DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
The present action is responsive to the communications that were filed on 11/03/2025. Claims 1, 3-8, 10-15, and 17 have been amended. Claim 18 has been newly added. Claims 1-18 are currently pending.
Applicant’s arguments, filed 10/28/2025, with respect to the rejections of claims 1, 3, 6-12, and 17 under Kottahachchi et al. (US PGPub No. 20170359327-A1) in view of Mahaffey et al. (US PGPub No. 20140189808-A1), Shah et al. (US PG Pub No. 20190384917-A1), and Bolotin et al. (US PGPub No. 20180357406-A1), specifically with the amended limitations, have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Rockwell et al. (US PGPub No. 20130276078-A1), Li et al. (US PGPub No. US-20160352723-A1), Yang et al. (US PGPub No. 20160212119-A1), Belov et al. (US PGPub No. 20200382495-A1), and Li et al. (US PGPub No. 20210099295-A1).
The office action has been updated reflecting the claims as currently presented.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 2, 6-11, 14, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Rockwell et al. (US PGPub No. 20130276078-A1) in view of Li et al. (US PGPub No. US-20160352723-A1) and Yang et al. (US PGPub No. 20160212119-A1).
With respect to claim 1, Rockwell teaches a communication device comprising a controller, wherein the controller is configured to: (¶0019: Figure 1 illustrates a system 100 for online commerce according to one embodiment. A user 102 (generally a consumer or consumer user of FSP services) may communicate via a computing device 104 (e.g., a computer, cell phone, computing tablet, or other consumer electronic device) with financial service provider (FSP) 120 via communication networks 106, )
accept a predetermined instruction for changing a password [of the communication device] from a user; (¶0037-0038: Figure 4 further illustrates a method 400 for providing authentication for resetting passwords. At step 401, an operator of a customized API for resetting passwords (e.g., FSP 120, merchant website 108, or login host website 130) (accepting predetermined instruction for changing a password from user) may receive an existing username or email address and phone number from, for example, a merchant on behalf of a consumer user 102 via the network 106 in response to a password reset prompt displayed to the user 102.);
in a case where the predetermined instruction is accepted, send a change instruction including identification information for [identifying the communication device] to a server, wherein the server generates an authentication code, (¶0034: As seen in Figure 3, at step 302, in the background and in response to receiving the phone number, FSP 120 may match the phone number to an FSP account (e.g., using database 126 and accounts information 128). On finding a match, FSP 120 may generate a one-time password, set a pre-defined expiration period for the one-time password, and send the one-time password to the phone number (e.g., to the mobile device having that phone number such as mobile device 105).) after receiving the change instruction from the communication device, (¶0037-0038: For example, operator FSP 120 may provide a web flow for helping consumer users (e.g., user 102) reset passwords based on mobile phone numbers in their profile (e.g., accounts information 128). At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) (generated authentication code) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device.);
the change instruction instructing the server to determine whether the identification information and a target user information corresponding to a terminal device operated by the user are associated with each other in the memory, (¶0037: For example, operator FSP 120 may provide a web flow for helping consumer users (e.g., user 102) reset passwords based on mobile phone numbers (target user information corresponding to a terminal device) in their profile (e.g., accounts information 128) (identification information). The consumer 102 may enter the consumer's existing username (e.g. email address is commonly used) and a phone number in a dialog box or separate frame of the webpage.);
wherein the target user information is stored in the memory in advance and the identification information and the target user information are associated with each other after receiving a registration request from the communication device, (¶0022: Figure 2 illustrates method 200 for providing authentication services. In one embodiment a financial service provider may create (or otherwise provide) a series of API's for registration, login, or password reset (not all APIs may be needed by all customers, e.g., merchant websites or service providers). At step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number (target user information). The merchant may integrate the API into the merchant's website as an alternative to a traditional merchant-hosted registration flow.);
which is associated with the identification information included in the change instruction; after the authentication code has been sent from the server to the terminal device, accept input of the authentication code to the communication device; (¶0038: The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.);
in a case where the input of the authentication code is accepted, send the authentication code and the identification information to the server; (¶0038: At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device.);
in a case where the authentication code and the identification information are sent to the server and the authentication code and the identification information are stored in the memory which associates the authentication code with the identification information, receive a change permission notification from the server; and in a case where the change permission notification is received from the server, change the password of the communication device. (¶0039: At step 404, once the consumer user 102 is authenticated, the FSP 120 may (by executing the password reset API) either allow the user to establish a new password on the merchant website or send a new password (for use with the username) in a text message (e.g., via SMS) to the consumer user 102, and notify the customer (e.g., merchant website 108) of the new password.);
Rockwell does not disclose:
changing a password of the communication device
identification information for identifying the communication device
However, Li teaches changing a password of the communication device (¶0071: Alternatively, the accessed device may periodically change the access password, or change the access password of the accessed device after receiving an instruction of changing access sent by the login terminal corresponding to the accessed device (¶0043 discloses that the accessed device 120 may be a smart device with Wi-Fi, and the smart device may be a camera, router, a smart TV, and the like, which is akin to a communication device) (changing a password of the communication device));
identification information for identifying the communication device (¶0073: The device identification herein which uniquely identifies the accessed device may be generated when the accessed device is generated. In a practical application, the device identification may be a string which may be composed of at least one of numbers, letters, or other types of characters.);
Although Rockwell does teach the concept of changing a password, Rockwell does not specifically teach changing the password for a communication device. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the teachings of Li regarding changing a password of the communication device into the method of Rockwell because the modification merely substitutes one known protected entity (user’s account) with another known protected entity (communication device) while using the same conventional update mechanism.
Rockwell in view of Li does not disclose:
stores the authentication code and the identification information in a memory of the server which associates the authentication code with the identification information after generating the authentication code by the server,
However, Yang teaches stores the authentication code and the identification information in a memory of the server which associates the authentication code with the identification information after generating the authentication code by the server, (¶0101-0103: As illustrated in Figure 5, in step S203, the register/change unit 211 of the authentication server apparatus 20 has the encryption unit 213 encrypt the respective strings of the group IDs generated in step S202, and thereby generates the authentication codes. Then, the register/change unit 211 stores the generated authentication codes in the authentication information table 24D, where the authentication codes are associated with the user ID included in the password register request or the password change request and the pattern IDs.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Yang regarding storing authentication codes in the method of Rockwell in view of Li in order to prevent illegal acquisition of a user’s password by a third party caused by password prying (e.g., snooping, illicit observing, etc.) (Yang: ¶0006).
With respect to claim 2, the combination of Rockwell in view of Li and Yang teaches the device of claim 1 (see rejection of claim 1 above) wherein the controller is further configured to: in the case where the change permission notification is received from the server, cause a display unit to display an input screen for input of a new password, and in a case where the new password is inputted in the input screen, the controller is configured to change the password of the communication device from its old password to the new password. (Rockwell ¶0025: Once the consumer is authenticated, the password reset API would send a new password via SMS to the consumer, and notify the merchant of the new password. The merchant can present a "change your password" flow of its own choosing at this point.)
With respect to claim 6, the combination of Rockwell in view of Li and Yang teaches the device of claim 1 (see rejection of claim 1 above), further comprising an output unit, wherein the controller is further configured to: in the case where the predetermined instruction is accepted, cause the output unit to output notification information to prompt the user to log in to the server, (Rockwell ¶0028-0030: As seen in Figure 3, at step 301, a service provider (e.g., FSP 120 or login host website 130) may receive a phone number from a user 102 via the network 106 in response to a login prompt displayed to the user 102. For example, the user 102 may go to the merchant website 108 from any device (e.g., computing device 104 or mobile device (phone) 105) and clicks "Sign in" (e.g., the displayed login prompt). In a first login option example, FSP 120 may host the login. The FSP 120 may provide computer code (e.g., an API 125) to the merchant website 108, which the merchant website 108 may place on their website (similar to experience with OpenID or OAuth) for their customers to log in. Once the customer completes the login session, the FSP 120 may pass certain information (e.g., from accounts information 128) such as email address and user identification);
and in a case where the server is logged in by the terminal device after the notification information has been outputted, the authentication code is sent to the terminal device. (Rockwell ¶0033-0035: Regardless of login option chosen, user 102 may enter the mobile phone number of the user's mobile device (e.g., phone number for mobile device 105). For example, the user may enter the user's mobile device phone number in the field that asks for it and click "submit". At step 302, in the background and in response to receiving the phone number, FSP 120 may match the phone number to an FSP account (e.g., using database 126 and accounts information 128). On finding a match, FSP 120 may generate a one-time password, set a pre-defined expiration period for the one-time password, and send the one-time password to the phone number (e.g., to the mobile device having that phone number such as mobile device 105). At step 303, user 102 may enter the one-time password (by entering in the proper field in the dialog or web flow provided, for example, and clicking submit). In response to receiving the one-time password from the user 102 via the network 106 before the expiration period for the one-time password passes or runs out, the user 102 is now logged in (e.g., authenticated) and may start shopping, for example, on the merchant website 108.);
With respect to claim 7, the combination of Rockwell in view of Li and Yang teaches the device of claim 1 (see rejection of claim 1 above), further comprising an operation unit, wherein the controller is configured to accept the input of the authentication code by the operation unit being operated by the user. (Rockwell ¶0039: As seen in Figure 4, at step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device. The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage.).
With respect to claim 8, the combination of Rockwell in view of Li and Yang teaches the device of claim 1 (see rejection of claim 1 above), wherein the communication device has a web server function, and (Rockwell ¶0019-0020: As seen in Figure 1, merchant website 108 may sell goods online and may communicate with user 102, for example, by operating a server 110 (e.g., a computer processor) that presents a website for selling goods. The server 110 may respond to client devices (e.g., client 111 running on device 104) by communicating over network 106. FSP server 122 may execute various application programming interfaces (APIs) that may enable various different types of relationships between FSP 120 and the different parties shown in FIG. 1. In addition, FSP may provide various APIs 125 to its customers such as website 108 (e.g., API 112) and website 130 (e.g., API 112) that enable those websites to implement embodiments of authentication, authorization, and password reset services.);
the controller is configured to accept the input of the authentication code via the web server function of the communication device by a first external device different from the communication device being used by the user. (Rockwell ¶0019-0020: Figure 1 further shows a system 100 for online commerce according to one embodiment. A user 102 (generally a consumer or consumer user of FSP services) may communicate via a computing device 104 (e.g., a computer, cell phone, computing tablet, or other consumer electronic device) with financial service provider (FSP) 120 via communication networks 106, which may include the Internet as well as phone networks such as Public Switched Telephone Network (PSTN). User 102 may also communicate over communication networks 106 using a mobile device 105, e.g., a mobile phone of any kind, that can receive messages such as Short Message Service (SMS) messages.);
With respect to claim 9, the combination of Rockwell in view of Li and Yang teaches the device of claim 1 (see rejection of claim 1 above), wherein the controller is further configured to: send a registration request including the identification information and specifying information for specifying the target user information to the server, (Rockwell ¶0022-0023: As seen in Figure 2, at step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number. The merchant may integrate the API into the merchant's website as an alternative to a traditional merchant-hosted registration flow.);
wherein the registration request requests the server to store the identification information and the target user information specified by the specifying information in association with each other. (Rockwell ¶0020-0021: As further seen in Figure 1, website 130 may be a website that provides authorization services that enable a user (e.g., user 102) to login to other websites and services while only having to maintain one user account 134 at the authorization services website 130. For example, such an arrangement may be provided according to the OpenID and OAuth standards. Website 130 may communicate with FSP 120 and user 102, for example, over communication network 106 via server 136. Website 130 may offer authentication and authorization services through use and customization of an API 132 which may be provided by FSP 120.).
With respect to claim 10, Rockwell teaches a non-transitory computer-readable recording medium storing computer-readable instructions for a communication device, wherein the computer-readable instructions, when executed by a processor of the communication device, cause the communication device to: (¶0011: In a further embodiment, a computer program product comprises a non-transitory computer readable medium having computer readable and executable code for instructing a processor to perform a method. As further seen in ¶0019: Figure 1 illustrates a system 100 for online commerce according to one embodiment. A user 102 (generally a consumer or consumer user of FSP services) may communicate via a computing device 104 (e.g., a computer, cell phone, computing tablet, or other consumer electronic device) with financial service provider (FSP) 120 via communication networks 106);
accept a predetermined instruction for [changing a password of the communication device] from a user; (¶0037-0038: Figure 4 further illustrates a method 400 for providing authentication for resetting passwords. At step 401, an operator of a customized API for resetting passwords (e.g., FSP 120, merchant website 108, or login host website 130) (accepting predetermined instruction for changing a password from the user) may receive an existing username or email address and phone number from, for example, a merchant on behalf of a consumer user 102 via the network 106 in response to a password reset prompt displayed to the user 102.);
in a case where the predetermined instruction is accepted, send a change instruction including [identification information for identifying the communication device] to a server, wherein the server generates an authentication code, (¶0034: As seen in Figure 3, at step 302, in the background and in response to receiving the phone number, FSP 120 may match the phone number to an FSP account (e.g., using database 126 and accounts information 128). On finding a match, FSP 120 may generate a one-time password, set a pre-defined expiration period for the one-time password, and send the one-time password to the phone number (e.g., to the mobile device having that phone number such as mobile device 105).) after receiving the change instruction from the communication device, (¶0037-0038: For example, operator FSP 120 may provide a web flow for helping consumer users (e.g., user 102) reset passwords based on mobile phone numbers in their profile (e.g., accounts information 128). At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) (generated authentication code) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device.);
the change instruction instructing the server to determine whether the identification information and a target user information corresponding to a terminal device operated by the user are associated with each other in the memory, (¶0037: For example, operator FSP 120 may provide a web flow for helping consumer users (e.g., user 102) reset passwords based on mobile phone numbers (target user information corresponding to a terminal device) in their profile (e.g., accounts information 128) (identification information). The consumer 102 may enter the consumer's existing username (e.g. email address is commonly used) and a phone number in a dialog box or separate frame of the webpage.);
wherein the target user information is stored in the memory in advance and the identification information and the target user information are associated with each other after receiving a registration request from the communication device, (¶0022: Figure 2 illustrates method 200 for providing authentication services. In one embodiment a financial service provider may create (or otherwise provide) a series of API's for registration, login, or password reset (not all APIs may be needed by all customers, e.g., merchant websites or service providers). At step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number (target user information). The merchant may integrate the API into the merchant's website as an alternative to a traditional merchant-hosted registration flow.);
wherein in the case that the target user information is associated with the identification information in the memory, (¶0022: Figure 2 illustrates method 200 for providing authentication services. In one embodiment a financial service provider may create (or otherwise provide) a series of API's for registration, login, or password reset (not all APIs may be needed by all customers, e.g., merchant websites or service providers). At step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number (target user information). The merchant may integrate the API into the merchant's website as an alternative to a traditional merchant-hosted registration flow.) the authentication code, generated by the server, is sent from the server to the terminal device by using the target user information, stored by the server, which is associated with the identification information included in the change instruction; accept input of the authentication code to the communication device after the authentication code has been sent from the server to the terminal device; (¶0038: The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password (authentication code) back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.);
in a case where the input of the authentication code is accepted, send the authentication code and the identification information to the server; (¶0038: At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device.);
in a case where the authentication code and the identification information are sent to the server and the authentication code and the identification information are stored in the memory which associates the authentication code with the identification information, receive a change permission notification from the server; and in a case where the change permission notification is received from the server, change the password of the communication device. (¶0039: At step 404, once the consumer user 102 is authenticated, the FSP 120 may (by executing the password reset API) either allow the user to establish a new password on the merchant website or send a new password (for use with the username) in a text message (e.g., via SMS) to the consumer user 102, and notify the customer (e.g., merchant website 108) of the new password.);
Rockwell does not disclose:
changing a password of the communication device
identification information for identifying the communication device
However, Li teaches changing a password of the communication device (¶0071: Alternatively, the accessed device may periodically change the access password, or change the access password of the accessed device after receiving an instruction of changing access sent by the login terminal corresponding to the accessed device (¶0043 discloses that the accessed device 120 may be a smart device with Wi-Fi, and the smart device may be a camera, router, a smart TV, and the like, which is akin to a communication device) (changing a password of the communication device));
identification information for identifying the communication device (¶0073: The device identification herein which uniquely identifies the accessed device may be generated when the accessed device is generated. In a practical application, the device identification may be a string which may be composed of at least one of numbers, letters, or other types of characters.);
Although Rockwell does teach the concept of changing a password, Rockwell does not specifically teach changing the password for a communication device. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the teachings of Li regarding changing a password of the communication device into the method of Rockwell because the modification merely substitutes one known protected entity (user’s account) with another known protected entity (communication device) while using the same conventional update mechanism.
Rockwell in view of Li does not disclose:
stores the authentication code and the identification information in a memory of the server which associates the authentication code with the identification information after generating the authentication code by the server,
However, Yang teaches stores the authentication code and the identification information in a memory of the server which associates the authentication code with the identification information after generating the authentication code by the server, (¶0101-0103: As illustrated in Figure 5, in step S203, the register/change unit 211 of the authentication server apparatus 20 has the encryption unit 213 encrypt the respective strings of the group IDs generated in step S202, and thereby generates the authentication codes. Then, the register/change unit 211 stores the generated authentication codes in the authentication information table 24D, where the authentication codes are associated with the user ID included in the password register request or the password change request and the pattern IDs.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Yang regarding storing authentication codes in the method of Rockwell in view of Li in order to prevent illegal acquisition of a user’s password by a third party caused by password prying (e.g., snooping, illicit observing, etc.) (Yang: ¶0006).
With respect to claim 11, Rockwell teaches a non-transitory computer-readable recording medium storing computer-readable instructions for a server, (¶0011: In a further embodiment, a computer program product comprises a non-transitory computer readable medium having computer readable and executable code for instructing a processor to perform a method. As further seen in ¶0019: Figure 1 illustrates a system 100 for online commerce according to one embodiment. User 102 may also communicate via network 106 with a website 108 that may be a merchant website that is a seller of retail goods, for example. Merchant website 108 may sell goods online and may communicate with user 102, for example, by operating a server 110 (e.g., a computer processor) that presents a website for selling goods.);
the server comprising: a memory configured to store identification information for [identifying a communication device], and a target user information corresponding to a terminal device operated by a user, (¶0021: Website 130 may be a website that provides authorization services that enable a user (e.g., user 102) to login to other websites and services while only having to maintain one user account 134 at the authorization services website 130.);
wherein identification information and the target user information are stored in association with each other; and a processor, (¶0038: The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.);
wherein the computer-readable instructions, when executed by the processor, cause the server to: receive a change instruction including the identification information from the communication device; generate an authentication code after receiving the change instruction from the communication device, (¶0037-0038: For example, operator FSP 120 may provide a web flow for helping consumer users (e.g., user 102) reset passwords based on mobile phone numbers (target user information corresponding to a terminal device) in their profile (e.g., accounts information 128) (identification information). The consumer 102 may enter the consumer's existing username (e.g. email address is commonly used) and a phone number in a dialog box or separate frame of the webpage. Figure 4 illustrates a method 400 for providing authentication for resetting passwords. At step 401, an operator of a customized API for resetting passwords (e.g., FSP 120, merchant website 108, or login host website 130) may receive an existing username or email address and phone number from, for example, a merchant on behalf of a consumer user 102 via the network 106 in response to a password reset prompt displayed to the user 102. At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device. );
wherein the memory stores the target user information corresponding to the terminal device operated by the user in advance and stores the identification information and the target user information corresponding to the terminal device operated by the user in the memory which associates the identification information and the target user information with each other in advance after receiving a registration request from the communication device; (¶0022: Figure 2 illustrates method 200 for providing authentication services. In one embodiment a financial service provider may create (or otherwise provide) a series of API's for registration, login, or password reset (not all APIs may be needed by all customers, e.g., merchant websites or service providers). At step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number (target user information). The merchant may integrate the API into the merchant's website as an alternative to a traditional merchant-hosted registration flow.);
determine whether the identification information and the target user information are associated with each other in the memory in response to the change instruction; in a case where the change instruction is received from the communication device and the target user information is associated with the identification information in the memory, send the authentication code, (¶0034: As seen in Figure 3, step 302, in the background and in response to receiving the phone number, FSP 120 may match the phone number to an FSP account (e.g., using database 126 and accounts information 128). On finding a match, FSP 120 may generate a one-time password, set a pre-defined expiration period for the one-time password, and send the one-time password to the phone number (e.g., to the mobile device having that phone number such as mobile device 105).) generated by the server, to the terminal device by using the target user information stored, by the server, which is associated with the identification information included in the change instruction, (¶0038: As further elaborated in Figure 4, the consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.);
wherein the authentication code is inputted to the communication device by the user of the terminal device after the authentication code has been sent to the terminal device; in a case where the authentication code is inputted to the communication device, receive the authentication code and the identification information from the communication device; (¶0038: At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device.);
and in a case where the authentication code and the identification information are received from the communication device and the authentication code and the identification information are stored in the memory which associates the authentication code with the identification information, send a change permission notification to the communication device, (¶0038: At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device. The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed. ) wherein the change permission notification is a notification to permit the communication device to [change a password of the communication device.] (¶0039: At step 404, once the consumer user 102 is authenticated, the FSP 120 may (by executing the password reset API) may either allow the user to establish a new password on the merchant website or send a new password (for use with the username) in a text message (e.g., via SMS) to the consumer user 102, and notify the customer (e.g., merchant website 108) of the new password.);
Rockwell does not disclose:
change a password of the communication device
identification information for identifying the communication device
However, Li teaches change a password of the communication device (¶0071: Alternatively, the accessed device may periodically change the access password, or change the access password of the accessed device after receiving an instruction of changing access sent by the login terminal corresponding to the accessed device (¶0043 discloses that the accessed device 120 may be a smart device with Wi-Fi, and the smart device may be a camera, router, a smart TV, and the like, which is akin to a communication device) (changing a password of the communication device));
identification information for identifying the communication device (¶0073: The device identification herein which uniquely identifies the accessed device may be generated when the accessed device is generated. In a practical application, the device identification may be a string which may be composed of at least one of numbers, letters, or other types of characters.);
Although Rockwell teaches the concept of changing a password, Rockwell does not specifically teach changing the password of a communication device. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the teachings of Li regarding changing a password of the communication device into the method of Rockwell because the modification merely substitutes one known protected entity (user’s account) with another known protected entity (communication device) while using the same conventional update mechanism.
Rockwell in view of Li does not disclose:
store the authentication code and the identification information in the memory which associates the authentication code with the identification information after generating the authentication code,
However, Yang teaches store the authentication code and the identification information in a memory of the server which associates the authentication code with the identification information after generating the authentication code by the server, (¶0101-0103: As illustrated in Figure 5, in step S203, the register/change unit 211 of the authentication server apparatus 20 has the encryption unit 213 encrypt the respective strings of the group IDs generated in step S202, and thereby generates the authentication codes. Then, the register/change unit 211 stores the generated authentication codes in the authentication information table 24D, where the authentication codes are associated with the user ID included in the password register request or the password change request and the pattern IDs.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teachings of Yang regarding storing authentication codes to the method of Rockwell in view of Li in order to prevent illegal acquisition of a user’s password by a third party caused by password prying (e.g., snooping, illicit observing, etc.) (Yang: ¶0006).
With respect to claim 14, the combination of Rockwell in view of Li and Yang teaches the non-transitory computer-readable recording medium of claim 11 (as seen in claim 11 above), wherein in a case where the server is logged in by the terminal device, the authentication code is sent to the terminal device. (Rockwell ¶0033-0035: Regardless of login option chosen, user 102 may enter the mobile phone number of the user's mobile device (e.g., phone number for mobile device 105). For example, the user may enter the user's mobile device phone number in the field that asks for it and click "submit". At step 302, in the background and in response to receiving the phone number, FSP 120 may match the phone number to an FSP account (e.g., using database 126 and accounts information 128). On finding a match, FSP 120 may generate a one-time password, set a pre-defined expiration period for the one-time password, and send the one-time password to the phone number (e.g., to the mobile device having that phone number such as mobile device 105). At step 303, user 102 may enter the one-time password (by entering in the proper field in the dialog or web flow provided, for example, and clicking submit). In response to receiving the one-time password from the user 102 via the network 106 before the expiration period for the one-time password passes or runs out, the user 102 is now logged in (e.g., authenticated) and may start shopping, for example, on the merchant website 108.).
With respect to claim 16, the combination of Rockwell in view of Li and Yang teaches the non-transitory computer-readable recording medium of claim 11 (as seen in claim 11 above), wherein the computer-readable instructions, when executed by the processor, further cause the server to: receive a registration request including the identification information and specifying information for specifying the target user information from a second external device; (Rockwell ¶0023: As seen in Figure 2, at step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number.);
and in a case where the registration request is received from the second external device, store the identification information and the target user information specified by the specifying information in association with each other in the memory. (Rockwell ¶0019-0020: Figure 1 further shows a system 100 for online commerce according to one embodiment. A user 102 (generally a consumer or consumer user of FSP services) may communicate via a computing device 104 (e.g., a computer, cell phone, computing tablet, or other consumer electronic device) with financial service provider (FSP) 120 via communication networks 106, which may include the Internet as well as phone networks such as Public Switched Telephone Network (PSTN). User 102 may also communicate over communication networks 106 using a mobile device 105, e.g., a mobile phone of any kind, that can receive messages such as Short Message Service (SMS) messages.);
With respect to claim 17, Rockwell teaches a server comprising: (¶0019: As seen in Figure 1, user 102 may also communicate via network 106 with a website 108 that may be a merchant website that is a seller of retail goods, for example. Merchant website 108 may sell goods online and may communicate with user 102, for example, by operating a server 110 (e.g., a computer processor) that presents a website for selling goods. The server 110 may respond to client devices (e.g., client 111 running on device 104) by communicating over network 106.);
a memory configured to store [identification information for identifying a communication device], (¶0021: Website 130 may be a website that provides authorization services that enable a user (e.g., user 102) to login to other websites and services while only having to maintain one user account 134 at the authorization services website 130. For example, such an arrangement may be provided according to the OpenID and OAuth standards. Website 130 may communicate with FSP 120 and user 102, for example, over communication network 106 via server 136. ) an authentication code associated with the identification information, and a target user information corresponding to a terminal device operated by a user, wherein identification information, the authentication code and the target user information are stored in association with each other; (¶0008: The user provides the user's mobile phone number to login to a service provider's site, and receives a one-time password (e.g., via a text message) on the mobile device to which the phone number belongs. If the user enters the one-time password within its limited lifespan, the user is then logged into the service provider's site.);
and a controller, wherein the controller is configured to: receive a change instruction including the identification information from the communication device; generate an authentication code after receiving the change instruction from the communication device, (¶0037-0038: Figure 4 illustrates a method 400 for providing authentication for resetting passwords. At step 401, an operator of a customized API for resetting passwords (e.g., FSP 120, merchant website 108, or login host website 130) may receive an existing username or email address and phone number from, for example, a merchant on behalf of a consumer user 102 via the network 106 in response to a password reset prompt displayed to the user 102. At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device. );
wherein the memory stores the target user information corresponding to the terminal device operated by the user in advance and stores the identification information and the target user information corresponding to the terminal device operated by the user in the memory which associates the identification information and the target user information with each other in advance after receiving a registration request from the communication device; (¶0022: Figure 2 illustrates method 200 for providing authentication services. In one embodiment a financial service provider may create (or otherwise provide) a series of API's for registration, login, or password reset (not all APIs may be needed by all customers, e.g., merchant websites or service providers). At step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number (target user information). The merchant may integrate the API into the merchant's website as an alternative to a traditional merchant-hosted registration flow.);
determine whether the identification information and the target user information are associated with each other in the memory in response to the change instruction; in a case where the change instruction is received from the communication device and the target user information is associated with the identification information in the memory, send the authentication code, generated by the server, to the terminal device by using the target user information stored, by the server, which is associated with the identification information included in the change instruction, (¶0038: The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.);
wherein the authentication code is inputted to the communication device by the user of the terminal device after the authentication code has been sent to the terminal device; in a case where the authentication code is inputted to the communication device, receive the authentication code and the identification information from the communication device; and (¶0038: At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device.);
in a case where the authentication code and the identification information are received from the communication device and the authentication code and the identification information are stored in the memory which associates the authentication code with the identification information, send a change permission notification to the communication device, wherein the change permission notification is a notification to permit the communication device to [change a password of the communication device.] (¶0039: At step 404, once the consumer user 102 is authenticated, the FSP 120 may (by executing the password reset API) may either allow the user to establish a new password on the merchant website or send a new password (for use with the username) in a text message (e.g., via SMS) to the consumer user 102, and notify the customer (e.g., merchant website 108) of the new password.);
Rockwell does not disclose:
identification information for identifying a communication device
change a password of the communication device.
However, Li teaches identification information for identifying a communication device (¶0073: The device identification herein which uniquely identifies the accessed device may be generated when the accessed device is generated. In a practical application, the device identification may be a string which may be composed of at least one of numbers, letters, or other types of characters.);
change a password of the communication device. (¶0071: Alternatively, the accessed device may periodically change the access password, or change the access password of the accessed device after receiving an instruction of changing access sent by the login terminal corresponding to the accessed device (¶0043 discloses that the accessed device 120 may be a smart device with Wi-Fi, and the smart device may be a camera, router, a smart TV, and the like, which is akin to a communication device) (changing a password of the communication device));
Although Rockwell teaches the concept of changing a password, Rockwell does not specifically teach changing the password of a communication device. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the teachings of Li regarding changing a password of the communication device into the method of Rockwell because the modification merely substitutes one known protected entity (user’s account) with another known protected entity (communication device) while using the same conventional update mechanism.
Rockwell in view of Li does not disclose:
store the authentication code and the identification information in the memory which associates the authentication code with the identification information after generating the authentication code,
However, Yang teaches store the authentication code and the identification information in the memory which associates the authentication code with the identification information after generating the authentication code, (¶0101-0103: As illustrated in Figure 5, in step S203, the register/change unit 211 of the authentication server apparatus 20 has the encryption unit 213 encrypt the respective strings of the group IDs generated in step S202, and thereby generates the authentication codes. Then, the register/change unit 211 stores the generated authentication codes in the authentication information table 24D, where the authentication codes are associated with the user ID included in the password register request or the password change request and the pattern IDs.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teachings of Yang regarding storing authentication codes to the method of Rockwell in view of Li in order to prevent illegal acquisition of a user’s password by a third party caused by password prying (e.g., snooping, illicit observing, etc.) (Yang: ¶0006).
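The server-side exchange recited in claims 11 and 17 as mapped above (change instruction carrying the device identification, code sent to the registered terminal, code stored in association with the identification, change permission only on a match), as an added Python example that is not taken from the application or from Rockwell, Li or Yang. The class and method names, the 6-digit code, the 300-second lifespan, the attempt limit, the keyed digest and the sample identifiers are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed lifespan of a one-time code
MAX_ATTEMPTS = 5         # assumed limit on wrong submissions per code


@dataclass
class PendingCode:
    digest: bytes        # keyed digest of (device_id, code); the code itself is not stored
    expires_at: float
    attempts_left: int


class ChangeAuthServer:
    """Hypothetical server gating a device password change behind a one-time code."""

    def __init__(self, send_to_terminal, clock=time.time):
        self._key = secrets.token_bytes(32)   # per-server secret for the digest
        self._registrations = {}              # device_id -> target user info
        self._pending = {}                    # device_id -> PendingCode
        self._send = send_to_terminal         # out-of-band channel (SMS, push, ...)
        self._clock = clock

    def register(self, device_id, target_user_info):
        # Registration request: associate the device with the user's terminal in advance.
        self._registrations[device_id] = target_user_info

    def handle_change_instruction(self, device_id):
        # Proceed only when the identification is associated with target user info.
        target = self._registrations.get(device_id)
        if target is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        # Store the code in association with the device identification.
        # A new request replaces any earlier pending code for the same device.
        self._pending[device_id] = PendingCode(
            digest=self._digest(device_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        # The destination comes from server-side state, never from the request.
        self._send(target, code)
        return True

    def handle_code_submission(self, device_id, code):
        # True stands for the change permission notification.
        entry = self._pending.get(device_id)
        if entry is None:
            return False
        if self._clock() >= entry.expires_at:
            del self._pending[device_id]
            return False
        if not hmac.compare_digest(entry.digest, self._digest(device_id, code)):
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:
                del self._pending[device_id]   # force a fresh code after repeated misses
            return False
        del self._pending[device_id]           # single use: a replayed code is rejected
        return True

    def _digest(self, device_id, code):
        # Binding the device id into the digest ties each code to one device.
        msg = f"{device_id}\x00{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the message channel
    server = ChangeAuthServer(lambda target, code: outbox.append((target, code)))
    server.register("CAM-0001", "+15550100")   # constructed sample values
    print("unregistered device:", server.handle_change_instruction("CAM-9999"))
    print("registered device:", server.handle_change_instruction("CAM-0001"))
    target, code = outbox[-1]
    print("code sent to:", target)
    print("permission:", server.handle_code_submission("CAM-0001", code))
    print("replay:", server.handle_code_submission("CAM-0001", code))
```

Because the code is looked up by device identification and its digest includes that identification, a code issued for one device cannot authorize a change on another, and an expired, replayed or repeatedly mistyped code yields no permission.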
With respect to claim 18, Rockwell teaches a communication system comprising a communication device and a server; (¶0019: Figure 1 illustrates a system 100 for online commerce according to one embodiment. A user 102 (generally a consumer or consumer user of FSP services) may communicate via a computing device 104 (e.g., a computer, cell phone, computing tablet, or other consumer electronic device) with financial service provider (FSP) 120 via communication networks 106, which may include the Internet as well as phone networks such as Public Switched Telephone Network (PSTN). User 102 may also communicate over communication networks 106 using a mobile device 105, e.g., a mobile phone of any kind, that can receive messages such as Short Message Service (SMS) messages. The server 110 may respond to client devices (e.g., client 111 running on device 104) by communicating over network 106.);
wherein the server comprises: a memory configured to store identification information for identifying a communication device and a target user information corresponding to a terminal device operated by a user, wherein identification information and the target user information are stored in association with each other; and a server controller, (¶0019: Website 130 may be a website that provides authorization services that enable a user (e.g., user 102) to login to other websites and services while only having to maintain one user account 134 at the authorization services website 130. For example, such an arrangement may be provided according to the OpenID and OAuth standards. Website 130 may communicate with FSP 120 and user 102, for example, over communication network 106 via server 136.);
wherein the communication device comprises a device controller configured to: accept a predetermined instruction for [changing a password of the communication device] from a user; in a case where the predetermined instruction is accepted, (¶0038: The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.) send a change instruction including identification information for [identifying the communication device] to the server, (¶0037-0038: Figure 4 illustrates a method 400 for providing authentication for resetting passwords in accordance with an embodiment. At step 401, an operator of a customized API for resetting passwords (e.g., FSP 120, merchant website 108, or login host website 130) may receive an existing username or email address and phone number from, for example, a merchant on behalf of a consumer user 102 via the network 106 in response to a password reset prompt displayed to the user 102.) the change instruction instructing the server to determine whether the identification information and a target user information corresponding to a terminal device operated by the user are associated with each other in the memory, wherein the server controller is configured to: receive the change instruction including the identification information from the communication device; generate an authentication code after receiving the change instruction from the communication device, (¶0037-0038: Figure 4 illustrates a method 400 for providing authentication for resetting passwords. At step 401, an operator of a customized API for resetting passwords (e.g., FSP 120, merchant website 108, or login host website 130) may receive an existing username or email address and phone number from, for example, a merchant on behalf of a consumer user 102 via the network 106 in response to a password reset prompt displayed to the user 102. At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device.);
wherein the memory stores the target user information in advance and stores the identification information and the target user information in the memory which associates the identification information and the target user information with each other after receiving a registration request from the communication device; (¶0022: Figure 2 illustrates method 200 for providing authentication services. In one embodiment a financial service provider may create (or otherwise provide) a series of API's for registration, login, or password reset (not all APIs may be needed by all customers, e.g., merchant websites or service providers). At step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number (target user information). The merchant may integrate the API into the merchant's website as an alternative to a traditional merchant-hosted registration flow.);
determine whether the identification information and the target user information are associated with each other in the memory in response to the change instruction; and in a case where the change instruction is received from the communication device and the target user information is associated with the identification information in the memory, send the authentication code, generated by the server, to the terminal device by using the target user information stored, by the server, which is associated with the identification information included in the change instruction, (¶0038: The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.);
wherein the device controller is further configured to: accept input of the authentication code; and in a case where the input of the authentication code is accepted, send the authentication code and the identification information to the server; the server controller is further configured to: receive the authentication code and the identification information from the communication device; and (¶0038: At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device.);
in a case where the authentication code and the identification information are received from the communication device and the authentication code and the identification information are stored in the memory which associates the authentication code with the identification information, (¶0038: As seen in Figure 4, at step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device. The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed. ) send a change permission notification to the communication device, wherein the change permission notification is a notification to permit the communication device to change a password of the communication device, wherein the device controller is further configured to: receive the change permission notification from the server; and in a case where the change permission notification is received from the server, change the password of the communication device. (¶0039: At step 404, once the consumer user 102 is authenticated, the FSP 120 may (by executing the password reset API) may either allow the user to establish a new password on the merchant website or send a new password (for use with the username) in a text message (e.g., via SMS) to the consumer user 102, and notify the customer (e.g., merchant website 108) of the new password.);
Rockwell does not disclose:
changing a password of the communication device
identification information for identifying the communication device
However, Li teaches changing a password of the communication device (¶0071: Alternatively, the accessed may periodically change the access password, or change the access password of the accessed device after receiving an instruction of changing access sent by the login terminal corresponding to the accessed device (¶0043 discloses that the accessed device 120 may be a smart device with Wi-Fi, and the smart device may be a camera, router, a smart TV, and the like, which is akin to a communication device) (changing a password of the communication device));
identification information for identifying the communication device (¶0073: The device identification herein which uniquely identifies the accessed device may be generated when the accessed device is generated. In a practical application, the device identification may be a string which may be composed of at least one of numbers, letters, or other types of characters.);
Although Rockwell does teach the concept of changing a password, Rockwell does not specifically teach changing the password for a communication device. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the teachings of Li regarding changing a password of the communication device into the method of Rockwell because the modification merely substitutes one known protected entity (user’s account) with another known protected entity (communication device) while using the same conventional update mechanism.
Rockwell in view of Li does not disclose:
store the authentication code and the identification information in the memory which associates the authentication code with the identification information after generating the authentication code,
However, Yang teaches store the authentication code and the identification information in the memory which associates the authentication code with the identification information after generating the authentication code, (¶0101-0103: As illustrated in Figure 5, in step S203, the register/change unit 211 of the authentication server apparatus 20 has the encryption unit 213 encrypt the respective strings of the group IDs generated in step S202, and thereby generates the authentication codes. Then, the register/change unit 211 stores the generated authentication codes in the authentication information table 24D, where the authentication codes are associated with the user ID included in the password register request or the password change request and the pattern IDs.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Yang regarding storing authentication codes to the method of Rockwell in view of Li in order to prevent illegal acquisition of user’s password by a third party caused by password prying (e.g., snooping, illicit observing, etc.) (Yang: ¶0006).
Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Rockwell et al. (US PGPub No. 20130276078-A1) in view of Li et al. (US-20160352723-A1), Yang et al. (US PGPub No. 20160212119-A1), and Belov et al. (US PGPub No. 20200382495-A1).
With respect to claim 3, the combination of Rockwell in view of Li and Yang teaches the device of claim 1 (see rejection of claim 1 above) but does not disclose wherein the controller is further configured to: receive a token from the server in a case where the change instruction is sent to the server, in the case where the input of the authentication code is accepted, the controller is configured to send the authentication code and the token to the server, and in a case where the authentication code and the token are sent to the server, the controller is configured to receive the change permission notification from the server.
However, Belov teaches wherein the controller is further configured to: receive a token from the server in a case where the change instruction is sent to the server, in the case where the input of the authentication code is accepted, the controller is configured to send the authentication code and the token to the server, and in a case where the authentication code and the token are sent to the server, the controller is configured to receive the change permission notification from the server. (¶0068-0069: The access continuation parameter can be used when a user changes their credentials to generate new tokens (e.g., changes their password on an account that is associated with one or more of the user's devices). In a further embodiment, the authorization process 510 negotiates an authorization token and returns this authorization token to the HTTP request process 508. The HTTP request process 508 returns the authorization token to the application 504, where the application 504 uses authorization token to authorize the application 504 for the user. ).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Belov regarding receiving a token to the method of Rockwell in view of Li and Yang in order to provide authorization without revealing any private information (Belov: ¶0039).
With respect to claim 12, the combination of Rockwell in view of Li and Yang teaches the non-transitory computer-readable recording medium of claim 11 (as seen in claim 11 above), but does not disclose wherein the computer-readable instructions, when executed by the processor, further cause the server to: store the authentication code and a token different from the authentication code in association with each other in the memory; and in the case where the change instruction is received from the communication device, send the second authentication code to the communication device identified by the identification information, in a case where the token is sent to the communication device and the authentication code is inputted to the communication device, the authentication code and the token are received from the communication device, and in a case where the authentication code and the token have been received from the communication device and the received authentication code and the received token are stored in association with each other in the memory, the change permission notification is sent to the communication device.
However, Belov teaches wherein the computer-readable instructions, when executed by the processor, further cause the server to: store the authentication code and a token different from the authentication code in association with each other in the memory; (¶0061: For a subsequent request, the anonymous identity token and authorization code are stored in an application authorization cache on the authorization requesting device and the single sign on (or another type of sign on for the application) is not needed until the user signs out of the application.);
and in the case where the change instruction is received from the communication device, send the second authentication code to the communication device identified by the identification information, in a case where the token is sent to the communication device and the authentication code is inputted to the communication device, the authentication code and the token are received from the communication device, and in a case where the authentication code and the token have been received from the communication device and the received authentication code and the received token are stored in association with each other in the memory, the change permission notification is sent to the communication device. (¶0068-0069: The access continuation parameter can be used when a user changes their credentials to generate new tokens (e.g., changes their password on an account that is associated with one or more of the user's devices). In a further embodiment, the authorization process 510 negotiates an authorization token and returns this authorization token to the HTTP request process 508. The HTTP request process 508 returns the authorization token to the application 504, where the application 504 uses authorization token to authorize the application 504 for the user. ).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Belov regarding receiving a token to the method of Rockwell in view of Li and Yang in order to provide authorization without revealing any private information (Belov: ¶0039).
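The exchange recited in claims 3 and 12 above (an authentication code stored in association with the identification information and a token, then checked before the change permission notification is sent), sketched as an added example that is not code from the application or from any cited reference. The class and method names, the five-minute lifespan, the three-attempt limit, and the sample device IDs and addresses are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumed lifespan; Rockwell only says "pre-defined"
MAX_ATTEMPTS = 3        # assumed guess limit, not taken from the claims


@dataclass
class PendingChange:
    device_id: str      # identification information of the communication device
    code: str           # authentication code delivered out of band
    expires_at: float
    attempts: int = 0


class ResetServer:
    """Hypothetical server side of the password-change flow in the claims."""

    def __init__(self, registered_email):
        # device_id -> e-mail address of the registered user (constructed data)
        self.registered_email = dict(registered_email)
        self.pending = {}  # token -> PendingChange (the stored association)
        self.outbox = []   # (address, code) pairs standing in for real e-mail

    def handle_change_instruction(self, device_id, now):
        """Generate a code, store it against the device ID, return a token."""
        address = self.registered_email.get(device_id)
        if address is None:
            return None
        # Drop any earlier request for this device so only one code is live.
        self.pending = {t: p for t, p in self.pending.items()
                        if p.device_id != device_id}
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingChange(
            device_id, code, now + CODE_TTL_SECONDS)
        self.outbox.append((address, code))  # goes to the user, not the device
        return token

    def handle_code_submission(self, device_id, token, code, now):
        """Return True (change permission) only for a live, matching triple."""
        entry = self.pending.get(token)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self.pending[token]
            return False
        # Constant-time comparisons; both must hold, so a code issued for one
        # device cannot unlock a password change on another.
        id_ok = hmac.compare_digest(entry.device_id.encode(), device_id.encode())
        code_ok = hmac.compare_digest(entry.code.encode(), code.encode())
        if id_ok and code_ok:
            del self.pending[token]  # single use: a replayed code fails
            return True
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[token]  # stop online guessing of the 6-digit code
        return False


if __name__ == "__main__":
    server = ResetServer({"printer-01": "owner@example.test"})
    tok = server.handle_change_instruction("printer-01", now=0.0)
    _, emailed_code = server.outbox[-1]
    print(server.handle_code_submission("printer-01", tok, emailed_code, now=5.0))
```

The device changes its password only when `handle_code_submission` returns True, which corresponds to receiving the change permission notification.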
Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Rockwell et al. (US PGPub No. 20130276078-A1) in view of Li et al. (US-20160352723-A1), Yang et al. (US PGPub No. 20160212119-A1) and Li et al. (US PGPub No. 20210099295-A1).
With respect to claim 4, the combination of Rockwell in view of Li (US PGPub No. 20160352723-A1) and Yang teaches the device of claim 1 (see rejection of claim 1 above) but does not disclose wherein the target user information includes an e-mail address of the user of the terminal device, and the change instruction instructing the server to send a first e-mail including the authentication code to the e-mail address included in the target user information stored in association with the identification information included in the change instruction.
However, Li (US PGPub No. 20210099295-A1) teaches wherein the target user information includes an e-mail address of the user of the terminal device, and the change instruction instructing the server to send a first e-mail (¶0006: The at least one recovery element comprising at least one of: an email address, a mobile phone number, a landline phone number, a social media account identifier or a messaging application account identifier.) including the authentication code to the e-mail address included in the target user information stored in association with the identification information included in the change instruction. (¶0006: Utilizing multi-factor authentication prior to decrypting a master encryption key with a recovery element encryption key cipher comprises, for example, sending a verification code to a user computing entity associated with the user, such as by sending a verification code to the user's phone by text message, the user's email address, or the user's special-purpose client application (e.g., WeChat, WhatsApp), or the like and verifying this code before authentication.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Li (US PGPub No. 20210099295-A1) regarding an email to the method of Rockwell in view of Li (US PGPub No. 20160352723-A1) and Yang in order to prevent unauthorized users from accessing the authorized user’s account (Li ¶0003).
With respect to claim 13, the combination of Rockwell in view of Li (US PGPub No. 20160352723-A1) and Yang teaches the non-transitory computer-readable recording medium of claim 11 (as seen in claim 11 above), but does not disclose wherein the target user information includes an e-mail address of the user of the terminal device, and in the case where the change instruction is received from the communication device, a first e-mail including the authentication code is sent to the e-mail address included in the target user information stored in association with the identification information included in the change instruction.
However, Li teaches wherein the target user information includes an e-mail address of the user of the terminal device, (¶0006: The at least one recovery element comprising at least one of: an email address, a mobile phone number, a landline phone number, a social media account identifier or a messaging application account identifier.) and in the case where the change instruction is received from the communication device, a first e-mail including the authentication code is sent to the e-mail address included in the target user information stored in association with the identification information included in the change instruction. (¶0006: Utilizing multi-factor authentication prior to decrypting a master encryption key with a recovery element encryption key cipher comprises, for example, sending a verification code to a user computing entity associated with the user, such as by sending a verification code to the user's phone by text message, the user's email address, or the user's special-purpose client application (e.g., WeChat, WhatsApp), or the like and verifying this code before authentication.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Li (US PGPub No. 20210099295-A1) regarding an email to the method of Rockwell in view of Li (US PGPub No. 20160352723-A1) and Yang in order to prevent unauthorized users from accessing the authorized user’s account (Li (US PGPub No. 20210099295-A1) ¶0003).
Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Rockwell et al. (US PGPub No. 20130276078-A1) in view of Li et al. (US-20160352723-A1), Yang et al. (US PGPub No. 20160212119-A1), Li et al. (US PGPub No. 20210099295-A1), Nishiyama et al. (US PGPub No. 20130308167-A1), and Jenks et al. (US PGPub No. 20240073167-A1).
With respect to claim 5, the combination of Rockwell in view of Li and Yang teaches the device of claim 1 (see rejection of claim 1 above), but does not disclose wherein the target user information includes an e-mail address of the user of the terminal device, the change instruction instructing the server to send a second e-mail including location information to the e-mail address included in the target user information stored in association with the identification information included in the change instruction, wherein the location information indicates a location of login screen data representing a login screen for login to the server, and in a case where the server is logged in by the terminal device after the login screen has been displayed at the terminal device, the authentication code is sent to the terminal device.
However, Li (US PGPub No. 20210099295-A1) teaches wherein the target user information includes an e-mail address of the user of the terminal device, (¶0006: Utilizing multi-factor authentication prior to decrypting a master encryption key with a recovery element encryption key cipher comprises, for example, sending a verification code to a user computing entity associated with the user, such as by sending a verification code to the user's phone by text message, the user's email address, or the user's special-purpose client application (e.g., WeChat, WhatsApp), or the like and verifying this code before authentication.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Li (US PGPub No. 20210099295-A1) regarding an email to the method of Rockwell in view of Li (US PGPub No. 20160352723-A1) and Yang in order to prevent unauthorized users from accessing the authorized user’s account (Li (US PGPub No. 20210099295-A1) ¶0003).
Rockwell in view of Li (US PGPub No. 20160352723-A1), Yang, and Li (US PGPub No. 20210099295-A1) does not disclose:
the change instruction instructing the server to send a second e-mail including location information to the e-mail address included in the target user information stored in association with the identification information included in the change instruction,
However, Nishiyama teaches the change instruction instructing the server to send a second e-mail including location information (¶0055: A second setting operation (an operation of setting a destination of a second e-mail) in the MFP 101. The CPU 211 of the MFP 101 executes a control program stored in the HDD as seen in Figure 9) to the e-mail address included in the target user information stored in association with the identification information included in the change instruction, (¶00012: A second setting unit configured to set a destination of a second e-mail for making notification of completion of transmission of the first e-mail, and a control unit configured to perform control such that a destination of the first e-mail is restricted to the e-mail address acquired by the acquisition unit, but a destination of the second e-mail is not restricted to the e-mail address acquired by the acquisition unit.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Nishiyama with regards to email addresses to the method of Rockwell in view of Li (US PGPub No. 20160352723-A1), Yang, and Li in order to prevent a malicious user from transmitting data to an inappropriate destination (Nishiyama: ¶0006-0007).
Rockwell in view of Li (US PGPub No. 20160352723-A1), Yang, Li (US PGPub No. 20210099295-A1), and Nishiyama does not disclose:
wherein the location information indicates a location of login screen data representing a login screen for login to the server, and in a case where the server is logged in by the terminal device after the login screen has been displayed at the terminal device, the authentication code is sent to the terminal device.
However, Jenks teaches wherein the location (¶0245-0246: The back-end server 302 may determine second contextual information in a second electronic message 3206 generated during the electronic messaging conversation. Similar to the first contextual information, the second contextual information may include one or more words of the second electronic message 3206 generated during the electronic messaging conversation as seen in Figure 32. In certain example embodiments, the second contextual information may be indicative of a geographic region.) information indicates a location of login screen data representing a login screen for login to the server, and (¶0245-0246: In such example embodiments, additional information relating to a user profile associated with the electronic messaging conversation or a user device 306 used to log into such a user profile may be accessed (login screen for login to the server) to determine a specific geographic region/location.)
in a case where the server is logged in by the terminal device after the login screen has been displayed at the terminal device, the authentication code is sent to the terminal device. (¶0250: As seen in Figure 33, wherein the screen contains the logged information of the location selection of that selectable icon 3208 may cause a user interface to be rendered that includes content cards corresponding to the larger, unfiltered set of options corresponding to the first contextual information (first authentication information).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jenks with regards to email addresses to the method of Rockwell in view of Li (US PGPub No. 20160352723-A1), Yang, Li (US PGPub No. 20210099295-A1), and Nishiyama in order to detect changes with regards to the user’s device and better manage rapid expansion and modifications to the user’s account (Jenks: 0002 & 0045-0051).
With respect to claim 15, the combination of Rockwell in view of Li and Yang teaches the non-transitory computer-readable recording medium of claim 14 (as seen in claim 14 above), but does not disclose wherein the target user information includes an e-mail address of the user of the terminal device, in the case where the change instruction is received from the communication device, a second e-mail including location information is sent to the e-mail address included in the target user information stored in association with the identification information included in the change instruction, wherein the location information indicates a location of login screen data representing a login screen for login to the server, and in a case where the server is logged in by the terminal device after the login screen has been displayed at the terminal device, the authentication code is sent to the terminal device.
However, Li (US PGPub No. 20210099295-A1) teaches wherein the target user information includes an e-mail address of the user of the terminal device, (¶0006: Utilizing multi-factor authentication prior to decrypting a master encryption key with a recovery element encryption key cipher comprises, for example, sending a verification code to a user computing entity associated with the user, such as by sending a verification code to the user's phone by text message, the user's email address, or the user's special-purpose client application (e.g., WeChat, WhatsApp), or the like and verifying this code before authentication.);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Li (US PGPub No. 20210099295-A1) regarding an email to the method of Rockwell in view of Li (US PGPub No. 20160352723-A1) and Yang in order to prevent unauthorized users from accessing the authorized user’s account (Li (US PGPub No. 20210099295-A1) ¶0003).
Rockwell in view of Li (US PGPub No. 20160352723-A1), Yang, and Li (US PGPub No. 20210099295-A1) does not disclose:
in the case where the change instruction is received from the communication device, a second e-mail including location information is sent to the e-mail address included in the target user information stored in association with the identification information included in the change instruction,
However, Nishiyama teaches in the case where the change instruction is received from the communication device, a second e-mail including location information (¶0055: A second setting operation (an operation of setting a destination of a second e-mail) in the MFP 101. The CPU 211 of the MFP 101 executes a control program stored in the HDD as seen in Figure 9) is sent to the e-mail address included in the target user information stored in association with the identification information included in the change instruction, (¶00012: A second setting unit configured to set a destination of a second e-mail for making notification of completion of transmission of the first e-mail, and a control unit configured to perform control such that a destination of the first e-mail is restricted to the e-mail address acquired by the acquisition unit, but a destination of the second e-mail is not restricted to the e-mail address acquired by the acquisition unit.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Nishiyama with regards to email addresses to the method of Rockwell in view of Li (US PGPub No. 20160352723-A1), Yang, and Li in order to prevent a malicious user from transmitting data to an inappropriate destination (Nishiyama: ¶0006-0007).
Rockwell in view of Li (US PGPub No. 20160352723-A1), Yang, Li (US PGPub No. 20210099295-A1), and Nishiyama does not disclose:
wherein the location information indicates a location of login screen data representing a login screen for login to the server, and in a case where the server is logged in by the terminal device after the login screen has been displayed at the terminal device, the authentication code is sent to the terminal device.
However, Jenks teaches wherein the location information (¶0245-0246: The back-end server 302 may determine second contextual information in a second electronic message 3206 generated during the electronic messaging conversation. Similar to the first contextual information, the second contextual information may include one or more words of the second electronic message 3206 generated during the electronic messaging conversation as seen in Figure 32. In certain example embodiments, the second contextual information may be indicative of a geographic region.) indicates a location of login screen data representing a login screen for login to the server, and (¶0245-0246: In such example embodiments, additional information relating to a user profile associated with the electronic messaging conversation or a user device 306 used to log into such a user profile may be accessed (login screen for login to the server) to determine a specific geographic region/location.)
in a case where the server is logged in by the terminal device after the login screen has been displayed at the terminal device, the authentication code is sent to the terminal device. (¶0250: As seen in Figure 33, wherein the screen contains the logged information of the location selection of that selectable icon 3208 may cause a user interface to be rendered that includes content cards corresponding to the larger, unfiltered set of options corresponding to the first contextual information.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jenks with regards to email addresses to the method of Rockwell in view of Li (US PGPub No. 20160352723-A1), Yang, Li (US PGPub No. 20210099295-A1), and Nishiyama in order to detect changes with regards to the user’s device and better manage rapid expansion and modifications to the user’s account (Jenks: 0002 & 0045-0051).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Gallant et al. (US PGPub No. 20160352702-A1) teaches a method of enabling a password reset mechanism for a secured device that verifies a digital signature on a password reset message.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAYLOR P VU whose telephone number is (703)756-1218. The examiner can normally be reached MON - FRI (7:30 - 5:00).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/T.P.V./ Examiner, Art Unit 2437
/ALI S ABYANEH/ Primary Examiner, Art Unit 2437