant application are encompassed all limitations recited in claims 1, 8 and 15 of the patent ‘413, respectively.  Refer to the comparison table below for details.

Instant Application 17/323450


Patent No. 9344413


Claim 1:  A method for disabling a device associated with a virtual identity, the method comprising:
receiving, from the device, a request to use the virtual identity, the request comprising:

a passcode guess; and
a device identifier;












determining that the passcode guess docs not authorize use of the virtual identity;


incrementing a number of incorrect passcode guesses received within a time interval;


determining that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold;

storing an indication that subsequent requests associated with the device identifier should not authorize use of the virtual identity.



Claim 1: A method for disabling a device associated with a virtual identity, the method comprising:
receiving, at an identity repository computer system and from the device, a request to use the virtual identity, wherein:
the request comprises a passcode guess and
a device identifier, wherein the passcode guess comprises a hash of a salted password; and
the identity repository computer system stores device identifiers for a plurality of registered devices that have previously been paired with the virtual identity;
determining, by the identity repository computer system, that the device identifier received from the device matches at least one of the device identifiers of the plurality of registered devices that are paired with the virtual identity, thereby indicating that the device is a registered device that was previously paired with the virtual identity;
determining, by the identity repository computer system, that the passcode guess does not authorize use of the virtual identity even though it is received from a registered device;
incrementing, by the identity repository computer system, a number of incorrect passcode guesses received within a time interval that is specific to the device;
determining, by the identity repository computer system, that the number of incorrect passcode guesses received from the device within the time interval is greater than or equal to a threshold; and
storing, by the identity repository computer system, an indication that subsequent requests associated with the device identifier should not authorize use of the virtual identity, while still allowing any of the other registered devices in the plurality of registered devices to authorize use of the virtual identity.

Claim 9:  A method for disabling a device associated with a virtual identity, the method comprising:

receiving, from the device, a request to register an unregistered device, the request comprising:
a passcode guess; and
a device identifier;












determining that the passcode guess does not authorize registration of the unregistered device;


incrementing a number of incorrect passcode guesses received within a time interval;


determining that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold;

storing an indication that subsequent requests associated with the device identifier should not register unregistered devices.







Claim 16:  An identity repository comprising:
one or more interfaces that receive requests from user devices;
one or more processors; and
one or more memories communicatively coupled to the one or more processors, having instructions stored thereon, which, when executed by the one or more processors, cause the one or more processors to:
receive a request from the device through the one or more interfaces, the request comprising:


a passcode guess; and
a device identifier;













determine that the passcode guess is incorrect;


increment a number of incorrect passcode guesses received within a time interval;


determine that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold; and

generate an indication in the one or more memories that subsequent requests associated with the device identifier should not be granted.
        
Claim 8:  A non-transitory, computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:
receiving, at an identity repository computer system and from the device, a request to use the virtual identity, wherein:
the request comprises a passcode guess and
a device identifier, wherein the passcode guess comprises a hash of a salted password; and
the identity repository computer system stores device identifiers for a plurality of registered devices that have previously been paired with the virtual identity;
determining, by the identity repository computer system, that the device identifier received from the device matches at least one of the device identifiers of the plurality of registered devices that are paired with the virtual identity, thereby indicating that the device is a registered device that was previously paired with the virtual identity;
determining, by the identity repository computer system, that the passcode guess does not authorize use of the virtual identity even though it is received from a registered device;
incrementing, by the identity repository computer system, a number of incorrect passcode guesses received within a time interval that is specific to the device;
determining, by the identity repository computer system, that the number of incorrect passcode guesses received from the device within the time interval is greater than or equal to a threshold; and
storing, by the identity repository computer system, an indication that subsequent requests associated with the device identifier should not authorize use of the virtual identity, while still allowing any of the other registered devices in the plurality of registered devices to authorize use of the virtual identity.



Claim 15:  An identity repository computer system comprising:
one or more interfaces that receive requests from user devices;
one or more computer processors; and
one or more memories comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:

receiving, at the identity repository computer system and from the device through the one or more interfaces, a request to use the virtual identity, wherein:
the request comprises a passcode guess and
a device identifier, wherein the passcode guess comprises a hash of a salted password; and
the identity repository computer system stores device identifiers for a plurality of registered devices that have previously been paired with the virtual identity;
determining, by the identity repository computer system, that the device identifier received from the device matches at least one of the device identifiers of the plurality of registered devices that are paired with the virtual identity, thereby indicating that the device is a registered device that was previously paired with the virtual identity;
determining, by the identity repository computer system, that the passcode guess does not authorize use of the virtual identity even though it is received from a registered device;
incrementing, by the identity repository computer system, a number of incorrect passcode guesses received within a time interval that is specific to the device;
determining, by the identity repository computer system, that the number of incorrect passcode guesses received from the device within the time interval is greater than or equal to a threshold; and

storing, by the identity repository computer system, an indication in the one or more memories that subsequent requests associated with the device identifier should not authorize use of the virtual identity, while still allowing any of the other registered devices in the plurality of registered devices to authorize use of the virtual identity.



Claims 1, 9 and 16 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 11 of U.S. Patent No. 11012240.  Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in claims 1, 9 and 16 of the instant application are encompassed all limitations recited in claims 1 and 11 of the patent ‘240, respectively. Refer to the comparison table below for details.

Instant Application 17/323450


Patent No. 11012240


Claims 1 and 9:  A method for disabling a device associated with a virtual identity, the method comprising:
receiving, from the device, a request to register an unregistered device, the request comprising:
a passcode guess; and


a device identifier;
determining that the passcode guess does not authorize registration of the unregistered device;
incrementing a number of incorrect passcode guesses received within a time interval;


determining that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold;
storing an indication that subsequent requests associated with the device identifier should not register unregistered devices.



Claim 1: A method for disabling a device associated with a virtual identity, the method comprising:
receiving, from the device, a request to register an unregistered device, the request associated with an electronic on-line transaction comprising:
a passcode guess, wherein the passcode guess comprises a digital signature derived from a user-provided passcode; and
a device identifier;
determining that the passcode guess does not authorize registration of the unregistered device; 
incrementing a number of incorrect passcode guesses received within a time interval, wherein the incrementing is based on predetermined values for a type of transaction;
determining that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold;
storing an indication that subsequent requests associated with the device identifier should not register unregistered devices;
disabling the device associated with the virtual identity based on the receiving, the determining that the passcode guess, the incrementing, the determining that the number of incorrect passcode guesses received, and the storing the indication;
receiving a request to register a second unregistered device, the request to register the second unregistered device comprising:
a second passcode guess; and
the device identifier; and
denying the request to register the second unregistered device based on the indication.

Claim 16:  An identity repository comprising:
one or more interfaces that receive requests from user devices;
one or more processors; and
one or more memories communicatively coupled to the one or more processors, having instructions stored thereon, which, when executed by the one or more processors, cause the one or more processors to:
receive a request from the device through the one or more interfaces, the request comprising:

a passcode guess; and


a device identifier;
determine that the passcode guess is incorrect;
increment a number of incorrect passcode guesses received within a time interval;


determine that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold; and
generate an indication in the one or more memories that subsequent requests associated with the device identifier should not be granted.
        
Claim 11:  An identity repository comprising: 

one or more interfaces that receive requests from a device;
one or more processors; and
one or more memories communicatively coupled to the one or more processors, having instructions stored thereon, which, when executed by the one or more processors, cause the one or more processors to:
receive a request from the device through the one or more interfaces, the request associated with an electronic on-line transaction comprising:
a passcode guess, wherein the passcode guess comprises a digital signature derived from a user-provided passcode; and
a device identifier;
determine that the passcode guess is incorrect; 

increment a number of incorrect passcode guesses received within a time interval, wherein the incrementing is based on predetermined values for a type of transaction;
determine that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold;
generate an indication in the one or more memories that subsequent requests associated with the device identifier should not be granted;
disable the device associated based on the receive, the determine that the passcode guess is incorrect, the increment, the determine that the number of incorrect passcode guesses received, and the generate the indication;
receive a request to register a second unregistered device, the request to register the second unregistered device comprising:
a second passcode guess; and
the device identifier; and
deny the request to register the second unregistered device based on the indication.





Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


Claims 1-2, 9-11, 13 and 16-19 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over McDowell et al. (“McDowell,” US 2009/0260064) in view of Armingaud (US 2002/0108046).

Regarding claim 1: McDowell discloses a method for disabling a device associated with a virtual identity, the method comprising: 
receiving, from the device, a request to use the virtual identity (McDowell: fig. 3 step 50; ¶0034 at step 50, the user navigates to the account login interface 24), the request comprising: 
a passcode guess (McDowell: fig. 3 step 52; ¶0034 at step 52 the user provides username and password information); and
a device identifier (McDowell: fig. 3 step 52; ¶0034 submission of username and password information includes automatic collection of device identifier information); 
determining that the passcode guess does not authorize use of the virtual identity (McDowell: fig. 3 steps 56,58, and 60; ¶0035 if the information provided by the user does not match the stored username/password and device information data, then at step 60 verification system 14 determines that the login attempt was unauthorized); 
storing an indication that subsequent requests associated with the device identifier should not authorize use of the virtual identity (McDowell: ¶0050 at step 82, verification system 14 compares the data provided by user device 10b to records stored by user-side database 18 and, assuming the user is in fact attempting to login from an unregistered device, will determine that the device identifier provided does not match stored records, …, this may be indicated by a flag stored on the user's account, or may be based on the presence of an authorization code).
McDowell does not explicitly disclose incrementing a number of incorrect passcode guesses received within a time interval and determining that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold. 
However, Armingaud discloses incrementing a number of incorrect passcode guesses received within a time interval (Armingaud: ¶0017 to check the number of rejected access attempts for that user during a predefined time interval N);
determining that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold (Armingaud: ¶0017 if either the password does not match the expected one or the number of unsuccessful attempts to log is higher than the predetermined number, access is denied to the user and a new time stamp of the ungranted access is stored).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Armingaud with the system and method of McDowell to include incrementing a number of incorrect passcode guesses received within a time interval.  One would have been motivated to providing a method for controlling access to a computer resource consists in performing a user authentication procedure upon receiving a request from a user to access the computer resource (Armingaud: ¶0017).

Regarding claim 2: McDowell in view of Armingaud discloses the method of claim 1.
McDowell further discloses wherein one or more user devices associated with the virtual identity are allowed to provide correct passcode guesses and authorize use of the virtual identity (McDowell: fig. 3 steps 54, 56, 58, and 66; ¶0035 at step 54, the username/password and device identification data provided by the user device, …, at step 56, verification system 14 compares username/password information provided by the user and device identifiers to records stored in user-side database 18, …, at step 58, verification system 14 determines whether a match exists; ¶0037 at step 66, if the username/password combo and device identifier information is correct, …, then verification system 14 provides the user with access to account management interface 26 ).

Regarding claim 9: McDowell discloses a method for disabling a device associated with a virtual identity, the method comprising:
receiving, from the device, a request to register an unregistered device (McDowell: fig. 4; ¶0048 at step 80, the user sends an add device request from registered device 10a; ¶0023 register with a verification system one or more devices), the request comprising:
a passcode guess (McDowell: fig. 4; ¶0050 at step 80 the user provides username and password information from unregistered device 10b); and 
a device identifier (McDowell: fig. 4; ¶0050 unregistered user device 10b provides device identifier information); 
determining that the passcode guess does not authorize registration of the unregistered device (McDowell: fig. 4 steps 92, 94, and 86; ¶0052 if the authorization code does not match, then unregistered device 10b is not registered and the login attempt is identified as an unauthorized attempt at step 86); 
storing an indication that subsequent requests associated with the device identifier should not register unregistered devices (McDowell: ¶0050 at step 82, verification system 14 compares the data provided by user device 10b to records stored by user-side database 18 and, assuming the user is in fact attempting to login from an unregistered device, will determine that the device identifier provided does not match stored records, …, this may be indicated by a flag stored on the user's account, or may be based on the presence of an authorization code).
McDowell does not explicitly discloses incrementing a number of incorrect passcode guesses received within a time interval and determining that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold.
However Armingaud discloses incrementing a number of incorrect passcode guesses received within a time interval (Armingaud: ¶0017 to check the number of rejected access attempts for that user during a predefined time interval N); and
determining that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold (Armingaud: ¶0017 if either the password does not match the expected one or the number of unsuccessful attempts to log is higher than the predetermined number, access is denied to the user and a new time stamp of the ungranted access is stored).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Armingaud with the system and method of McDowell to include incrementing a number of incorrect passcode guesses received within a time interval.  One would have been motivated to providing a method for controlling access to a computer resource consists in performing a user authentication procedure upon receiving a request from a user to access the computer resource (Armingaud: ¶0017).

Regarding claim 10: McDowell in view of Armingaud discloses the method of claim 9.
McDowell further discloses sending the indication that subsequent requests associated with the device identifier should not register unregistered devices to a pairing repository (McDowell: fig. 4 steps 92, 94, 86; ¶0052 if the authorization code does not match, then unregistered device 10b is not registered and the login attempt is identified as an unauthorized attempt at step 86). 
Regarding claim 11: McDowell in view of Armingaud discloses the method of claim 9.
McDowell further discloses receiving a request to register a second unregistered device (McDowell: fig. 4; ¶0023 register with a verification system one or more devices), the request comprising:
a second passcode guess (McDowell: ¶0035 the user may be allowed multiple chances (defined by the verification system or selected by the user) to correctly provide username/password information); and 
the device identifier (McDowell: fig. 4; ¶0050 unregistered user device 10b provides device identifier information); 
denying the request to register the second unregistered device based on the stored indication (McDowell: fig. 4 steps 82, 84, and 86; ¶0050 at step 82, verification system 14 compares the data provided by user device 10b to records stored by user-side database 18, …, then at step 86 the login attempt is regarded as an unauthorized login attempt from an unregistered device and notifications are provided). 
Regarding claim 13: McDowell in view of Armingaud discloses the method of claim 9.
McDowell further discloses wherein the unregistered device comprises a smart phone (McDowell: ¶0025 user device 10b is represented as a cell phone). 
Regarding claim 16: McDowell discloses an identity repository comprising: 
one or more interfaces that receive requests from user devices (McDowell: fig. 1; ¶0031 the interface provided by verification system 14 is displayed on user device 10a (or 10b) and includes data fields or modules that allow a user to enter information at step 32); 
one or more processors (McDowell: ¶0025 device type (e.g., computer, cell phone, cell phone brand, etc.)); and 
one or more memories communicatively coupled to the one or more processors (McDowell: ¶0025 device type (e.g., computer, cell phone, cell phone brand, etc.)), having instructions stored thereon, which, when executed by the one or more processors, cause the one or more processors to: 
receive a request from the device through the one or more interfaces (McDowell: fig. 3 step 50; ¶0034 at step 50, the user navigates to the account login interface 24), the request comprising: 
a passcode guess (McDowell: fig. 3 step 52; ¶0034 at step 52 the user provides username and password information); and 
a device identifier (McDowell: fig. 3 step 52; ¶0034 submission of username and password information includes automatic collection of device identifier information); 
determine that the passcode guess is incorrect (McDowell: fig. 3 steps 56,58, and 60; ¶0035 if the information provided by the user does not match the stored username/password and device information data, then at step 60 verification system 14 determines that the login attempt was unauthorized); 
generate an indication in the one or more memories that subsequent requests associated with the device identifier should not be granted (McDowell: ¶0050 at step 82, verification system 14 compares the data provided by user device 10b to records stored by user-side database 18 and, assuming the user is in fact attempting to login from an unregistered device, will determine that the device identifier provided does not match stored records, …, this may be indicated by a flag stored on the user's account, or may be based on the presence of an authorization code).
McDowell does not explicitly discloses increment a number of incorrect passcode guesses received within a time interval and determine that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold.
However Armingaud discloses increment a number of incorrect passcode guesses received within a time interval (Armingaud: ¶0017 to check the number of rejected access attempts for that user during a predefined time interval N); and
determine that the number of incorrect passcode guesses received within the time interval is greater than or equal to a threshold (Armingaud: ¶0017 if either the password does not match the expected one or the number of unsuccessful attempts to log is higher than the predetermined number, access is denied to the user and a new time stamp of the ungranted access is stored).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Armingaud with the system and method of McDowell to include incrementing a number of incorrect passcode guesses received within a time interval.  One would have been motivated to providing a method for controlling access to a computer resource consists in performing a user authentication procedure upon receiving a request from a user to access the computer resource (Armingaud: ¶0017).

Regarding claim 17: McDowell in view of Armingaud discloses the identity repository of claim 16.
McDowell further discloses wherein the one or more memories further store encrypted personal information associated with a virtual identity, wherein the device identifier is associated with the virtual identity (McDowell: ¶0069 the combination of information provided by the user (e.g., entity/device data) and information specific to the merchant (e.g., price info) is combined and encrypted before being transmitted to verification system 104).

Regarding claim 18: McDowell in view of Armingaud discloses the identity repository of claim 16.
McDowell further discloses wherein the request from the device comprises a request to use a virtual identity (McDowell: fig. 3 step 50; ¶0034 at step 50, the user navigates to the account login interface 24). 
Regarding claim 19: McDowell in view of Armingaud discloses the identity repository of claim 16.
McDowell further discloses wherein the request from the device comprises a request to pair an unregistered device with a virtual identity (McDowell: ¶0061 the user is attempting to access the media content from an unregistered device).


Claims 3 and 5-8 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over McDowell et al. (“McDowell,” US 2009/0260064) in view of Armingaud (US 2002/0108046) and Obereiner et al. (“Obereiner,” US 2009/0249014).

Regarding claim 3: McDowell in view of Armingaud discloses the method of claim 1.
McDowell in view of Armingaud does not explicitly disclose wherein the passcode guess is based on a PIN.
However Obereiner discloses wherein the passcode guess is based on a PIN (Obereiner: ¶0026 the authentication data can comprise, for example, a password, pass phrase, personal identification number (PIN)).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Obereiner with the system and method of McDowell and Armingaud to include the passcode guess is based on a PIN.  One would have been motivated to providing an access management component that can be employed to facilitate controlling access to one or more memory regions and can facilitate controlling the setting of an authentication credential of a respective user (Obereiner: ¶0007).

Regarding claim 5: McDowell in view of Armingaud discloses the method of claim 1.
McDowell in view of Armingaud does not explicitly disclose sending, to one or more user devices associated with the virtual identity, an indication that the device cannot authorize the use of the virtual identity.
However Obereiner discloses sending, to one or more user devices associated with the virtual identity, an indication that the device cannot authorize the use of the virtual identity (Obereiner: ¶0086 the access management component can facilitate providing an indication and/or prompt to the user indicating that the attempt to set the authentication credential failed).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Obereiner with the system and method of McDowell and Armingaud to include sending an indication that the device cannot authorize the use of the virtual identity.  One would have been motivated to facilitate securing the memory region, the access management component can control access to the memory region by only granting access rights to the memory region if the particular access credential is presented (Obereiner: ¶0037).

Regarding claim 6: McDowell in view of Armingaud and Obereiner discloses the method of claim 5.
McDowell further discloses wherein the indication that the device cannot authorize the use of the virtual identity comprises a push notification to a smart phone (McDowell: fig. 3 step 64; ¶0035 at step 62 verification system 14 sends notification to the user device denying access to the account management interface). 
Regarding claim 7: McDowell in view of Armingaud discloses the method of claim 1.
McDowell in view of Armingaud does not explicitly disclose wherein the number of incorrect passcode guesses is reset when a valid passcode guess is received.
However Obereiner discloses wherein the number of incorrect passcode guesses is reset when a valid passcode guess is received (Obereiner: fig. 8 steps 810 and 820; ¶0096 at 810, it is determined that each of the respective sets of received authentication information match the authentication information associated with the memory region, at 820, the count can be reset).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Obereiner with the system and method of McDowell and Armingaud to include the number of incorrect passcode guesses is reset when a valid passcode guess is received.  One would have been motivated to providing an access control component that can facilitate controlling the setting of an authentication credential of a respective user (Obereiner: ¶0007).
Regarding claim 8: McDowell in view of Armingaud discloses the method of claim 1.
McDowell further discloses receiving, from an authorized user device: a second passcode guess (McDowell: ¶0035 the user may be allowed multiple chances (defined by the verification system or selected by the user) to correctly provide username/password information); and
determining that the subsequent requests associated with the device identifier can authorize the use of the virtual identity (McDowell: fig. 3 steps 54-66; ¶0037 At step 66, if the username/password combo and device identifier information is correct, indicating that a valid user is attempting to access his/her account from a registered device, then verification system 14 provides the user with access to account management interface 26).
McDowell in view of Armingaud does not explicitly disclose an indication that the device should be reauthorized and determining that the second passcode guess authorizes the use of the virtual identity.
However Obereiner discloses an indication that the device should be reauthorized (Obereiner: fig. 8 steps 804-814; ¶0094 methodology 800 can return to reference numeral 804, where a first set of authentication information can be received, and methodology 800 can proceed from that point); and
determining that the second passcode guess authorizes the use of the virtual identity (Obereiner: fig. 8; ¶0097 at 822, access can be enabled).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Obereiner with the system and method of McDowell and Armingaud to include an indication that the device should be reauthorized.  One would have been motivated to facilitate securing the memory region, the access management component can control access to the memory region by only granting access rights to the memory region if the particular access credential is presented (Obereiner: ¶0037).

Claims 4, 12, and 14 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over McDowell et al. (“McDowell,” US 2009/0260064) in view of Armingaud (US 2002/0108046) and Schneider (US 2009/0300364).

Regarding claim 4: McDowell in view of Armingaud discloses the method of claim 1.
McDowell in view of Armingaud does not explicitly disclose wherein the passcode guess comprises a hash of a salted password.
However Schneider discloses wherein the passcode guess comprises a hash of a salted password (Schneider: fig. 1; ¶0017 Client 202 then takes the salt value and the password, and calculates the hashed password value).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Schneider with the system and method of McDowell and Armingaud to include the passcode guess comprises a hash of a salted password.  One would have been motivated to make it harder for an attacker to perform a class of brute force attacks (Schneider: ¶0002).

Regarding claim 12: McDowell in view of Armingaud discloses the method of claim 9.
McDowell in view of Armingaud does not explicitly disclose wherein the passcode guess comprises a digital signature derived from a user-provided passcode.
However Schneider discloses wherein the passcode guess comprises a digital signature derived from a user-provided passcode (Schneider: fig. 1; ¶0025 the response can include among others the username, the message authentication code, the random string, the timestamp, and the signature value).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Schneider with the system and method of McDowell and Armingaud to include the passcode guess comprises a digital signature derived from a user-provided passcode.  One would have been motivated to make it harder for an attacker to perform a class of brute force attacks (Schneider: ¶0002).

Regarding claim 14: McDowell in view of Armingaud discloses the method of claim 9.
McDowell further discloses wherein the request to register the unregistered device further comprises [authorization code] (McDowell: fig. 4; ¶0050-0052 at step 92 the user provides username and password information from unregistered device 10b).
McDowell in view of Armingaud does not explicitly disclose comprises an encrypted salt value.
However, Schneider discloses wherein the request to register the unregistered device further comprises an encrypted salt value (Schneider: fig. 1; ¶0014 an encrypted password 110 can be hashed by concatenating the calculated salt value 106 and a password 108).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Schneider with the system and method of McDowell and Armingaud to include an encrypted salt value. One would have been motivated to make it harder for an attacker to perform a class of brute force attacks (Schneider: ¶0002).

Claims 15 and 20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over McDowell et al. (“McDowell,” US 2009/0260064) in view of Armingaud (US 2002/0108046) and Zerr et al. (“Zerr,” US 2012/0324076).

Regarding claim 15: McDowell in view of Armingaud discloses the method of claim 9.
McDowell further discloses wherein the request to register the unregistered device further comprises [authorization code] (McDowell: fig. 4; ¶0050-0052 at step 92 the user provides username and password information from unregistered device 10b).
McDowell in view of Armingaud discloses devices maybe paired with select entity information but does not explicitly disclose a pairing code.
However Zerr discloses a pairing code (Zerr: ¶0005 the user enters a request for a pairing code via the interactive system or equipment).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Zerr with the system and method of McDowell and Armingaud to include a pairing code.  One would have been motivated to provide methods and systems for pairing a mobile device to an output device and enabling control of an output device by a mobile device (Zerr: ¶0002).
Regarding claim 20: McDowell in view of Armingaud discloses the identity repository of claim 16.
McDowell in view of Armingaud does not explicitly disclose wherein the instructions, when executed by the one or more processors, further cause the one or more processors to: send the indication to a pairing repository that is physically separate from the identity repository.
However Zerr discloses wherein the instructions, when executed by the one or more processors, further cause the one or more processors to: send the indication to a pairing repository that is physically separate from the identity repository (Zerr: fig. 2 item 100 system).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate teaching of Zerr with the system and method of McDowell and Armingaud to include send the indication to a pairing repository that is physically separate from the identity repository.  One would have been motivated to provide methods and systems for pairing a mobile device to an output device and enabling control of an output device by a mobile device (Zerr: ¶0002).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439 


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439