DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments
This action is responsive to the amendments filed on 09/27/2022. Claims 1, 8 and 14 are independent. Claims 1, 8 and 14 are amended. Claims 7 and 20 are cancelled. Claims 1-6 and 8-19 are pending, being considered and rejected.

Response to Arguments/Remarks
	Applicant’s arguments/remarks filed on 09/27/2022 have been fully considered and are rendered moot in view of new grounds of rejections outlined below. The arguments do not apply to the current arts being used. 

Claim Rejections - 35 U.S.C. 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1- 5, 8-12, 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht; Asaf (US 2020/0057848 A1), hereinafter (Hecht), in view of Sheets; John F. et al. (US 2010/0180327 A1), hereinafter (Sheets), and further in view of Norton; Stephen P. (US 6,572,015 B1), hereinafter (Norton), and Liu et al. (US 9,798,822 B2), hereinafter (Liu).

Regarding claim 1, Hecht teaches a system for providing electronically authorized access to resources, the system comprising (Hecht, Para. [0006], discloses systems, methods and non-transitory computer readable media […] to obtain access to one or more access-controlled network resources): a memory device with computer-readable program code stored thereon (Hecht, Fig. 1 and Para. [0051], discloses one or more memory devices of vault 108 that store information and are accessed and/or managed through security server 104 (hereinafter a processing device), or see also Para. [0033], discloses a tangible computer-readable media that store software instructions); a communication device (Hecht, Fig. 1 and Para. [0050], discloses that the security server 104 may interact with access-restricted network resources through, or by reference to, directory service 106 (hereinafter a communication device) that enforces security policies of network environment 102); and a processing device operatively coupled to the memory device and the communication device (Hecht, Fig. 1 and Para. [0050-0051], depicts and discloses security server 104 which is communicatively/operatively coupled to the one or more memory devices of vault 108 and the directory service 106), wherein the processing device is configured to execute the computer-readable program code to (Hecht, Para. [0051], discloses that the security server 104 may access and/or mange the information stored on one or more memory devices of vault 108, or see also Para. [0050], discloses that the security server may include one or more processors configured to, and as disclosed on Para. [0033], execute software instructions stored on the tangible computer-readable media to perform operations): 
detect an authorization request to access a resource (Hecht, Para. [0056], discloses that the step 302 (i.e., hash generation) may be performed upon demand (e.g., upon detection of a request for access to an access-restricted resource 110-118));
retrieve, from a historical database, historical data associated with the authorization code (Hecht, Para. [0020 or 0023], discloses a secure credential repository (hereinafter, a vault 108, as depicted in Fig. 1) that securely maintains the data (i.e., historical data) associated with the plurality of authentication credentials, and as disclosed in Fig. 1 and Para. [0051], wherein the vault 108 may include computing components (e.g., database management system, database server, etc.) configured to receive and process requests for data (i.e., historical data) stored in memory devices of vault 108 and to provide data (i.e., historical data) from vault 108), 
wherein the historical data comprises Hecht, Fig. 1 and Para. [0051], discloses a vault 108 that may be one or more databases storing credential information (i.e., historical data associated with the authorization code) for one or more access-restricted network resources in network environment 102 (e.g., servers 110, databases 112, workstation 114, user device 116, and user accounts 118, as disclosed in Fig. 1 and Para. [0050]). The one or more databases may include, for example, network resources accessed by an identity, an identity's attempt to access a network resource, and the like, and/or see also Para. [0029], discloses to securely maintain data (i.e., historical data) associated with a plurality of authentication credentials, the plurality of authentication credentials being useable by a plurality of identities to obtain access to one or more access-controlled network resources, and/or see also Para. [0017], discloses to monitor activity of an identity associated with the new authentication credential data);
Hecht, Fig. 3 and Para. [0060], discloses to form a new password 316 (hereinafter new authorization code)); and 
overwrite the authorization code with the new authorization code (Hecht, Para. [0062], discloses that the security server 104 may receive an indication to rotate a password according to the network environment 102's security policy. The security policy may require a periodic update of passwords, an event-based update (e.g., based on a potential security threat, a request for access to an access-restricted resource, etc.), or another type of update).  
Hecht teaches to create/form a new password, as disclosed above, however fails to explicitly disclose but Sheets teaches receive an authorization code from an authorization device associated with the authorization request (Sheets, Para. [0008], discloses that an access device receives from a consumer device an authentication code […]. The access device then sends the authentication request message to a service provider containing at least the authentication code (and/or see also Para. [0057])); 
input the authorization code, the historical data, one or more salt values, and a nonce value into a hash algorithm to generate a hash output (Sheets, Para. [0062], wherein the service provider needs to receive the authentication code and enough additional information and/or a different set of data so that the service provider (e.g., the issuer 28) can recreate the authentication code by utilizing the process, such as described in Para. [0083-0089 OR 0095-0100], wherein the set of data (such as, username, password/auth-code, transaction amount, terminal ID and a nonce) could be used as an input(s) to a SHA-256 hash function to generate a hash output of the inputted data. This hash output can then be truncated to create an authentication code. (herein, ‘username and terminal id’ represents one or more salt values and transaction amount (i.e., transactional information that is stored for later use (see Para. [0054 and 0110]) represents historical data)), wherein the one or more salt values comprises a user identifier and a device identifier associated with the authorization device (Sheets, Para. [0062 and/or 0064], discloses that the access device sends the username and authentication code from the consumer device along with a dynamic data element (nonce), transaction amount, and a terminal ID to the service provider, and/or as disclosed in Para. [0090], wherein a username and a portable consumer device ID can be sent from the portable consumer device (herein, username and terminal id/ portable consumer device ID represents one or more salt values)); 
perform one or more operations on the hash output to generate a new authorization code (Sheets, Para. [0060], discloses that in addition to applying a function such as a hashing function to scramble the data, other operations can also be taken on the output of the (hash) function to create the (i.e., new) authentication code, and/or see also Para. [0064 and 0066], discloses that the authentication code was re-created by the server computer by truncating the output of a hash of selected input data (such as, username, password, transaction amount, terminal ID, and dynamic data (a nonce)), and/or see also Para. [0089], discloses that the hash output can then be truncated to create an authentication code. For example, the authentication code might be the first sixteen characters of the hash); and 
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Sheets’ into the teachings of ‘Hecht’, with a motivation to input the authorization code, the historical data, one or more salt values, and a nonce value into a hash algorithm to generate a hash output, and perform one or more operations on the hash output to generate a new authorization code, as taught by Sheets, in order to reduce the ability of any participant (or an attacker) in the transaction to fake an authentication code; Sheets, Para. [0059].
Hecht as modified by Sheets fails to explicitly disclose but Norton teaches wherein the authorization device is an access card for unlocking an access control mechanism in one or more restricted areas within a facility (Norton, Col. 3 (Lines 60-65), discloses a system for enabling the operation of an automobile (e.g. facility) by using a proximity smart card for transmitting an authorization code to the automobile and preventing the automobile from being operated unless it receives the proper authorization code from the proximity Smart card, e.g., and as disclosed in Col. 12 (Lines 11-40), when the user of the vehicle 62 provides the proper authorization code by way of a smart card 10, the controller 71 enables the user to activate any one of the appropriate devices associated with the vehicle 62. Accordingly, in one embodiment, when the user provides the controller 71 with an authorization code by way of a contactless smart card 10, a contact smart card 52, a combination smart card 60 or an optical smart card 70 to the smart card reader 42 of the vehicle, the processor 72 looks up the authorization code in the storage 76 and provides control access to the user only if a match is found […]. Once the processor 72 grants authorization, control of one or more devices associated with the vehicle is provided through the interface 78. Those skilled in the art will appreciate that the interface may or may not be required based upon the control inputs available in each device. One example of the types of devices that can be controlled is any one, all or combination of a starter 80, a lock 82, a steering mechanism 84, a radio 86, a brake 88 system including an anti-lock brake system, a fuel injection mechanism 90, an engine speed controller 92, a transmission 94, a clutch 96, air pressure 98 and a keyless entry security system 100. However, the invention is not intended to be limited to such devices as other devices capable of being controlled by the controller 71 can be adapted to operate when the proper authorization code is provided to the vehicle 62 by way of a smart card);
wherein overwriting the authorization code comprises: erasing the authorization code from a memory of the access card; and storing the new authorization code within the memory of the access card (Norton, Col. 4 (Lines 22-26), discloses that the authorization code can be modified after a predetermined number of uses (or after each use) and the modified code is stored in the smart card, and/or see also Col. 11 (Lines 23-27), wherein the authorization code stored in the vehicle 62 and in the smart card 10 can be modified after a predetermined number uses (or after each use). Once modified, the new authorization code is stored in the vehicle storage 76 as well as the smart card memory 22).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Norton’ into the teachings of ‘Hecht’ as modified by ‘Sheets’, with a motivation to overwrite the authorization code with the new authorization code within the memory of the access card, as taught by Norton, in order to enhance the overall security aspect of the authorization system; Norton, Col. 11 (Lines 28-30).
Hecht teaches to securely maintain data (i.e., historical data) associated with a plurality of authentication credentials, wherein the plurality of authentication credentials being useable by a plurality of identities to obtain access to one or more access-controlled network resources, as disclosed above, however Hecht as modified by Sheets in view of Norton fails to explicitly disclose but Liu teaches wherein the historical data comprises authorization device location data, resource location data associated with the resource, and one or more timestamps associated with use of the authorization code to access the resource (Liu, Fig. 6 (Block 603) and Col. 9 (Lines 51-67), discloses to store URL of webpage (i.e., resource location data) as a record in a history of records for a browsing history, wherein each record in a browsing history may be a data structure including a URL accessed via a browser hosted by a device, a physical location indicating where the device was when the browser accessed the URL, and a timestamp indicating when the browser accessed the URL, or see also Fig. 1 and Col. 4 (Lines 1-36), wherein applications 107 may generate records for histories of records 113 (e.g. stored in a mass storage device, a memory, a flash memory, or other storage components etc.) over time. For example, applications 107 may include a web browser storing browsing histories based on web pages or URLs visited. Each record may be a data structure containing an application specific data (e.g. a URL), a timestamp and a location data. The location data may be GPS or geolocation-based information indicating where a corresponding record was collected. The timestamp may include date and/or time information indicating when the corresponding record was collected, such as when the location data was received for the corresponding record. For example, a browser running in a device may access a URL to generate a browsing record including the URL, the location data and the timestamp indicating where and when the browser in the device accessed the URL. For example, the timestamp may indicate when a request for the URL was sent from the device); 
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Liu’ into the teachings of ‘Hecht’ as modified by ‘Sheets’ in view of ‘Norton’, with a motivation wherein the historical data comprises authorization device location data, resource location data associated with the resource, and one or more timestamps, as taught by Liu, in order for a processing logic to retrieve a history of location based records from one or more locally or remotely coupled devices, for example, according to an identity determined from a request received. Wherein the identity may be associated with a user operating a device where the request originates from; Liu, Col. 10 (Lines 60-65).

Regarding claim 2, Hecht as modified by Sheets in view of Norton and Liu teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to update authorization data within an authorization database using the new authorization code (Hecht, Para. [0050], discloses that the security server 104 may be a system including one or more processors configured to interact with network environment 102 to update and manage credentials (such as passwords, keys, tokens, certificates, and other privilege data) for access-restricted resources (e.g., servers 110, databases 112, workstation 114, user device 116, and user accounts 118), and/or as disclosed in Para. [0062], for example, the security server 104 may receive an indication to rotate a password according to the network environment 102's security policy. The security policy may require a periodic update of passwords, an event-based update (e.g., based on a potential security threat, a request for access to an access-restricted resource, etc.), or another type of update).  

Regarding claim 3, Hecht as modified by Sheets in view of Norton and Liu teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (See Hecht, Para. [0050]): 
Hecht as modified by Sheets fails to disclose but Norton further teaches attempt to validate the authorization code using an authorization database; determine that the authorization code matches the data within the authorization database; and grant the authorization request to access the resource (Norton, Fig. 10 and Col. 13 (Lines 56-67) and Col. 14 (Lines 1-2), discloses to ,at block 132, locate and validate authorization code to operate the one or more devices associated with the vehicle within a predetermined proximity of the vehicle. At block 135, reading the authorization code. At block 134, determining whether the authorization code matches a stored authorization code. At block 136, when the authorization code matches the stored authorization code, the method includes providing access for controlling the one or more devices, authorized).  
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Norton’ into the teachings of ‘Hecht’ as modified by ‘Sheets’, with a motivation to determine that the authorization code matches the data within the authorization database, and grant the authorization request to access the resource, as taught by Norton, in order to enhance the overall security aspect of the authorization system and by further preventing the automobile from being operated unless it receives the proper authorization code from the proximity Smart card; Norton, Col. 3 (Lines 60-65) and Col. 11 (Lines 28-30).

Regarding claim 4, Hecht as modified by Sheets in view of Norton and Liu teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (Hecht, Para. [0050], discloses that the security server may include one or more processors configured to, and as disclosed on Para. [0033], execute software instructions stored on the tangible computer-readable media to): detect a second authorization request to access the resource (Hecht, Para. [0029] and/or claim 24, discloses to identifying an attempted privileged access session, and as further disclosed in Para. [0030] and/or claim 25, wherein the attempted privileged access session may include an attempt by an identity to access an access-restricted network resource); receive the new authorization code from the authorization device associated with the second authorization request (Hecht, Para. [0029] and/or claim 24, discloses that the attempted privileged access session including an attempted use of a second authentication credential, and as disclosed in Para. [0031] and/or claim 26, wherein the attempted use of the second authentication credential may include the identity providing the second authentication credential to be authenticated); attempt to validate the new authorization code using an authorization database; determine that the new authorization code matches the data within the authorization database (Hecht, Para. [0065], discloses that, at step 408, the security server 104 may validate the new password containing the secret data element. For example, if an account requests a password change on a domain controller (DC) (e.g., in response to an identity seeking access to an access-restricted network resource), the password may first be validated by a solution agent installed on the DC or on another target credential host, and as disclosed in Para. [0066], wherein the solution agent may query the vault 108 (i.e., database) for the secret data element "on-demand". The vault 108 may return the secret data element, which is in turn validated by the solution agent, and as further disclosed in Para. [0069], at step 410, the new password is validated (and/or matches the data received from vault 108)); and grant the authorization request to access the resource (Hecht, Para. [0049], discloses that a network resource may be, for example, any secure device, application, database, virtualized computing instance, or network that requires an identity to be authenticated before accessing the resource, such as disclosed in Para. [0031], wherein the second authentication credential, provided by the identity, to be authenticated/validated at step 408 of Fig. 4 and/or at step 510 of Fig. 5).  

Regarding claim 5, Hecht as modified by Sheets in view of Norton and Liu teaches the system according to claim 1, wherein Hecht further teaches the computer-readable program code further causes the processing device to (See Hecht, Para. [0050]): 
Hecht as modified by Sheets fails to disclose but Norton teaches attempt to validate the authorization code using an authorization database; determine that the authorization code does not match the data within the authorization database; and reject the authorization request to access the resource (Norton, Col. 12 (Lines 11-40), discloses when the user provides the controller 71 with an authorization code by way of a contactless smart card 10 to the smart card reader 42 of the vehicle (see Fig. 10), the processor 72 looks up the authorization code in the storage 76 and matches the received authorization code with the stored authorization code (see block 134 of Fig. 10) and provides control access to the user only if a match is found (see block 136 of Fig. 10), and as disclosed in Col. 3 (Lines 60-65), prevents the automobile (vehicle devices) from being operated unless it receives the proper authorization code from the Smart card).  
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Norton’ into the teachings of ‘Hecht’ as modified by ‘Sheets’, with a motivation to determine that the authorization code does not match the data within the authorization database, and reject the authorization request to access the resource, as taught by Norton, in order to enhance the overall security aspect of the authorization system and by further preventing the automobile from being operated unless it receives the proper authorization code from the proximity Smart card; Norton, Col. 3 (Lines 60-65) and Col. 11 (Lines 28-30).

Regarding claims 8-12, the claims are drawn to the computer program product corresponding to the system of using same as claimed in claims 1-5, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 1-5 is equally applicable to the claims 8-12 of the computer program product, respectively.

Regarding claims 14-18, the claims are drawn to the computer implemented-method corresponding to the system of using same as claimed in claims 1-5, respectively. Therefore, the rejection(s) set forth above with respect to the system claims 1-5 is equally applicable to the claims 14-18 of the computer implemented-method, respectively.

Claims 6, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hecht as modified by Sheets in view of Norton and Liu, as applied above, and further in view of DOLAN; Gerald et al. (US 2011/0185403 A1).

Regarding claim 6, Hecht as modified by Sheets in view of Liu and Dolan teaches the system according to claim 5, wherein Hecht further teaches the computer-readable program code further causes the processing device to transmit an alert to one or more users, wherein the alert indicates that the authorization device has been compromised (Hecht, Para. [0069], discloses that the system 100/200 (e.g., through security server 104) may generate an alert to send to one or more system administrators or a security team indicating that an unauthorized attempt to modify a password was made by a potential attacker, and as disclosed in Para. [0052], by compromising an identity 118 (i.e., machine, device, etc.) in network environment 102).  

Regarding claim 13, the claim is drawn to the computer program product corresponding to the system of using same as claimed in claim 6. Therefore, the rejection(s) set forth above with respect to the system claim 6 is equally applicable to the claim 13 of the computer program product.

Regarding claim 19, the claim is drawn to the computer implemented-method corresponding to the system of using same as claimed in claim 6. Therefore, the rejection(s) set forth above with respect to the system claim 6 is equally applicable to the claim 19 of the computer implemented-method.

 	Regarding claims 7 and 20, (cancelled).


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose telephone number is 571-272-1239. The examiner can normally be reached on 8AM-4PM (EST) Monday-Friday. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 571-272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALI CHEEMA/
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496