USB DEVICE

Notice of Pre-AIA or AIA Status The present application is being examined under the pre-AIA first to invent provisions. DETAILED ACTION This office action is in response to the claim listing filed on September 15th, 2025. Claims 1-20 are currently pending. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Finn (USPGPUB No. 2006/0219776 A1, hereinafter referred to as Finn) in view of Gonzalez et al. (WIPO PCT Pub No. WO2007/008540 A2, hereinafter referred to as Gonzalez) and further in view of Trethewey (USPGPUB No. 2008/0092043 A1). Referring to claim 1, Finn discloses a portable universal serial bus (USB) device {“USB stick for connecting to a PC, or a USB plug for receiving a USB stick”, see Fig. 1a, [0290], 2nd sentence, the device including a package {“RFID reader apparatus 100”, see Fig. 1a [0291]}, wherein the device is configured such that {“The RFID reader apparatus can be plugged into (or connected wirelessly with)”, see Fig. 1a [0289], 2nd sentence}, following connection to a computer terminal {“a [computer terminal] personal computer (PC)”, see Fig. 1a [0289]}, the device presents itself to the computer terminal as a human interface device (HID) {“Other switches, and human interfaces (audio jacks, display, etc.) may be incorporated into the apparatus 100. The membrane sensor 110 is considered to be a ‘human interface’”, see Fig. 1a [0297]}; Finn does not appear to explicitly disclose wherein the portable USB device includes a USB module that includes a USB microcontroller, the USB module being attached to or embedded in the package, wherein the portable USB device is applicable to secure on-line access, wherein the portable USB device 1s operable to generate a one-time-only passcode and to use the one-time-only passcode so that the portable USB device can be authenticated by a secure server via the computer terminal. However, Gonzalez discloses wherein the portable USB device, the USB module being attached to or embedded in the package {portable USB device “and MSD 100 is a thumb drive… the storage device or subsystem may be embedded in the host computer”, see Fig. 1, [0052]}, wherein the portable USB device is applicable to secure on-line access {“online financial activity. Banks, brokerages, and other financial institutions” (see Fig. 1 [0044], 1st sentence) that would necessitate secure access “make the [USB] device function as a type of ‘key’ that allows access to other secure systems” ([0040], 2nd sentence)}, wherein the portable USB device is operable to generate a one-time-only passcode {“as a USB flash storage device with OTP functionality” (see Fig. 1 [0043])} and to use the one-time-only passcode so that the portable USB device can be authenticated by a secure server {secure “automatically link to the appropriate [secure server hosting] institution web page”, see Fig. 1 [0043]} via the computer terminal {“When a user wishes to access a particular institution, say his online bank for example, he plugs MSD 100 into a USB port, a client that resides on MSD is launched by [via the computer terminal] the PC”, see Fig. 1 [0052]}. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Finn and Gonzalez before him or her, to modify Finn’s “RFID reader apparatus 100” (see Fig. 1a) incorporating Gonzalez’ portable USB device “MSD 100” (see Fig. 1). The suggestion/motivation for doing so would have been to provide a convenient multi-purpose device that integrates one time password generation as part of a robust security and password management system (Gonzalez [0008] addressing lacking features in past approaches (Gonzalez [0006])). Therefore, it would have been obvious to combine Gonzalez with Finn to obtain the invention as specified in the instant claim(s). Neither Finn or Gonzalez appear to explicitly disclose wherein the portable USB device includes a USB module that includes a USB microcontroller; Furthermore, Trethewey discloses wherein the portable USB device includes a USB module that includes a USB microcontroller {“RFID reader chip and companion MSP430 microcontroller.” (see Fig. 1 [0068]) the RFID including USB module interface ‘Apr. 2000; USB Device Class Definition for Human Interface Devices (HID)’ ([0073]} including a , “[HID] USB keyboard driver” ([0090]).} Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Finn/Gonzalez and Kaplan before him or her, to modify Finn/Gonzalez’ device incorporating Trethewey’s “USB keyboard driver” (see Fig. 7 [0090]). The suggestion/motivation for doing so would have been to implementing A consistent naming and implementation scheme allows the system designs to be developed more rapidly involving an approach allows the driver to be reused from design to design, with only a configuration file change which in turn BIOS and firmware development can be done faster because the interfaces are known in advance and don't need to be specified from scratch (Trethewey [0114]). Therefore, it would have been obvious to combine Trethewey with Finn/Gonzalez to obtain the invention as specified in the instant claim(s). As per claim 2, the rejection of claim 1 is incorporated and Gonzalez discloses wherein the device includes a one-time-only passcode generator {“one time password generator”, see Fig. 3c [0024]}. As per claim 3, the rejection of claim 2 is incorporated and Gonzalez discloses wherein the one-time-only passcode generator includes a computer program embodied on a non-transitory storage medium of the portable USB device {computer program embodied on “encryption engine within [portable USB device subcomponent] controller 306”, see Figs. 3a and 3c [0054]}, wherein the computer program is executable on the portable USB device to generate one-time-only passcodes {“authority 126 may provide the seeds necessary for [one-time-only] OTP generation within MSD 100”, see Fig. 2 [0053], 5th sentence}. As per claim 4, the rejection of claim 1 is incorporated and Trethewey discloses wherein the HID device is a HID keyboard device {“e HID class driver centralizes all HID class activity on the computer, regardless of the originating driver (e.g., ACPI-to-HID mapper driver, USB keyboard driver,”, see Figs. 7 and 14, [0090], 2nd sentence}. As per claim 5, the rejection of claim 4 is incorporated and Trethewey discloses wherein the portable USB device sends to the computer terminal a sequence of data {“This driver may then translate the [sequence of data] button press[es] into an HID code for further processing” (see Fig. 7, [0072], 4th sentence per the USB keyboard driver (see Figs. 7 and 14, [0090], 2nd sentence)}, the data complying with the HID keyboard standard protocol {“HID class driver centralizes all HID class activity on the computer, regardless of the originating driver (e.g., ACPI-to-HID mapper driver, USB keyboard driver,”, see Figs. 7 and 14, [0090], 2nd sentence}. As per claim 6, the rejection of claim 4 is incorporated and Trethewey discloses wherein a sequence of data is transmitted to the secure server {“This driver may then translate the [sequence of data] button press[es] into an HID code for further processing” (see Fig. 7, [0072], 4th sentence per the USB keyboard driver (see Figs. 7 and 14, [0090], 2nd sentence)}, wherein the data are keycodes, the keycodes complying with the human interface device (HID) keyboard standard protocol {“HID class driver centralizes all HID class activity on the computer, regardless of the originating driver (e.g., ACPI-to-HID mapper driver, USB keyboard driver,”, see Figs. 7 and 14, [0090], 2nd sentence}. As per claim 7, the rejection of claim 1 is incorporated and Gonzalez discloses wherein the device includes a button, wherein the device is configured to initiate a pre-programmed sequence {“ser preferably has no involvement in [pre-programmed sequence] performing the OTP authentication after some initial enrollment and/or activation”, [0013], 1st sentence}, in response to receiving a press of the button {“performs the log on and authentication operation all with a single click of a button”, [0013] last two sentences}. As per claim 8, the rejection of claim 1 is incorporated and Gonzalez discloses wherein the one-time-only passcode 1s generated using a seed and hash algorithm {“the device supports a number of independent OTP seeds, or even if it supports a number of independent institutions using the same OTP seeds, then the user identity, credentials, and URL are ideally selected from a list stored on the device according to the particular institution to which the person is authenticating.”, see Fig. 1, [0013] last three sentences}. As per claim 9, the rejection of claim 1 is incorporated and Gonzalez discloses wherein a hash algorithm is a part of a program embodied on a non-transitory storage medium of the portable USB device {“form of [hash] public key certificates by CA 550”, see Fig. 5C [0075], 2ND sentence}; the USB module includes a key {“utilizes the public key infrastructure”, see Fig. 5c [0074]}, stored in a non-transitory storage medium of the USB device {computer program embodied on “encryption engine within [portable USB device subcomponent] controller 306”, see Figs. 3a and 3c [0054]}; wherein the USB module 1s configured to use the hash algorithm {“framework for PKI is defined in the ITU-T X.509 Recommendation [X.509]”, see Fig. 5c [0075] 3rd sentence}, the key, and the previous passcode to generate the next passcode {“the seed is used by a complex algorithm to generate a new (OTP) value for each login that is validated”, see Fig. 11a, 12A, 12B [0078], 4TH sentence}; wherein the USB module is configured to store the passcode in a non-transitory storage medium {“the client itself performs the OTP functionality and stores and retrieves information such as the count to and from the device”, [0010] last two sentences} of the portable USB device ready for use next time {“This is a password that is later correlated by the system with all the user's other passwords and account info.”, see Figs. HA and HB [0079]}. As per claim 10, the rejection of claim 1 is incorporated and Gonzalez discloses wherein the key is unique for each portable USB device {“For example, OTP generator 330 can use a unique value [key] generating algorithm for each institution”, see Fig. 3c [0060] last three sentences}. As per claim 11, the rejection of claim 1 is incorporated and Gonzalez discloses in which the one-time passcode is generated using a hash algorithm and seed {“form of [hash] public key certificates by CA 550”, see Fig. 5C [0075], 2ND sentence} so as to be unique for each connection of the device {“Connections between the [USB device] mass storage device and the secure entities are also secure”, [0049], last two sentences} and thus one-time-only (OTO) {“the device supports a number of independent OTP seeds, or even if it supports a number of independent institutions using the same OTP seeds, then the user identity, credentials, and URL are ideally selected from a list stored on the device according to the particular institution to which the person is authenticating.”, see Fig. 1, [0013] last three sentences}. As per claim 12, the rejection of claim 1 is incorporated and Gonzalez discloses in which the device is configured such that communications between the device and the secure server are encrypted {“secure manner, and protected appropriately by some means such as encryption”, [0010] last sentence}. As per claim 13, the rejection of claim 1 is incorporated and Finn discloses in which the package is small enough to be held in a hand {“Contactless smart card fob 116 and an external (see FIG. 3) RFID reader, terminal, handheld”, see Figs. 2a and 3 [0350]} and in which the device is readily inserted into a female USB socket on the computer terminal {female socket typical of PC terminals “A single USB port can be used to connect up to 127 peripheral devices, such as mice, modems, and keyboards. USB also supports plug-and-play installation and ‘hot plugging’”, see Fig. 1 [0039]}. As per claim 14, the rejection of claim 1 is incorporated and Trethewey discloses in which the portable USB device is configured to open a Uniform Resource Locator (URL) {“valid URLs pertaining to a given institution”, see Fig. 1 [0018], 3rd sentence}, or a Uniform Resource Identifier (URI), of a secure web site on the computer terminal {Examiner’s note: by recitation “or” term treats this dependent claim as a Markush claim, thus the reference needs only disclose one element in the group to address the claim}. As per claim 15, the rejection of claim 14 is incorporated and Gonzalez discloses wherein the URL or the URI is one-time only {“the URL embedded in the list of participating institutions may be used to limit the URLs to which a user may enroll with the system”, see Fig. 1 [0018], 4th sentence}. As per claim 16, the rejection of claim 14 is incorporated and Gonzalez discloses wherein the URL or the URI has appended to it an ID, which is passed as a parameter to the secure server {“obtaining an [parameter] OTP value from the mass storage device, and providing the [other types of parameters] user identity, credentials, and OTP value to the server to which the user is authenticating”, see Fig. 1 [0013]}; or (11) wherein the URL or the URI has appended to it a password, which is passed as a parameter to the secure server {; or (1i1) wherein the device includes a one-time-only passcode generator, wherein the URL or the URI has appended to it an ID, and a one-time-only passcode generated by the one-time-only passcode generator {“traditional password manager and an OTP authentication system seamlessly”, [0013] last two sentences}, which are passed as parameters to the secure server {Examiner’s note: by recitation “or” term treats this dependent claim as a Markush claim, thus the reference needs only disclose one element in the group to address the claim}. As per claim 17, the rejection of claim 1 is incorporated and Gonzalez discloses in which the device includes a button {“may be launched either manually by the user” (see Fig. 1 [0013]) via mouse button “performs the log on and authentication operation all with a single click of a [mouse] button” ([0014], last two sentences)}, wherein the device is configured to auto-launch a URL {“[auto launches] the institution Uniform Resource Locator ("URL") or other form of web address are also ideally already stored on the removable storage authentication mass storage device, and are retrieved for the authentication. If the device supports a number of independent OTP seeds, or even if it supports a number of independent institutions using the same OTP seeds, then the user identity, credentials, and URL are ideally selected from a list stored on the device according to the particular institution to which the person is authenticating”, see Fig. 1, [0014]} or a URI relating to the secure server {“[securing] validation of the website may be performed”, see Fig. 1 [0018]}, in response to receiving a press of the button {subsequent to the button press “with a one-click operation using a human interface device such as a mouse [button] or a keyboard”, see Fig. 1 [0013]}. As per claim 18, the rejection of claim 1 is incorporated and Gonzalez discloses to which a unique device ID and a password or the one-time passcode is appended to a URL {“obtaining an [parameter] OTP value from the mass storage device, and providing the [other types of parameters] user identity, credentials, and OTP value to the server to which the user is authenticating [/appending]” (see Fig. 1 [0013]}) along with the URL “The user identity and credentials, and the institution Uniform Resource Locator ("URL") or other form of web address are also ideally already stored on the removable storage authentication mass storage device, and are retrieved for the authentication” ([0014])} or a URI and passed as parameters to the secure server {“traditional password manager and an OTP authentication system seamlessly”, [0013] last two sentences}, so that the device can be identified and authenticated {“ stored on the device according to the particular institution to which the person is authenticating”, see Fig. 1 [0014]}. Referring to claim 19 is a system claim reciting claim functionality corresponding to the device claim of claim 1, thereby rejected under the same rationale as claim 1 recited above {Examiner’s note: the term “AV” system is recited only once in this claim tree, in the preamble, thus the term “AV” is not given any patentable weight since it lacks antecedent basis in the body of the claim}. Referring to claim 20 is a method claim reciting claim functionality corresponding to the device claim of claim 1, thereby rejected under the same rationale as claim 1 recited above. Response to Arguments Applicant’s arguments filed on 09/15/2025 have been considered but deemed moot in view of the following explanation: Applicant alleges that the combination of Finn, Gonzalez, and Tretheway references does not appear to teach all the limitations recited in claim 1, on the basis of legal precedent from KSR applied to the Gonzalez reference as the [0052] may be embedded in the host computer when the storage device is already embedded in the host computer (Remarks pages 5 and 6). Per the Examiner’s rebuttal, the Examiner will further expand upon the claim interpretation to claim 1 further drawn parallels to the Finn, Gonzalez, Tretheway references, in particular Gonzalez. Claim 1 recites “the device including a package”, for equivalency sake as a “comprising” preamble, thus treating the claim open-ended, meaning that undisclosed elements can be part of the claimed embodiment, provided such elements facilitate the recited functionality/steps/structure. Also worth noting that the “USB module being attached to or embedded in the package”, “the package” is not further defined positively/negatively restricted in any way until dependent claim 13 “in which the package is small enough to be held in a hand”, still lacks any type of material for the package. By the rationale presented above Remarks pages 5 and 6, it appears that claim 1 runs into a similar problem. If such a device is embedded in a bigger system, that implies some level of connection if there’s more than one layer, whether an embedded DMA controller/ISA industry standard architecture bus also have ports to USB and UART interface? Basically an computerized/specialized system becomes incorporated/embedded into another article of manufacture, which in claim 1 does not further elaborate on such combination of the type of material. Best recitation from the specification (USPGPUB [0039]) of the package is already in dependent claim 13. Turning to Gonzalez, Applicant/Attorney already acknowledge embedded functionality [0052] (Remarks page 5) without considering claim 7 citations in entirety, [0013] 4th sentence: “application may be launched either manually by the user or the system may be set up to automatically launch the application upon insertion of the device into a host computer” (emphasis added by Examiner). Applicant alleges that the combination of Finn by Gonzalez rendered non-obvious as Finn’s principle of operation is changed according to MPEP 2143.01 VI. Furthermore, applicant argued Tretheway does not remedy the deficiencies of the Finn/Gonzalez combination (Remarks page 7, entirety). In particular, allegedly Tretheway does not disclose a USB microcontroller (Remarks pages 8 and 9). Per the rebuttals above alleviate such alleged deficiencies regarding Finn/Gonzalez combination upon describing the insertion by Gonzalez. In addition to the citations above, Tretheway [0080], 2nd sentence: “USB functionality may be implemented with a device such as the Philips ISP 1520 USB controller chip in an LQFP64 [microcontroller] package”. Also, per the rationale in last two lines of Remarks page 2 through page 4, 1st 4 lines, the current ground of double patent rejection(s) has been withdrawn. For these reasons the current ground of prior art rejection(s) is respectfully maintained. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Contact Information Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A. BARTELS whose telephone number is (571)270-3182. The examiner can normally be reached on Monday-Friday 9:00a-5:30pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dr. Henry Tsai can be reached on 571-272-4176. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /C. B./ Examiner, Art Unit 2184 /HENRY TSAI/Supervisory Patent Examiner, Art Unit 2184