DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 15 and 18 are amended.
Claims 2, 16 and 19 were cancelled.
Claims 21-23 are newly added.
Claims 1, 3-15, 17-18, 23 are pending.
Response to Arguments
Applicant’s arguments filed 01/22/2026 have been fully considered.
Applicant’s argument with respect to the amended limitation of “…in a manner directly triggered responsive to the satisfaction of the one or more specified revocation conditions and without involvement of the first user” is moot in view of a new ground of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3-7, 15, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yee et al. (U.S. PGPub. No. 2022/0060469 A1) (hereinafter “Yee”) in view of Manza et al. (U.S. Pat. No. 10,693,865 B2) (hereinafter “Manza”), and in further view of Pangam et al. (U.S. PGPub. No. 2018/0176195 A1) (hereinafter “Pangam”).
Regarding Claim 1, Yee teaches:
at least one processing device comprising a processor coupled to a memory (Yee: [0100], the member computing devices 802a, 802b through 802n shown each at least includes a computer-readable media 808, which may include memory such as random-access memory (RAM), coupled to a processor 810); the at least one processing device configured (Yee: [0038] Processor(s) 208 may include one or more known processing devices, such as a microprocessor from the Core™, Pentium™ or Xeon™ family manufactured by IntelR™, the Turion™ family manufactured by AMD™, the “Ax” (i.e., A6 or A8 processors) or “Sx” (i.e. S1, . . . processors) family manufactured by Apple™, or any of various processors manufactured by Sun Microsystems, for example. The disclosed embodiments are not limited to any type of processor(s) otherwise configured to meet the computing demands required of different components of online service system 200) to provide a processor-based authentication service for sharing access credentials of a protected resource among multiple users (Yee: [0023], enables a user to send a password sharing request to a trusty party (e.g., another user of their shared online account), and be authenticated to access the account based on the interaction, for example, by sharing the login credentials such as passwords or other account details between users in a secure manner);
wherein the at least one processing device in (Yee: [0038] Processor(s) 208 may include one or more known processing devices, such as a microprocessor from the Core™, Pentium™ or Xeon™ family manufactured by IntelR™, the Turion™ family manufactured by AMD™, the “Ax” (i.e., A6 or A8 processors) or “Sx” (i.e. S1, . . . processors) family manufactured by Apple™, or any of various processors manufactured by Sun Microsystems, for example. The disclosed embodiments are not limited to any type of processor(s) otherwise configured to meet the computing demands required of different components of online service system 200) providing the authentication service for sharing the access credentials is further configured (Yee: [0081] The account detail sharing process 500 may include, at 510, a step of authenticating the second user based on an interaction of the first user with the GUI element. According to various embodiments, the interaction of the user with the GUI element may be implemented as an interaction with the first user via the GUI element. In one embodiment, step 510 may be performed by the server. In some other embodiments, a selection/operation of the GUI element to authorize the login request may include providing verification, by the user of the first device, that the second device is associated with a trusted entity):
to obtain, in the processor-based authentication service, the access credentials at least in part from a first one of the users (Yee: [0056], upon verifying that the request is for the Netflix account and from Yeezy, Kim may select the “Share Password” button 454 to submit an approval of sharing the requested password with Yeezy. In some embodiments, the share password page 452 is configured to be active and displayed to Kim for a pre-configured period of time. As such, upon the lapse of the pre-configured requesting period of time, and without Kim's selection of the “Share Password” button 454),
to automatically provide, via the processor-based authentication service, the access credentials to at least one additional one of the users responsive to authentication of the at least one additional user (Yee: [0107] As used herein, the term “dynamically” and the term “automatically,” and their logical and/or linguistic relatives and/or derivatives, mean that certain events and/or actions can be triggered and/or occur without any human intervention. [0059] FIG. 4D illustrates a final series of the user interfaces associated with the password sharing request initiated by Yeezy beginning in FIG. 4B. Upon generation of the approval from Kim to share the requested credentials, at 464, the software application on Yeezy's device is configured to transition from the password request pending page 440 to a password received page 470… the device may be configured to navigate back to a sign-in page, at 480. Here, then, the received encrypted password is decrypted and auto-populated (=automatically provides access credentials) into the password field 482…. In some embodiments, the password received page 470 may be configured to disable the “show” icon which normally allows a user to view the password such that Yeezy is only able to establish an authenticated login session with Kim's shared password auto-filled at the sign-in page 480, without the password being visibly displayed to him) and satisfaction of one or more specified distribution conditions (Yee: [0049], user A 401 may need to be further authenticated using security measures such as secondary authentication. In various examples, secondary authentication may include a set of security questions, dynamically generated information sent to another communication modality of users (e.g., SMS, email, etc.), and the like. In this example, user A's request to log into the user account at device 403 is not authenticated due to either the lack of the login credential (user A is aware that he or she does not know the correct password and/or username), or the incorrect login credentials received at server A 403 (e.g., incorrect username and/or password entered, failed secondary authentication. [0050] In some embodiments, one such embodiment being illustrated in more detail below in connection with FIGS. 4B-4D, upon receipt of a share password request from user A 401 (e.g., via a GUI at user B's device), user B 402 verifies that the request comes from user A 401 and that it pertains to an account they share, user B 402 grants the request, and thereby shares the password or other login credential(s) with user A 401. [0079] The account detail sharing process 500 may include, at 508, a step of transmitting, to the first device, a login request notification of the login request including a graphical user interface (GUI) element and a request to authenticate the login request);
Yee does not explicitly disclose:
the access credentials comprising a user name and a password for an access-controlled user account of a website provided by the one or more web-servers;
to automatically modify, via the processor-based authentication service and without requiring further interaction between the processor-based authentication service and the first user, the access credentials responsive to satisfaction of one or more specified revocation conditions.
However, in an analogous art, Manza teaches:
the access credentials comprising a user name and a password for an access-controlled user account of a website provided by the one or more web-servers (Manza: [Col 18, lines 13-23], The authentication service can request credentials from the user (e.g., a username and password). When the authentication service receives the credentials, the authentication service can validate the credentials and if valid, return an authentication cookie to the user's browser. The resource request can then be redirected to the web interface layer, where the authentication cookie provides access to the requested resource. In some embodiments, when a user ends their session, either through a timeout or an affirmative logout, the web interface layer can destroy session information and return the user to a logon screen);
to automatically modify, via the processor-based authentication service and without requiring further interaction between the processor-based authentication service and the first user, the access credentials responsive to satisfaction of one or more specified revocation conditions (Manza: [Col 13, lines 66-67 – Col 14, lines 1-4], (66) In some embodiments, the web logon manager can include a password change (PWC) wizard. As described above, the PWC wizard can include an automatic mode (=without human interaction) in which the PWC wizard automatically selects a new password on the user's behalf. [Col 13, lines 60-65], (65) A user can revoke delegation at any given time by selecting a “revoke” icon. The revoke icon may be shown when the credentials are shared with another user. In some embodiments, when a user delegates credentials, the user can set a delegation time period after which the credentials are automatically revoked).
the processor-based authentication service being implemented utilizing hardware devices of a network (Manza: [Col 8, lines 30-38], (38) In some embodiments, the single sign-on application can include executable scripts associated with different hardware, operating systems, browsers, or combinations thereof. The SSO application can be configured to identify a platform associated with the client device, and to configure itself to execute one or more platform specific operations. The platform can refer to one or more of a client device type (desktop, mobile device, workstation, or other hardware configuration), a browser application type, and/or an operating system. [Col 35, lines 39-44], Many other configurations having more or fewer components than the system depicted in the figure are possible. For example, customized hardware might also be used and/or particular elements might be implemented in hardware, firmware, software (including applets), or a combination) and including at least one user device interface configured to allow the processor-based authentication service to communicate with one or more user devices over the network, and at least one web server interface configured to allow the processor-based authentication service to communicate with one or more web servers over the network (Manza: [Col 1, lines 59-66], The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface (such as a REST interface) that enables the SSO services to be accessed over the web using any web-enabled device, for example through a browser, without a fully featured client deployed to the user's device. 
[Col 4, lines 21-33], (21) Embodiments of the present invention are directed to web-based single sign-on service that can enable a user to log in to a single interface (such as through a web browser or client application) and then provide single sign-on (SSO) services to the user for one or more web applications, enterprise systems, and other services. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, federated identity, policy-based controls, Privileged/Shared accounts, OAuth, and other security systems. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials).
the interacting comprising the processor-based authentication service entering the username and password for the access controlled user account into a user interface of the website (Manza: [Col 15, lines 25-30], In some embodiments, the user can automatically be redirected to the web logon manager user interface upon sending a request for a web page or web application through the browser application. The web logon manager user interface can request credentials from the user to access the user interface. [Col 15, lines 47-62], (73) At block 908, once the appropriate policy and credential have been received, the web logon manager can automatically provide the user credentials to the application. In some embodiments, when an incoming web page response is received from the application, the web logon manager can use the policy to identify fields of the web page response to inject the credential and submit the credential to the web application. In some embodiments, when the web logon manager receives a form fill policy in response to a policy request, the web logon manager can automatically populate fields in a graphical user interface associated with the application with the user credentials and submit the user credentials to the application through the graphical user interface. Upon logon, the web logon manager can verify that the logon was successful, and return the response web page to the user),
activating a change password feature of the user interface of the website (Manza: [Col 10, lines 53-54], (51) In some embodiments, an automatic password change (PWC) process can be implemented by the SSO system. [Col 10, lines 60-63], During automatic PWC, a new password can be automatically generated by the SSO server and the user's credential can be updated with the new, automatically generated password),
and entering a new password that becomes part of the modified access credentials (Manza: [Col 13, lines 66-67 – Col 14, 1-4], (66) In some embodiments, the web logon manager can include a password change (PWC) wizard. As described above, the PWC wizard can include an automatic mode in which the PWC wizard automatically selects a new password on the user's behalf), the new password not being accessible to the at least one additional user (Manza: [Col 13, lines 45-49], (64) In some embodiments, a user can share or delegate their credentials to another user. The dashboard can display a “share” icon for those applications that may be shared. Application developers and/or administrators can configure the applications for sharing. In some embodiments, sharing can be disabled (not being accessible) on a per application basis).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Yee’s method of requesting a password and sharing the password to access the online resource/service by applying Manza’s method of resetting credentials and revoking the credentials after some time period/after session timeout, in order to relieve users of having to manage many different credentials for the systems and applications they regularly use, which leads to password fatigue, wasted time entering and reentering credentials, and additional IT resources to recover and/or reset lost credentials; single sign-on (SSO) can provide a user with access to multiple systems and applications after an initial log-in (Manza: [Col 1, lines 22-28]).
Yee and Manza do not explicitly disclose:
wherein automatically modifying the access credentials comprises the processor-based authentication service interacting with at least one of the one or more web server providing the websites, in a manner directly triggered responsive to the satisfaction of the one or more specified revocation condition and without involvement of the first user to alter the access credentials on behalf of the first user;
However, in an analogous art, Pangam teaches:
wherein automatically modifying the access credentials comprises the processor-based authentication service interacting with at least one of the one or more web server providing the websites (Pangam: [0029], the automatic password updates performed for the one or more functional accounts occur periodically according to a predetermined update schedule), in a manner directly triggered responsive to the satisfaction of the one or more specified revocation condition and without involvement of the first user to alter the access credentials on behalf of the first user (Pangam: [0041], the scheduling data can specify that password updates are performed periodically. In this case, the update period can be set to a pre-determined number of days (such as, for example, 60 or 90 days). In other embodiments, the scheduling data can specify one or more dynamic update conditions (=revocation condition) that, when satisfied, will automatically (=without involvement of the user) trigger a password update (=modifying the access credentials) for the functional account. Dynamic update conditions can be assigned in conjunction with a fixed update period, and the scheduler 112 can be configured to reset the update period on the occurrence of a dynamically triggered update) such that after the altering of the access credentials the at least one additional one of the users will no longer be able to access the protected resource using the previously-provided access credentials (Pangam: [0025], The password of each functional account is updated periodically by the generation of new password data by the password management system. The new password data is stored within a repository, and replaces the existing password data for the particular functional account…the new password data is transmitted to a corresponding functional account service device such that the password change is registered at the entity immediately following the update process performed by the described system…the new password data is automatically transmitted to the user of the application, allowing the user to continue to access the entity's services, via the user's corresponding functional accounts of the entity application, seamlessly in the presence of password updates. Examiner’s Note: The cited portion (“replacing existing password data…new password automatically transmitted to the user of the application, allowing the user to access the entity’s service…”) establishes that the user cannot continue to use the existing password, because it is replaced with the new password, and must use the new password to access the entity’s service.).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza by applying the well-known technique disclosed in Pangam of automatically triggering a password update when one or more dynamic update conditions are satisfied, in order to prevent unauthorized access to the information provided by the electronic application (Pangam: [0006]).
Regarding Claim 3, Yee in view of Manza and Pangam teaches:
The apparatus of claim 1 (see rejection of claim 1 above),
wherein the at least one processing device and the website are implemented at least in part on a same processing platform (Yee: [0026], system 100 may further include an online service provider computer platform 112, such as an enterprise company platform, a merchant platform, or any other provider platform that hosts online services for users over a network with shared account details, and one or more other provider systems 114, such as databases, providers or entities associated with the service(s) being provided or the account-sharing technology disclosed).
Regarding Claim 4, Yee in view of Manza and Pangam teaches:
The apparatus of claim 1 (see rejection of claim 1 above),
accessing a designated interface of the website using the access credentials (Manza: [Col 1, lines 55], (3) In accordance with an embodiment, web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications, systems, and other services);
altering one or more portions of the access credentials via the designated interface of the website to obtain modified access credentials (Manza: [Col 19, lines 27-37], (87) In some embodiments, policy manager 1104 can manage password policies. As described above, each password policy can be associated with one or more application templates that share the password policy. Password policies can be used by provisioning manager 1112 and/or password reset manager 1114 when establishing or updating a password for an application. In some embodiments, a password policy can be used to automatically generate a password during provisioning and/or password reset… [Col 20, lines 36-39], credential manager 1110 can receive a request to update credentials. The credential manager 1110 can send a request to each corresponding sub-manager, including the updated credentials);
and storing the modified access credentials for subsequent utilization by at least one of the multiple users (Manza: [Col 19, lines 40-43], (88) As shown in FIG. 11B, a credential manager 1110 can provide centralized access for end-user credential management across one or more different credential types stored in different repositories 120. [Col 21, lines 38-39], (96) Similarly, credentials can be stored in various credential stores, each accessible through its own interface.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Yee’s method of requesting a password and sharing the password to access the online resource/service by applying Manza’s method of resetting credentials and revoking the credentials after some time period/after session timeout, in order to relieve users of having to manage many different credentials for the systems and applications they regularly use, which leads to password fatigue, wasted time entering and reentering credentials, and additional IT resources to recover and/or reset lost credentials; single sign-on (SSO) can provide a user with access to multiple systems and applications after an initial log-in (Manza: [Col 1, lines 22-28]).
wherein automatically modifying the access credentials responsive to satisfaction of one or more revocation conditions comprises (Pangam: [0041] The scheduler 112 is configured to maintain scheduling data representing the conditions for performing a password update for one or more functional accounts that are managed by the system. The scheduling data is specific to the entity application 105 and the particular functional account for which password updates are being performed. Specifically, the scheduler 112 maintains a record of the time and date of the last password update for each functional account enrolled within the password management system 100. When the password update conditions for a particular functional account are met, the scheduler 112 invokes the updater module 110 to initiate a password update for that functional account. In the described embodiments, the scheduling data can specify that password updates are performed periodically. In this case, the update period can be set to a pre-determined number of days (such as, for example, 60 or 90 days). In other embodiments, the scheduling data can specify one or more dynamic update conditions that, when satisfied, will automatically trigger a password update for the functional account. Dynamic update conditions can be assigned in conjunction with a fixed update period, and the scheduler 112 can be configured to reset the update period on the occurrence of a dynamically triggered update. Alternatively, or in addition, the scheduler 112 can be configured to allow the user 111 to initiate a password update for the functional account at an arbitrary time. The repeated invocation of the updater module 110 by the scheduler 112 ensures that periodic updates are performed to the password of each functional account managed by the password management device 104).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza by applying the well-known technique disclosed in Pangam of automatically triggering a password update when one or more dynamic update conditions are satisfied, in order to prevent unauthorized access to the information provided by the electronic application (Pangam: [0006]).
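Added illustration (not from the application or from Yee, Manza or Pangam): a Python model of the mechanism relied on above for claims 1 and 4, in which an authentication service shares an owner's username and password with an approved additional user and, acting against a website stub's change-password feature, rotates the password without the owner's involvement when a fixed update period elapses or a dynamic revocation condition is satisfied, resetting the period on a dynamic trigger as the Pangam scheduler does. The user names, the 90-day period and the "session_ended" event are constructed assumptions.

```python
"""Shared-credential service with automatic, condition-triggered rotation.

Constructed model: a website stub (login + change-password interface) and an
authentication service that distributes an owner's credentials to approved
users and rotates them when a revocation condition is met, so previously
shared credentials stop working and the new password is never released.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

DAY = 86400  # seconds


class Website:
    """Stand-in for a web server's sign-in page and change-password feature."""

    def __init__(self, username: str, password: str) -> None:
        self._accounts: Dict[str, str] = {username: password}

    def login(self, username: str, password: str) -> bool:
        stored = self._accounts.get(username)
        return stored is not None and secrets.compare_digest(stored, password)

    def change_password(self, username: str, old: str, new: str) -> bool:
        # The change-password feature requires the current password first.
        if not self.login(username, old):
            return False
        self._accounts[username] = new
        return True


@dataclass
class SharedCredential:
    username: str
    password: str
    last_update: int                 # time of the last rotation (seconds)
    update_period: int               # fixed update period (Pangam [0041])
    dynamic_conditions: List[Callable[[str], bool]] = field(default_factory=list)
    approved_users: Set[str] = field(default_factory=set)


class AuthenticationService:
    def __init__(self, site: Website) -> None:
        self.site = site
        self.creds: Dict[str, SharedCredential] = {}  # keyed by owner
        self.released: Dict[str, str] = {}            # user -> password given out
        self.audit: List[Tuple[int, str, str]] = []

    def register(self, owner: str, username: str, password: str, now: int,
                 period: int, dynamic=()) -> None:
        self.creds[owner] = SharedCredential(username, password, now, period,
                                             list(dynamic))

    def approve(self, owner: str, user: str) -> None:
        """The first user approves a share request (a distribution condition)."""
        self.creds[owner].approved_users.add(user)

    def request_access(self, owner: str, user: str, device_trusted: bool
                       ) -> Optional[Tuple[str, str]]:
        """Distribution conditions: owner approval and a trusted device."""
        c = self.creds[owner]
        if user not in c.approved_users or not device_trusted:
            return None
        self.released[user] = c.password
        return (c.username, c.password)

    def rotate(self, owner: str, now: int, reason: str) -> str:
        """Alter the credentials on the website on the owner's behalf."""
        c = self.creds[owner]
        new_pw = secrets.token_urlsafe(24)
        if not self.site.change_password(c.username, c.password, new_pw):
            raise RuntimeError("website rejected the password change")
        c.password = new_pw
        c.last_update = now            # resets the fixed period
        c.approved_users.clear()       # additional users need fresh approval
        self.audit.append((now, owner, reason))
        return new_pw

    def tick(self, owner: str, now: int, event: Optional[str] = None
             ) -> Optional[str]:
        """Scheduler check: a dynamic condition or an elapsed fixed period."""
        c = self.creds[owner]
        if event is not None and any(cond(event) for cond in c.dynamic_conditions):
            return self.rotate(owner, now, "dynamic:" + event)
        if now - c.last_update >= c.update_period:
            return self.rotate(owner, now, "period")
        return None


def run_scenario() -> dict:
    """Constructed walk-through; returns observable results for checking."""
    site = Website("kim", "initial-pw")
    svc = AuthenticationService(site)
    svc.register("kim", "kim", "initial-pw", now=0, period=90 * DAY,
                 dynamic=[lambda ev: ev == "session_ended"])
    svc.approve("kim", "yeezy")
    untrusted = svc.request_access("kim", "yeezy", device_trusted=False)
    shared = svc.request_access("kim", "yeezy", device_trusted=True)
    works_before = site.login(*shared)
    no_rotation_day30 = svc.tick("kim", now=30 * DAY)
    rotated_day31 = svc.tick("kim", now=31 * DAY, event="session_ended")
    works_after = site.login(*shared)                 # old credentials
    reshare = svc.request_access("kim", "yeezy", device_trusted=True)
    new_pw_hidden = svc.released["yeezy"] != svc.creds["kim"].password
    period_reset = svc.tick("kim", now=100 * DAY)      # 69 days since reset
    period_fired = svc.tick("kim", now=121 * DAY)      # 90 days since reset
    return {"untrusted": untrusted, "works_before": works_before,
            "no_rotation_day30": no_rotation_day30,
            "rotated_day31": rotated_day31 is not None,
            "works_after": works_after, "reshare": reshare,
            "new_pw_hidden": new_pw_hidden,
            "period_reset": period_reset, "period_fired": period_fired is not None,
            "audit_reasons": [r for _, _, r in svc.audit]}
```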
Regarding Claim 5, Yee in view of Manza and Pangam teaches:
The apparatus of claim 1 (see rejection of claim 1 above),
wherein the at least one processing device in providing the authentication service is further configured (Yee: [0023], The disclosed technology enables a user to send a password sharing request to a trusty party (e.g., another user of their shared online account), and be authenticated to access the account based on the interaction, for example, by sharing the login credentials such as passwords or other account details between users in a secure manner. Implementations of sharing account details with a trusted party herein may comprises various steps such as hosting an online service accessed by a plurality of user accounts, receiving a login request to establish an authenticated access session, transmitting a login request notification and thereby authenticating an access session, and establishing the requested access session, as are set forth below. [0024], provides securely sharing login credentials across platforms and/or devices, hosting online service accounts configured for concurrent authenticated access sessions via different devices, authenticating access sessions including transmission of login request notification and associated user interaction with such notifications, as well as establishing the requested access session based on the authentication) to permit the first user to designate different sets of one or more distribution conditions for controlling provision of the access credentials to different ones of the multiple users (Yee: [0049], user A 401 may need to be further authenticated using security measures such as secondary authentication. In various examples, secondary authentication may include a set of security questions, dynamically generated information sent to another communication modality of users (e.g., SMS, email, etc.), and the like. In this example, user A's request to log into the user account at device 403 is not authenticated due to either the lack of the login credential (user A is aware that he or she does not know the correct password and/or username), or the incorrect login credentials received at server A 403 (e.g., incorrect username and/or password entered, failed secondary authentication. [0050] In some embodiments, one such embodiment being illustrated in more detail below in connection with FIGS. 4B-4D, upon receipt of a share password request from user A 401 (e.g., via a GUI at user B's device), user B 402 verifies that the request comes from user A 401 and that it pertains to an account they share, user B 402 grants the request, and thereby shares the password or other login credential(s) with user A 401. [0079] The account detail sharing process 500 may include, at 508, a step of transmitting, to the first device, a login request notification of the login request including a graphical user interface (GUI) element and a request to authenticate the login request).
Regarding Claim 6, Yee in view of Manza and Pangam teaches:
The apparatus of claim 1 (see rejection of claim 1 above),
wherein the one or more specified distribution conditions comprise one or more of (Yee: [0049], user A 401 may need to be further authenticated using security measures such as secondary authentication. In various examples, secondary authentication may include a set of security questions, dynamically generated information sent to another communication modality of users (e.g., SMS, email, etc.), and the like. In this example, user A's request to log into the user account at device 403 is not authenticated due to either the lack of the login credential (user A is aware that he or she does not know the correct password and/or username), or the incorrect login credentials received at server A 403 (e.g., incorrect username and/or password entered, failed secondary authentication. [0050] In some embodiments, one such embodiment being illustrated in more detail below in connection with FIGS. 4B-4D, upon receipt of a share password request from user A 401 (e.g., via a GUI at user B's device), user B 402 verifies that the request comes from user A 401 and that it pertains to an account they share, user B 402 grants the request, and thereby shares the password or other login credential(s) with user A 401. [0079] The account detail sharing process 500 may include, at 508, a step of transmitting, to the first device, a login request notification of the login request including a graphical user interface (GUI) element and a request to authenticate the login request);
receiving a request for the access credentials by the at least one additional user (Yee: [0052], Upon Yeezy selecting the “Request Password” button in field 422, for example, the password assistance page 420 may be configured to navigate, at 424, to a password request page 430. [0053] In the exemplary sequence shown in FIG. 4B, the password request page 430 displays one or more GUI elements with which Yeezy may interact to send a share-a-password request);
determining that the request originates from a user device having one or more specified characteristics (Yee: 0062] In connection with the implementations of secure account detail sharing herein, various contextual information (e.g., device data, IP address, geo-location, time zone, etc.) related to the attempted login at device A is detected by server A, and the online service application may handle such data and/or perform different processing based on certain data that may be different from information associated with previous authenticated login sessions);
determining that the request originates from a network having one or more specified characteristics (Yee: [0032] Network 116 may be any type of network configured to provide communication between components of system 100. For example, network 116 may be any type of network (including infrastructure) that provides communications, exchanges information, and/or facilitates the exchange of information, such as the Internet, a Local Area Network, near field communication (NFC), optical code scanner, or other suitable connection(s) that enables the sending and receiving of information between the components of system 100. In other embodiments, one or more components of system 100 may communicate directly through a dedicated communication link(s));
determining that the request originates from a particular specified user of the multiple users (Yee: [0056], the share password page 452 is configured as a push notification that is configured, e.g. within an app, browser page, or the like on Kim's device, to generate an active GUI 450 on a device owned by Kim, or one she is currently using. The share password page 452 may be configured to display an inquiry of whether Kim wants to share the Netflix account password with Yeezy);
receiving an approval of the request from the first user (Yee: [0059], Referring to FIG. 4D, the illustrated password received page 470 may comprise a notification 472, such as the checkmark icon shown, displayed at the password received page 470 to inform Yeezy that Kim has accepted the request to share the password);
receiving an approval of the request from at least one other one of the multiple users designated by the first user as being authorized to approve the request (Yee: [0053], an exemplary password request page 430 may include a lower portion 432 which displays a search box 434 and a scrollable list 436. In the example shown, the list 436 displays a list of contacts from which the password to the user account may be requested. In some embodiments, the list 436 may be configured to display the communication modal associated with each of the contacts. Here, for example, the three contacts displayed in the list 436 indicate that the password request associated with this user account may be sent to Kim's phone, Mom's phone, and/or Dad's phone. In other examples, the list 436 may include modals such as email, SMS, or the like), the at least one other one of the multiple users being one or more of the multiple users other than the particular specified user of the multiple users (Yee: [0053], In the example shown, the list 436 displays a list of contacts from which the password to the user account may be requested. In some embodiments, the list 436 may be configured to display the communication modal associated with each of the contacts. Here, for example, the three contacts displayed in the list 436 indicate that the password request associated with this user account may be sent to Kim's phone, Mom's phone, and/or Dad's phone. In other examples, the list 436 may include modals such as email, SMS, or the like. In some embodiments, the list 436 may be configured with GUI options allowing Yeezy to scroll up to down to select a contact. In other embodiments, the password assistance page 430 may allow Yeezy to enter information into the search box 434 to perform a search in all the contacts included in the list 436);
and receiving an approval of the request from at least one further user that is not one of the multiple users (Yee: [0058], a check icon to indicate that the requested password is shared properly with Yeezy. [0053], In other embodiments, the password assistance page 430 may allow Yeezy to enter information into the search box 434 to perform a search in all the contacts);
wherein the request is received from the at least one additional user via a corresponding user interface of the authentication service (Yee: [0054] Turning to FIG. 4C, the password request pending page 440 may be configured to display a notification or field 442 indicating that the password is being requested from Kim).
Regarding Claim 7, Yee in view of Manza and Pangam teaches:
The apparatus of claim 1 (see rejection of claim 1 above),
expiration of a specified time period for which the at least one additional user is permitted to utilize the access credentials (Yee: [0071], provided to user B to facilitate secure sharing of account details with user A. For example, the notification may include a GUI input enabling user B to indicate a duration or expiration time regarding how long user A should be authenticated. In the case where user B indicates that user A needs to be re-authenticated at some point, the re-authentication session may be configured to expire after a pre-determined period of time).
Yee does not explicitly teach:
wherein the one or more specified revocation conditions comprise at least expiration of a specified time period for which the at least one additional user is permitted to utilize the access credentials
However, Pangam teaches:
wherein the one or more specified revocation conditions comprise at least expiration of a specified time period for which the at least one additional user is permitted to utilize the access credentials (Pangam: [0029], The scheduling of password updates can be either static (i.e. based on predetermined time periods) or dynamic, such that the system performs a password update in response to particular events (as described herein below). [0041], the scheduling data can specify that password updates are performed periodically. In this case, the update period can be set to a pre-determined number of days (such as, for example, 60 or 90 days). In other embodiments, the scheduling data can specify one or more dynamic update conditions that, when satisfied, will automatically trigger a password update for the functional account. Dynamic update conditions can be assigned in conjunction with a fixed update period, and the scheduler 112 can be configured to reset the update period on the occurrence of a dynamically triggered update. Alternatively, or in addition, the scheduler 112 can be configured to allow the user 111 to initiate a password update for the functional account at an arbitrary time. The repeated invocation of the updater module 110 by the scheduler 112 ensures that periodic updates are performed to the password of each functional account managed by the password management device 104.).
Regarding claim 15, this claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (non-transitory medium). For this reason the same grounds of rejection are applied to claim 15.
Regarding claim 17, this claim contains identical limitations found within that of claim 4 above albeit directed to a different statutory category (non-transitory medium). For this reason the same grounds of rejection are applied to claim 17.
Regarding claim 18, this claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (method). For this reason the same grounds of rejection are applied to claim 15.
Regarding claim 20, this claim contains identical limitations found within that of claim 4 above albeit directed to a different statutory category (method). For this reason the same grounds of rejection are applied to claim 20.
Regarding Claim 21, this claim contains identical limitations found within that of claim 5 above albeit directed to a different statutory category (method). For this reason the same grounds of rejection are applied to claim 21.
Regarding Claim 22, this claim contains identical limitations found within that of claim 13 below albeit directed to a different statutory category (method). For this reason the same grounds of rejection are applied to claim 22.
Regarding Claim 23, this claim contains identical limitations found within that of claim 14 below albeit directed to a different statutory category (method). For this reason the same grounds of rejection are applied to claim 23.
Claim(s) 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over Yee et al. (U. S. PGPub. No. 2022/0060469 A1) (hereinafter “Yee”) in view of Manza et al. (U. S. Pat. No. 10,693,865 B2) (hereinafter “Manza”) and Pangam et al. (U. S. PGPub. No. 2018/0176195 A1) (hereinafter “Pangam”); and further in view of Bhattacharya et al. (U. S. PGPub. No. 2017/0250989 A1) (hereinafter “Bhattacharya”).
Regarding Claim 8, Yee in view of Manza and Pangam teaches:
The apparatus of claim 7 (see rejection of claim 7 above),
Yee in view of Manza and Pangam does not explicitly teach:
wherein the specified time period is established at least in part by the first user via a corresponding user interface of the authentication service.
However, in an analogous art, Bhattacharya teaches:
wherein the specified time period is established at least in part by the first user via a corresponding user interface of the authentication service (Bhattacharya: [0049], the processing in module 310 can be further utilized to inform the user of amount of time left before online access would be blocked to that website. [0048] The module for applying 310 the time weighting value further includes: a sub-module for assigning 335 a time weighting value associated with various times of day; a sub-module for determining 340 which time period block contains the time of day when the request to access the website is made; a sub-module for applying 345 the time weighting value corresponding to the time period that the request to access the website is made to the safety rank of the specific website).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza and Pangam by applying the well-known technique disclosed by Bhattacharya of assigning a time weighting value and applying the time weighting value. The motivation is to allow parents to control their children's web browsing activities to prevent access to harmful or unsafe content, or exposure to inappropriate or undesired websites or web content (Bhattacharya: [0009]).
Regarding Claim 9, Yee in view of Manza and Pangam teaches:
The apparatus of claim 7 (see rejection of claim 7 above),
Yee in view of Manza and Pangam does not explicitly teach:
wherein the specified time period comprises a predetermined time period not selectable by the first user.
However, Bhattacharya teaches:
wherein the specified time period comprises a predetermined time period not selectable by the first user (Bhattacharya: [0051], some parents may choose to block online access to a social media site for their children during study hours of 4 pm to 7 pm on weekdays, which may be included in the user's profile and available to use by Sub-module 355. Sub-module 360 may use the results from sub-module 355 to modify the access rule (=setting the time limit which is the predetermined time limit) for the specific website depending upon the day of the week or the amount of time access has been granted for that day of the week).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza and Pangam by applying the well-known technique disclosed by Bhattacharya of assigning a time weighting value and applying the time weighting value. The motivation is to allow parents to control their children's web browsing activities to prevent access to harmful or unsafe content, or exposure to inappropriate or undesired websites or web content (Bhattacharya: [0009]).
Regarding Claim 10, Yee in view of Manza and Pangam teaches:
The apparatus of claim 7 (see rejection of claim 7 above),
Yee in view of Manza and Pangam does not explicitly teach:
wherein the specified time period is selectable by the first user subject to a predetermined maximum value.
However, Bhattacharya teaches:
wherein the specified time period is selectable by the first user subject to a predetermined maximum value (Bhattacharya: [0049], There may be a need to restrict access to a particular website for a limited time only, such as allow access to some gaming website for 1 hour… the processing in module 310 can be further utilized to inform the user of amount of time left before online access would be blocked to that website. [0051], some parents may choose to block online access to a social media site for their children during study hours of 4 pm to 7 pm on weekdays, which may be included in the user's profile and available to use by Sub-module 355).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza and Pangam by applying the well-known technique disclosed by Bhattacharya of assigning a time weighting value and applying the time weighting value. The motivation is to allow parents to control their children's web browsing activities to prevent access to harmful or unsafe content, or exposure to inappropriate or undesired websites or web content (Bhattacharya: [0009]).
Claim(s) 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Yee et al. (U. S. PGPub. No. 2022/0060469 A1) (hereinafter “Yee”) in view of Manza et al. (U. S. Pat. No. 10,693,865 B2) (hereinafter “Manza”) and Pangam et al. (U. S. PGPub. No. 2018/0176195 A1) (hereinafter “Pangam”); and further in view of Brannon (U. S. PGPub. No. 2017/0126660 A1) (hereinafter “Brannon”).
Regarding Claim 11, Yee in view of Manza and Pangam teaches:
The method of claim 1 (see rejection of claim 1 above),
The combination of Yee in view of Manza and Pangam does not explicitly teach:
wherein the access credentials comprise a multi-factor authentication code.
However, in an analogous art, Brannon teaches:
wherein the access credentials comprise a multi-factor authentication code (Brannon: [0035], When multi-factor authentication is enabled, the user can provide a supplementary authentication factor (=MFA code) using a laptop or tablet. At step 227, the authentication application 128 obtains the supplementary authentication factors from a user through a user interface 127 or one or more input devices (e.g., fingerprint scanners, retinal scanners). At step 228, the authentication application 128 sends the supplementary authentication factors to the MFA adapter 116 of the identity provider 106. [0037], Once the user is authenticated with the MFA adapter 116 for the purpose of authenticating client application 124a, the user need not enter security credentials again for authenticating client application 124b, unless perhaps due to inactivity or other events that could cause the identity of the user to be in question).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza and Pangam by applying the well-known technique disclosed by Brannon of enabling multi-factor authentication and providing a supplementary authentication factor (=MFA code). The motivation is that the administrators of an organization that manages devices can selectively enable multi-factor authentication for specific applications (Brannon: [0010]).
Regarding Claim 12, Yee in view of Manza and Pangam teaches:
The method of claim 1 (see rejection of claim 1 above),
The combination of Yee in view of Manza and Pangam does not explicitly teach:
wherein the access credentials comprise a session cookie.
However, in an analogous art, Brannon teaches:
wherein the access credentials comprise a session cookie (Brannon: [0072] At step 815, the service provider 109 generates a session token. At step 818, the service provider 109 sets a session cookie including the session token with the client application 124. At step 821, the service provider 109 provides service access to the client application 124 based at least in part on the client application 124 presenting the session token, by way of a uniform resource locator (URL) or session cookie. Thereafter, the process can proceed to completion).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza and Pangam by applying the well-known technique disclosed by Brannon of setting a session cookie. The motivation is that the administrators of an organization that manages devices can selectively enable multi-factor authentication for specific applications (Brannon: [0010]).
Regarding Claim 13, Yee in view of Manza and Pangam teaches:
The method of claim 1 (see rejection of claim 1 above),
wherein the at least one processing device (Yee: [0038] Processor(s) 208 may include one or more known processing devices, such as a microprocessor from the Core™, Pentium™ or Xeon™ family manufactured by IntelR™, the Turion™ family manufactured by AMD™, the “Ax” (i.e., A6 or A8 processors) or “Sx” (i.e. S1, . . . processors) family manufactured by Apple™, or any of various processors manufactured by Sun Microsystems, for example. The disclosed embodiments are not limited to any type of processor(s) otherwise configured to meet the computing demands required of different components of online service system 200) in providing the authentication service for sharing the access credentials is further configured (Yee: [0023], The disclosed technology enables a user to send a password sharing request to a trusty party (e.g., another user of their shared online account), and be authenticated to access the account based on the interaction, for example, by sharing the login credentials such as passwords or other account details between users in a secure manner. Implementations of sharing account details with a trusted party herein may comprise various steps such as hosting an online service accessed by a plurality of user accounts, receiving a login request to establish an authenticated access session, transmitting a login request notification and thereby authenticating an access session, and establishing the requested access session, as are set forth below. [0024], provides securely sharing login credentials across platforms and/or devices, hosting online service accounts configured for concurrent authenticated access sessions via different devices, authenticating access sessions including transmission of login request notification and associated user interaction with such notifications, as well as establishing the requested access session based on the authentication) to utilize the access credentials (Yee: [0059], Subsequently, the device may be configured to navigate back to a sign-in page, at 480. Here, then, the received encrypted password is decrypted and auto-populated into the password field 482. With the missing password populated, Yeezy may then select the sign-in button 484 to log into the online account. In some embodiments, the password received page 470 may be configured to disable the “show” icon which normally allows a user to view the password such that Yeezy is only able to establish an authenticated login session with Kim's shared password auto-filled at the sign-in page 480, without the password being visibly displayed to him).
The combination of Yee in view of Manza and Pangam does not explicitly teach:
to temporarily disable a multi-factor authentication requirement of the protected resource.
However, Brannon teaches:
to temporarily disable a multi-factor authentication requirement of the protected resource (Brannon: [0025], In particular, the operation of the MFA adapter 116 can be controlled by a set of MFA rules 117 that can enable or disable the MFA adapter 116 in various scenarios. [0026], the identity provider 106 can enable or disable multi-factor authentication using the MFA adapter 116).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza and Pangam by applying the well-known technique disclosed by Brannon of temporarily disabling multi-factor authentication under the MFA rules. The motivation is that the administrators of an organization that manages devices can selectively enable multi-factor authentication for specific applications (Brannon: [0010]).
Regarding Claim 14, Yee in view of Manza and Pangam teaches:
The method of claim 1 (see rejection of claim 1 above),
wherein the at least one processing device (Yee: [0038] Processor(s) 208 may include one or more known processing devices, such as a microprocessor from the Core™, Pentium™ or Xeon™ family manufactured by IntelR™, the Turion™ family manufactured by AMD™, the “Ax” (i.e., A6 or A8 processors) or “Sx” (i.e. S1, . . . processors) family manufactured by Apple™, or any of various processors manufactured by Sun Microsystems, for example. The disclosed embodiments are not limited to any type of processor(s) otherwise configured to meet the computing demands required of different components of online service system 200) in providing the authentication service for sharing the access credentials is further configured to store information characterizing (Yee: [0041], online service system 200 may also be communicatively connected to one or more database(s) (not shown). Alternatively, such database(s) may be located remotely from online service system 200. Online service system 200 may be communicatively connected to such database(s) through a network, such as network 116 described above. Such database(s) may include one or more memory devices that store information and are accessed and/or managed through online service system 200. By way of example, such database(s) may include Oracle™ databases, Sybase™ databases, or other relational databases or non-relational databases, such as Hadoop sequence files, HBase, or Cassandra. Such database(s) may include computing components (e.g., database management system, database server, etc.) configured to receive and process requests for data stored in memory devices of the database(s) and to provide data to the database(s))
The combination of Yee in view of Manza and Pangam does not explicitly teach:
a registration of the authentication service to receive multi-factor authentication codes generated in conjunction with attempts to access the protected resource.
However, Brannon teaches:
a registration of the authentication service to receive multi-factor authentication codes generated in conjunction with attempts to access the protected resource (Brannon: [0053], the authentication application 128 can prove its identity using stored registration credentials or using a token communicated to the authentication application 128 by way of a predefined communication channel, e.g., an email address, a telephone number, etc.).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Yee in view of Manza and Pangam by applying the well-known technique disclosed by Brannon of receiving MFA codes by registering credentials. The motivation is that the administrators of an organization that manages devices can selectively enable multi-factor authentication for specific applications (Brannon: [0010]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited, for a listing of analogous art.
Hurley et al. (U. S. PGPub. No. 2018/0083986 A1): Disclosed are systems and methods for providing protection against alteration of data, such as a credential, associated with a transaction. A first communication is received from a requesting system. The first communication includes a credential and corresponds to an indication that an extended-duration task is being initiated and a request to listen to a status of the credential. A device-listening data store is updated to associate the credential with an identifier associated with the requesting system. When an event is detected that indicates that the credential has been modified or cancelled, the device-listening data store is queried based on the credential. In response to the query, the identifier associated with the requesting device is received. A second communication is generated that corresponds to an alert that identifies a status of the credential as having been modified or cancelled. The second communication is transmitted to the requesting system.
Kundu et al. (U. S. PGPub. No. 2015/0244714 A1): A method of automatic security parameter renewal including determining if a security parameter satisfies a renewal condition and automatically updating the security parameter when the renewal condition is satisfied.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUPALI DHAKAD whose telephone number is (571)270-3743. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached at 571-270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/R.D./Examiner, Art Unit 2437
/ALEXANDER LAGOR/Supervisory Patent Examiner, Art Unit 2437