Prosecution Insights
Last updated: July 17, 2026
Application No. 18/515,104

SYSTEMS AND METHODS FOR SECURING LOGIN ACCESS

Non-Final OA §103
Filed
Nov 20, 2023
Priority
Jul 10, 2020 — continuation of 11/824,850
Examiner
MOHAMMADI, FAHIMEH M
Art Unit
2439
Tech Center
2400 — Computer Networks
Assignee
Capital One Services LLC
OA Round
5 (Non-Final)
76%
Grant Probability
Favorable
5-6
OA Rounds
5m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 76% — above average
76%
Career Allowance Rate
225 granted / 296 resolved
+18.0% vs TC avg
Strong +52% interview lift
Without
With
+52.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 1m
Avg Prosecution
20 currently pending
Career history
325
Total Applications
across all art units

Statute-Specific Performance

§101
0.4%
-39.6% vs TC avg
§103
98.5%
+58.5% vs TC avg
§102
0.7%
-39.3% vs TC avg
§112
0.1%
-39.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 296 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 04/13/2026 has been entered. As per instant Amendment, Claims 2, 14, and 18 are independent claims. Claims 2-21 have been examined and are pending. This Action is made Non-FINAL. Response to Arguments In attempt to promote compact prosecution, the Examiner has contacted the Applicants for possible amendments to move the case forward. However the Applicants and the Examiner could not come up with an agreement. The DP will be held in abeyance until a terminal disclaimer is filed and approved. Applicants’ arguments in the instant Amendment, filed on 04/13/2026, with respect to limitations listed below, have been fully considered but they are not persuasive. Applicant’s arguments: “Yedidi, Jakobsson and Badnes fail to disclose the compare element, the full access element, and the partial access element.” The Examiner disagrees with the Applicants. The Examiner respectfully submits that Badnes does disclose (Badenes: par. 0051 an authentication application operating on the server may compare the first password segment to a previously stored value for this password segment, in step 902; par. 0032 the user may enter a full password [] if the user 501 initially enters the full password, then the server authentication application 506 may authorize the user 501 to access all of the information in database 509 [] if the user enters a partial password [] then the server authentication application 506 may authorize the user 501 to access only a limited portion of the data; par. 0023 divide a user's password into multiple parts and allow the user to access subsets of information based on successful authentications of the individual password parts). More specifically, Badenes discloses the partial authentication may be based on a user password 600 that has been partitioned into multiple segments 600A, 600B, and 600Z [par. 0034], as the user 501 provides the initial password segment 600A, the server authentication application 506 may verify the password segment 600A against the value for the segment 600A as previously established and stored, for example, in the server 206. If the verification of the password segment 600A is successful, then the server authentication application 509 may authorize the user 501 to access information portion 609A in a database 609 [par. 0035] and the server authentication system 706 may comprise a password segment verifying component 711 for comparing a password segment that the user has entered against a previously stored value for that segment [par. 0037] [NOTE: user password simply ordered sequence of characters or components (i.e., 600A, 600B, and 600Z) grouping characters into bigger pieces or chunks doesn't make it fundamentally different, it's still just a sequence of components forming one string. The difference is only how we group the characters, not the structure of the secret itself.] Therefore, the examiner finds this argument not persuasive. Applicant's arguments: "Applicant submits that the only way a POSA would have combined the references was using impermissible hindsight bias. Therefore, the Examiner cannot do the same." The Examiner disagrees with the Applicants. In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). Therefore, the examiner finds this argument not persuasive. A substantially similar rejection to the previous non-final rejection follows below. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. Claims 2-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11824850. Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in claims 2-21 of the instant application are anticipated by all limitations recited in claims 1-20 of the patent ‘850, respectively. Refer to the comparison table below for details. Instant Application 18/515104 Patent No. 11824850 (Application No. 16/926567) Claim 2: A system, comprising: one or more processors; and a memory in communication with the one or more processors and storing instructions that, when executed by the one or more processors, are configured to cause the system to: receive, from a first browser of a first user device associated with a user, a request to access one or more resources comprising a first salted credential, wherein: the first salted credential comprises a first component, a second component, and a third component, the second component is appended to an end of the first component, the third component is appended to an end of the second component, and each of the first component, second component, and third component comprise one of: (i) a first password inputted by the user, (ii) a first user device identifier associated with the first user device and retrieved by the first user device, or (iii) a first browser identifier associated with the first browser and retrieved by the first user device; retrieve stored components corresponding to each component of the first salted credential; extract each component from the first salted credential; respectively compare each of the three components of the first salted credential to the stored components; responsive to each of the three components of the first salted credential respectively matching the stored components beyond a predetermined threshold, grant the request and allow full access to the one or more resources for the first user device; and responsive to only two components of the three components of first salted credential respectively matching the stored components beyond the predetermined threshold, perform one or more actions, the partial access a subset of the full access. Claim 1: A system, comprising: one or more processors; and a memory in communication with the one or more processors and storing instructions that, when executed by the one or more processors, are configured to cause the system to: receive, from a first browser of a first user device associated with a user, a request to access one or more resources, wherein the request comprises a first salted password, wherein the first salted password comprises a first password, a first user device identifier appended to a first end of the first password, and a first browser identifier appended to a second end of the first user device identifier; retrieve a stored first password, a stored first user device identifier, and a stored first browser identifier; extract the first password, the first user device identifier, and the first browser identifier from the first salted password; respectively compare the first password, the first user device identifier, and the first browser identifier to the stored first password, the stored first user device identifier, and the stored first browser identifier; determine whether the first password, the first user device identifier, and the first browser identifier respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond a predetermined threshold; when the first password, the first user device identifier, and the first browser identifier respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device; and when the first password, the first user device identifier, or the first browser identifier do not respectively match the stored first password, the stored first user device identifier, or the stored first browser identifier beyond the predetermined threshold, perform one or more actions. Claim 14: A user device, comprising: one or more processors; and a memory in communication with the one or more processors and storing instructions that, when executed by the one or more processors, are configured to cause the user device to: receive a first password inputted by a use; retrieve, from the user device, a user device identifier associated with the user device; retrieve, from a first browser, a first browser identifier associated with the first browser; generate a first salt by appending the user device identifier to the first browser identifier or the first browser identifier to the user device identifier; apply the first salt to the first password by appending the first salt to an end of the first password to generate a first salted credential; transmit the first salted credential to an authentication system; and gain full access to a secured resource when only the first password, the user device identifier, and the first browser identifier of the first salted credential each respectively match a stored password, a stored first browser identifier, and a stored user device identifier; and gain partial access a secure resource when only two of the first password, the user device, and the browser identifier of the first salted credential respectively match a stored password, a stored first browser identifier, and a stored user device identifier, the partial access a subset of the full access. Claim 13: A user device, comprising: one or more processors; and a memory in communication with the one or more processors and storing instructions that, when executed by the one or more processors, are configured to cause the user device to: navigate a first browser to a login page for a website; receive a first password inputted by a user of the user device via the first browser at the website; retrieve a user device identifier and a first browser identifier; generate a first salt by appending the first browser identifier to the user device identifier; apply the first salt to the first password by appending the first salt to an end of the first password to generate a first salted password without displaying an indication to the user device that the first salt was applied to the first password; transmit the first salted password to an authentication system; and gain access to the website when the first password, the first browser identifier, and the user device identifier of the first salted password matches a stored password, a stored first browser identifier, and a stored user device identifier beyond a predetermined threshold. Claim 18: A system, comprising: one or more processors; and a memory in communication with the one or more processors and storing instructions that, when executed by the one or more processors, are configured to cause the system to: receive, from a first user device associated with a user, a first salted credential, wherein the first salted credential comprises a first group of at least three first salted components, the first group of salted components comprising a first salted component, a second salted component, and a third salted component, each comprising (i) a first password inputted by the user, (ii) a first user device identifier associated with the first user device and retrieved by the first user device, or (iii) a first browser identifier associated with a first browser and retrieved by the first user device, and wherein the first salted credential comprises appending the second salted component to the first salted component and appending the third salted component to the second salted component; extract each of the first group of salted components from the first salted credential; receive, from a second user device associated with the user, a request to access a secured resource comprising a second salted credential, the second salted credential comprising a second group of salted components corresponding to the first group of first salted components of the first salted credential; extract the second group of salted components from the second salted credential; when all of the second group of salted components respectively match the first group of salted components, grant the request to fully access the secured resource for the first user device; and when only two components of the second group of salted components does not respectively match the first group of salted components, grant partial access to the secured resources for the first user device and perform one or more actions, the partial access a subset of the full access. Claim 17: A system, comprising: one or more processors; and a memory in communication with the one or more processors and storing instructions that, when executed by the one or more processors, are configured to cause the system to: receive, from a first user device associated with a user, a first salted password associated with a website, wherein the first salted password comprises a first user device identifier, a first browser identifier appended to the first user device identifier, and a first password appended to the first browser identifier; extract the first password, the first user device identifier, and the first browser identifier from the first salted password; store the first password, the first user device identifier, and the first browser identifier; receive, from a second user device associated with a user, a request to access the website comprising a second salted password, wherein the second salted password comprising a second password, a second user device identifier, and a second browser identifier; extract the second password, the second user device identifier, and the second browser identifier from the second salted password; retrieve the first password, the first user device identifier, and the first browser identifier; determine whether the second password, the second user device identifier, and the second browser identifier respectively match the first password, the first user device identifier, and the first browser identifier beyond a predetermined threshold; when the second password, the second user device identifier, and the second browser identifier respectively match the first password, the first user device identifier, and the first browser identifier beyond the predetermined threshold, grant the request to access the website for the first user device; and when the second password, the first user device identifier, or the first browser identifier do not respectively match the first password beyond the predetermined threshold, the first user device identifier, or the first browser identifier, perform one or more actions. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 2, 4 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Jakobsson (US 2012/0284783) and Badenes et al. (“Badenes,” US 2012/0222093). Regarding claim 2: Yedidi discloses a system, comprising: one or more processors (Yedidi: fig. 5 item 510); and a memory in communication with the one or more processors and storing instructions (Yedidi: fig. 5 items 512, 515) that, when executed by the one or more processors, are configured to cause the system to: receive, from a first browser of a first user device associated with a user, a request to access one or more resources comprising a first salted credential, wherein the first salted credential comprising a first component, a second component, and a third component, each of the first component, second component, and third component comprising one of: (i) a first password inputted by the user, (ii) a first user device identifier associated with the first user device and retrieved by the first user device, or (iii) a first browser identifier associated with the first browser and retrieved by the first user device (Yedidi: par. 0056 at step 402, content management system 106 can receive a login request for a user account from a user device [] the login request can include a password; par. 0057 at step 404, content management system 106 can obtain login context data from the user device; par. 0043 each record [] in login context database 300 can correspond to a [] browser identifier (e.g., name, version, etc.) [] an operating system identifier (e.g., name version, etc.) for the operating system of the client device, a device type (e.g., manufacturer, model, etc.) for the client device); retrieve stored components corresponding to each component of the first salted credential (Yedidi: par. 0058 content management system 106 can store login context data in login context database 204. For example, login context database 204 (i.e., database 300) can store a database entry (e.g., record) that includes login context data collected for each attempt to log in to a user account); and extract each component from the first salted password the first credential (Yedidi: par. 0059 at step 408, content management system 106 can generate a login metric. For example, content management system 106 can generate one or more login metrics based on the login context data stored in login context database 204). Yedidi does not explicitly disclose wherein the second component is appended to an end of the first component and the third component is appended to an end of the second component. However, Jakobsson discloses wherein the second component is appended to an end of the first component and the third component is appended to an end of the second component (Jakobsson: par. 0011 a password is analyzed to determine all words or numbers [] contained within the password. A word may be appended to the beginning or end of another word or inserted within another word; par. 0032 the proposed password is analyzed for concatenations at step 110 by first identifying all words within the password; par. 0025 concatenation is when one word is appended to the beginning or end of another word). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jakobsson with the system/method of Yedidi to include the second component is appended to an end of the first component and the third component is appended to an end of the second component. One would have been motivated to provide security to a user's sensitive information and to grant a user access to content (Jakobsson: par. 0005). Yedidi in view of Jakobsson does not explicitly disclose respectively compare each of the three components of the first salted credential to the stored components, responsive to each of the three components of the first salted credential respectively matching the stored components beyond a predetermined threshold, grant the request and allow full access to the one or more resources for the first user device and responsive to only two components of the three components of the first salted credential respectively matching the stored component beyond a predetermined threshold, grant partial access for the first user device and perform one or more actions, the partial access a subset of full access. However, Badenes discloses respectively compare each of the three components of the first salted credential to the stored components (Badenes: par. 0037 the server authentication system 706 may comprise a password segment verifying component 711 for comparing a password segment that the user has entered against a previously stored value for that segment); responsive to each of the three components of the first salted credential respectively matching the stored components beyond a predetermined threshold, grant the request and allow full access to the one or more resources for the first user device (Badenes: par. 0031 the user authentication interface 503 may include a password field 510 in which a user 501 may enter a user password or a password segment to be authenticated by a server authentication application 506; par. 0032 when the user 501 provides a user password in the password field 510, the user may enter a full password [] if the user 501 initially enters the full password, then the server authentication application 506 may authorize the user 501 to access all of the information in database 509 that the user 501 is entitled to, e.g., all of the user's own emails); and responsive to only two components of the three components of the first salted credential respectively matching the stored component beyond a predetermined threshold, grant partial access for the first user device and perform one or more actions, the partial access a subset of full access (Badenes: par. 0032 when the user 501 provides a user password in the password field 510, the user may enter [] a partial password [] if the user enters a partial password [] then the server authentication application 506 may authorize the user 501 to access only a limited portion of the data, such as the number of new or unread emails but not the email contents; par. 0023 divide a user's password into multiple parts and allow the user to access subsets of information based on successful authentications of the individual password parts). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Badenes with the system/method of Yedidi and Jakobsson to include responsive to each of the three/two components of the first salted password respectively matching the stored components beyond a predetermined threshold, grant the request and allow full/partial access to the one or more resources for the first user device. One would have been motivated for enabling a partial authentication to allow a user to access an initial portion of the information, and continue with subsequent partial authentications to access remaining information increments as desired (Badenes: par. 0022). Regarding claim 4: Yedidi in view of Jakobsson and Badenes discloses the system of claim 2. Yedidi further discloses wherein the stored components comprise a stored first password, a stored first user device identifier, and a stored first browser identifier, and the first stored password is received from the first user device during a device registration process and subsequently stored in a database associated with the system (Yedidi: par. 0017 user account database 150 can store profile information for registered users). Regarding claim 18: Yedidi discloses a system, comprising: one or more processors (Yedidi: fig. 5 item 510); and a memory in communication with the one or more processors and storing instructions (Yedidi: fig. 5) that, when executed by the one or more processors, are configured to cause the system to: receive, from a first user device associated with a user, a first salted credential, wherein the first salted credential comprising a first group of at least three first salted component, the first group of salted component comprising a first salted component, a second salted component, and a third salted component, each comprising (i) a first password inputted by the user, (ii) a first user device identifier associated with the first user device and retrieve by the first user device, or (iii) a first browser identifier associated with a first browser and retrieved by the first user device (Yedidi: par. 0056 at step 402, content management system 106 can receive a login request for a user account from a user device [] the login request can include a password; par. 0057 at step 404, content management system 106 can obtain login context data from the user device; par. 0043 each record [] in login context database 300 can correspond to a [] browser identifier (e.g., name, version, etc.) [] an operating system identifier (e.g., name version, etc.) for the operating system of the client device, a device type (e.g., manufacturer, model, etc.) for the client device); extract each of the first group of salted component from the first salted credential (Yedidi: par. 0059 at step 408, content management system 106 can generate a login metric. For example, content management system 106 can generate one or more login metrics based on the login context data stored in login context database 204); receive, from a second user device associated with a user, a request to access a secure resource comprising a second salted credential, the second salted credential Page 49 of 53Attorney Docket No.: COF0147 (029424.002531) comprising a second group of salted components corresponding to the first group of first salted component of the first salted credential (Yedidi: par. 0056 at step 402, content management system 106 can receive a login request for a user account from a user device; par. 0057 At step 404, content management system 106 can obtain login context data from the user device; fig. 3 login context database); extract the second group of salted components from the second salted credential (Yedidi: par. 0059 at step 408, content management system 106 can generate a login metric. For example, content management system 106 can generate one or more login metrics based on the login context data stored in login context database 204); Yedidi does not explicitly disclose wherein the first salted credential comprises appending the second salted component to the first salted component and appending the third salted component to the second salted component. However, Jakobsson discloses wherein the first salted credential comprises appending the second salted component to the first salted component and appending the third salted component to the second salted component (Jakobsson: par. 0011 a password is analyzed to deter mine all words or numbers [] contained within the password. A word may be appended to the beginning or end of another word or inserted within another word; par. 0032 the proposed password is analyzed for concatenations at step 110 by first identifying all words within the password; par. 0025 concatenation is when one word is appended to the beginning or end of another word). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jakobsson with the system/method of Yedidi to include the first salted password comprises appending the second salted component to the first salted component and appending the third salted component to the second salted component. One would have been motivated to provide security to a user's sensitive information and to grant a user access to content (Jakobsson: par. 0005). Yedidi in view of Jakobsson does not explicitly disclose when all of the second group of salted components respectively match the first group of salted components, grant the request to fully access the secured resource for the first user device and when only two components of the second group of salted components respectively match the first group of salted components, grant partial access to the secured resource for the first user device and perform one or more actions, the partial access a subset of the full access. However, Badenes discloses when all of the second group of salted components respectively match the first group of salted components, grant the request to fully access the secured resource for the first user device (Badenes: par. 0031 the user authentication interface 503 may include a password field 510 in which a user 501 may enter a user password or a password segment to be authenticated by a server authentication application 506; par. 0032 when the user 501 provides a user password in the password field 510, the user may enter a full password [] if the user 501 initially enters the full password, then the server authentication application 506 may authorize the user 501 to access all of the information in database 509 that the user 501 is entitled to, e.g., all of the user's own emails); and when only two components of the second group of salted components respectively match the first group of salted components, grant partial access to the secured resource for the first user device and perform one or more actions, the partial access a subset of the full access (Badenes: par. 0032 when the user 501 provides a user password in the password field 510, the user may enter [] a partial password [] if the user enters a partial password [] then the server authentication application 506 may authorize the user 501 to access only a limited portion of the data, such as the number of new or unread emails but not the email contents; par. 0023 divide a user's password into multiple parts and allow the user to access subsets of information based on successful authentications of the individual password parts). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Badenes with the system/method of Yedidi and Jakobsson to include when the second group of salted components respectively match the first group of salted components beyond a predetermined threshold, grant the request to fully access the secured resource for the first user device. One would have been motivated for enabling a partial authentication to allow a user to access an initial portion of the information, and continue with subsequent partial authentications to access remaining information increments as desired (Badenes: par. 0022). Regarding claim 19: Yedidi in view of Jakobsson and Badenes discloses the system of claim 18. Badenes further discloses wherein the first password is salted without displaying an indication that a first salt was applied to the first password (Badenes: par. 0038 the server authentication system 706 may include a password segment hashing component 712 for hashing the values of the password segments 601A ... 601Z before storing them, for example, in a server 206. A hashing function (h) may be applied to a password segment value (i) to generate a hashed value h(i) which may then be stored in the server 206 instead of the value (i) itself). The motivation is the same that of claim 18 above. Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Jakobsson (US 2012/0284783), Badenes et al. (“Badenes,” US 2012/0222093) and Goodwin et al. (“Goodwin,” US 8,234,302). Regarding claim 3: Yedidi in view of Jakobsson and Badenes discloses the system of claim 2. Yedidi in view of Jakobsson and Badenes does not explicitly disclose wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to generate and transmit the first password to the user via the first user device. However, Goodwin discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to generate and transmit the first password to the user via the first user device (Goodwin: col. 3 lines 59-61 a user may be provided or specify a username and password that is associated with the user account). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi, Jakobsson and Badenes to include the system to generate and transmit the first password to the user via the first user device. One would have been motivated for controlling access to electronic content stored on a content provider’s server (Goodwin: col. 1 lines 52-53). Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Jakobsson (US 2012/0284783), Badenes et al. (“Badenes,” US 2012/0222093), Maxilom et al. (“Maxilom,” US 2020/0007607) and Bemmel (US 2009/0006861). Regarding claim 5: Yedidi in view of Jakobsson and Badenes discloses the system of claim 4. Yedidi further discloses a second browser identifier (Yedidi: par. 0043 a browser identifier). Yedidi in view of Jakobsson and Badenes does not disclose randomly generating a first code comprising numbers, transmitting the first code to the user via email or text message, prompting the user to enter a second code via the first browser of the first user device, receiving a salted code comprising a combination of the second code, a second user device identifier, and a second browser identifier, extracting the second code, the second user device identifier. However, Maxilom discloses randomly generating a first code comprising numbers (Maxilom: par. 0023 randomly generated code by the agent 111); transmitting the first code to the user via email or text message (Maxilom: par. 0023 randomly generated code [] is delivered to the mobile device [] such as though a text message to the mobile device 130); prompting the user to enter a code via the first browser of the first user device (Maxilom: par. 0023 the user/operator of the mobile device 130 then enters the code received through the out-of-band text message into a code enter screen rendered within the support manager 131); receiving a salted code comprising a second code, a second user device identifier (Maxilom: par. 0024 the one-time-only code; par. 0024 the support manager 131 can interact with the agent 111 to identify a device identifier); extracting the second code, the second user device identifier from the salted code (Maxilom: par. 0024 when the support personnel activate the link provided by the support manager 131 a connection between the support personnel's device and the enterprise services device 110 is established and the agent sends the random remote code back to the support personnel and displays a code-input screen into which the support personnel enters the received code). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Maxilom with the system/method of Yedidi, Jakobsson and Badenes to include transmitting the first code to the user via email or text message, prompting the user to enter a code via the first browser of the first user device. One would have been motivated for establishing a secure session with the portal (Maxilom: par. 0002). Yedidi in view of Jakobsson, Badenes and Maxilom does not explicitly disclose prompting the user for a second password or block further password attempts depending on whether the second code, the second user device identifier, and the second browser identifier respectively match the first code, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold. However, Bemmel discloses prompting the user for a second password or block further password attempts depending on whether the second code, the second user device identifier, and the second browser identifier respectively match the first code, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold (Bemmel: par. 0053 the pass-phrase creation page may include a statement requesting that the user enter a pass-phrase in a corresponding pass-phrase entry field. The pass-phrase creation page may include one or more suggested pass-phrases, thereby enabling the user to select one of the suggested pass-phrases). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bemmel with the system/method of Yedidi, Jakobsson, Badenes and Maxilom to include whether the second code, the second user device identifier, and the second browser identifier respectively match the first code, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold. One would have been motivated for providing a more secure, user-friendly technique by which users may prevent phishing attacks while using the Internet (Bemmel: par. 0015). Claims 6-9, 11 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Jakobsson (US 2012/0284783), Badenes et al. (“Badenes,” US 2012/0222093) and Bemmel (US 2009/0006861). Regarding claim 6: Yedidi in view of Jakobsson and Badenes discloses the system of claim 2. Yedidi in view of Jakobsson and Badenes does not disclose when the first password does not match the stored first password beyond the predetermined threshold, but the first user device identifier and the first browser identifier respectively match the stored first user device identifier and a stored first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, transmit a password mismatch error to the first user device, or transmit a notification via text or email to the user reporting a password mismatch, or a combination thereof. However, Bemmel discloses when the first password does not match the stored first password beyond the predetermined threshold, but the first user device identifier and the first browser identifier respectively match the stored first user device identifier and a stored first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, transmit a password mismatch error to the first user device, or transmit a notification via text or email to the user reporting a password mismatch, or a combination thereof (Bemmel: par. 0035 if the pass-phrase is not valid, method 200 proceeds to step 230. At step 230, the user device transmits an alert to the web server [] method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bemmel with the system/method of Yedidi, Jakobsson and Badenes to include match the stored first user device identifier and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device. One would have been motivated for providing a more secure, user-friendly technique by which users may prevent phishing attacks while using the Internet (Bemmel: par. 0015). Regarding claim 7: Yedidi in view of Jakobsson, Badenes and Bemmel discloses the system of claim 6. Bemmel further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password does not match the stored first password beyond the predetermined threshold, the first browser identifier does not match the stored first browser identifier beyond the predetermined threshold, but the first user device identifier matches the stored first user device identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, block a future access associated with the stored first password, the stored first user device identifier, remotely uninstall a first browser associated with the first browser identifier, record future keystrokes of the first user device, transmit the password mismatch error to the first user device, transmit a first browser identifier mismatch error to the first user device, or transmit the notification via text or email to the user reporting the password mismatch and a browser mismatch, or a combination thereof (Bemmel: par. 0033 if [] the identifiers do not match, method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page). The motivation is the same that of claim 6 above. Regarding claim 8: Yedidi in view of Jakobsson, Badenes and Bemmel discloses the system of claim 7. Bemmel further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password does not match the stored first password beyond the predetermined threshold, the first user device identifier does not match the stored first user device identifier beyond the predetermined threshold, but the first browser identifier matches the stored first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, block the future access associated with the stored first password, the stored first user device identifier, transmit a password mismatch error to the first user device, transmit a first user device identifier mismatch error to the first user device, or transmit the notification via text or email to the user reporting the password mismatch and a first user device identifier mismatch, or a combination thereof (Bemmel: par. 0034 a determination is made as to whether the pass-phrase (of the pass-phrase page) is valid [] the determination as to whether the pass-phrase displayed in the pass-phrase page is valid is a determination as to whether the pass-phrase displayed in the pass-phrase page matches the pass-phrase created by the user for the requested web page; par. 0033 if either the decryption is not valid or the identifiers do not match, method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page). The motivation is the same that of claim 6 above. Regarding claim 9: Yedidi in view of Jakobsson, Badenes and Bemmel discloses the system of claim 8. Bemmel further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to:Page 45 of 53Attorney Docket No.: COF0147 (029424.002531) when the first password, the first user device identifier, and the first browser identifier do not respectively match the stored first password, the stored first user device identifier, and the stored first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, block the future access associated with the stored first password, the stored first user device identifier, transmit the password mismatch error to the first user device, transmit the first user device identifier mismatch error to the first user device, transmit the first browser identifier mismatch error to the first user device, transmit the notification via text or email to the user reporting the password mismatch, the browser mismatch, and a first user device identifier mismatch, or transmit a message to law enforcement, or a combination thereof (Bemmel: par. 0051 at step 322, the web server receives the login information from the user device; par. 0052 if the login information is not valid, method 300 proceeds to step 354, at which point the web server blocks the attempt to access the web page). The motivation is the same that of claim 6 above. Regarding claim 11: Yedidi in view of Jakobsson, Badenes and Bemmel discloses the system of claim 9. Bemmel further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first user device identifier matches the stored first user device identifier beyond the predetermined threshold, but the first browser identifier does not match the stored first browser identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, transmit the first browser identifier mismatch error to the first user device, and remotely uninstall the first browser associated with the first browser identifier (Bemmel: par. 0049 if the web server is not valid, method 300 proceeds to step 362 where method 300 ends. In other words, the user device aborts the attempt to access the web page). The motivation is the same that of claim 6 above. Regarding claim 20: Yedidi in view of Jakobsson and Badenes discloses the system of claim 18. Yedidi in view of Jakobsson and Badenes does not explicitly disclose when a second password does not match the first password beyond the predetermined threshold, but a second user device identifier and a second browser identifier respectively match the first user device identifier and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the secured resource for the first user device, transmit a password mismatch error to the first user device, or transmit a notification via text or email to the user reporting a password mismatch, or a combination thereof; when the second password does not match the first password beyond the predetermined threshold, the second browser identifier does not match the first browser identifier beyond the predetermined threshold, but the second user device identifier matches the first user device identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the secured resource for the first user device, block a future access associated with the first password and the first user device identifier, transmit the password mismatch error to the second user device, transmit a first browser identifier mismatch error to the second user device, or transmit the notification via text or email to the user reporting both the password mismatch and a browser mismatch, or a combination thereof; when the second password does not match the first password beyond the predetermined threshold, the second user device identifier does not match the first user device identifier beyond the predetermined threshold, but the second browser identifier matches the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the secured resource for the first user device, block the future access associated with the first password, the first user device identifier, transmit a password mismatch error to the first user device, transmit a first user device identifier mismatch error to the first user device, or transmit the notification via text or email to the user reporting both the password mismatch and a first user device identifier mismatch, or a combination thereof; and when the second password, the second user device identifier, and second first browser identifier do not respectively match the first password, the first user device identifier, and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the secured resource for the first user device, block the future access associated with the first password and the first user device identifier, transmit the password mismatch error to the second user device, transmit the first user device identifier mismatch error to the second user device, transmit the first browser identifier mismatch error to the second user device, transmit the notification via text or email to the user reporting the password mismatch, the browser mismatch, and a first user device identifier mismatch, or transmit a message to law enforcement, or a combination thereof. However, Bemmel discloses when a second password does not match the first password beyond the predetermined threshold, but a second user device identifier and a second browser identifier respectively match the first user device identifier and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the secured resource for the first user device, transmit a password mismatch error to the first user device, or transmit a notification via text or email to the user reporting a password mismatch, or a combination thereof (Bemmel: par. 0035 if the pass-phrase is not valid, method 200 proceeds to step 230. At step 230, the user device transmits an alert to the web server [] method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page);Page 50 of 53Attorney Docket No.: COF0147 (029424.002531) when the second password does not match the first password beyond the predetermined threshold, the second browser identifier does not match the first browser identifier beyond the predetermined threshold, but the second user device identifier matches the first user device identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the secured resource for the first user device, block a future access associated with the first password and the first user device identifier, transmit the password mismatch error to the second user device, transmit a first browser identifier mismatch error to the second user device, or transmit the notification via text or email to the user reporting both the password mismatch and a browser mismatch, or a combination thereof (Bemmel: par. 0033 if [] the identifiers do not match, method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page); when the second password does not match the first password beyond the predetermined threshold, the second user device identifier does not match the first user device identifier beyond the predetermined threshold, but the second browser identifier matches the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the secured resource for the first user device, block the future access associated with the first password, the first user device identifier, transmit a password mismatch error to the first user device, transmit a first user device identifier mismatch error to the first user device, or transmit the notification via text or email to the user reporting both the password mismatch and a first user device identifier mismatch, or a combination thereof (Bemmel: par. 0034 a determination is made as to whether the pass-phrase (of the pass-phrase page) is valid [] the determination as to whether the pass-phrase displayed in the pass-phrase page is valid is a determination as to whether the pass-phrase displayed in the pass-phrase page matches the pass-phrase created by the user for the requested web page; par. 0033 if either the decryption is not valid or the identifiers do not match, method 200 proceeds to step 250, at which point the web server blocks the attempt to access the web page); and when the second password, the second user device identifier, and second first browser identifier do not respectively match the first password, the first user device identifier, and the first browser identifier beyond the predetermined threshold, perform the one or more actions comprising deny the request to access the secured resource for the first user device, block the future access associated with the first password and the first user device identifier, transmit the password mismatch error to the second user device, transmit the first user device identifier mismatch error to the second user device, transmit the first browser identifier mismatch error to the second user device, transmit the notification via text or email to the user reporting the password mismatch, the browser mismatch, and a first user device identifier mismatch, or transmit a message to law enforcement, or a combination thereof (Bemmel: par. 0051 at step 322, the web server receives the login information from the user device; par. 0052 if the login information is not valid, method 300 proceeds to step 354, at which point the web server blocks the attempt to access the web page). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bemmel with the system/method of Yedidi, Jakobsson and Badenes to include the user device to receive deny the request to access the website for the first user device. One would have been motivated for providing a more secure, user-friendly technique by which users may prevent phishing attacks while using the Internet (Bemmel: par. 0015). Claims 10 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Jakobsson (US 2012/0284783), Badenes et al. (“Badenes,” US 2012/0222093), Bemmel (US 2009/0006861) and Goodwin et al. (“Goodwin,” US 8,234,302). Regarding claim 10: Yedidi in view of Jakobsson, Badenes and Bemmel discloses the system of claim 9. Bemmel further discloses transmit the first browser identifier mismatch error to the first user device, remotely uninstall the first browser associated with the first browser identifier after the user closes the first browser, or transmit the notification via text or email to the user reporting the browser mismatch, or a combination thereof (Bemmel: par. 0049 if the web server is not valid, method 300 proceeds to step 362 where method 300 ends. In other words, the user device aborts the attempt to access the web page). The motivation is the same that of claim 6 above. Yedidi in view of Jakobsson, Badenes and Bemmel does not explicitly disclose wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first user device identifier matches the stored first user device identifier beyond the predetermined threshold, but the first browser identifier does not match the stored first browser identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device. However, Goodwin discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first user device identifier matches the stored first user device identifier beyond the predetermined threshold, but the first browser identifier does not match the stored first browser identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device (Goodwin: col. 5 lines 18-33 if the user account ID/password matches an account ID/password stored in the user information data store, the server executes the matching of the unique device IDs to the ones, if any, stored in the user information data store and associated with that account ID. If a match is not found, the total number of different devices that have been previously used to access that particular content via that account, including the current one, is determined and compared to a predetermined limit or threshold. If the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content. However, if the total number exceeds the predetermined limit, access will be denied. If a match is found between the received unique device identifier and the device identifiers currently associated with the account, access will be granted). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi, Jakobsson, Badenes and Bemmel to include the first user device identifier matches the stored first user device identifier beyond the predetermined threshold grant the request to access the one or more resources for the first user device. One would have been motivated for controlling access to electronic content stored on a content provider’s server (Goodwin: col. 1 lines 52-53). Regarding claim 12: Yedidi in view of Jakobsson, Badenes, Bemmel and Goodwin discloses the system of claim 10. Goodwin further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first browser identifier matches the stored first browser identifier beyond the predetermined threshold, but the first user device identifier does not match the stored first user device identifier beyond the predetermined threshold, grant the request to access the one or more resources for the first user device and perform the one or more actions comprising: transmit a user device mismatch error to the first user device or transmit the notification via text or email to the user reporting a user device mismatch, or both (Goodwin: col. 4 lines 2-5 a browser identifier ("ID") is a type of unique device identifier due to the fact that it may contain HTTP information, such as a cookie, which may be used to uniquely identify a particular device; col. 5 lines 18-31 if the user account ID/password matches an account ID/password stored in the user information data store, the server executes the matching of the unique device IDs to the ones, if any, stored in the user information data store and associated with that account ID. If a match is not found [] access will be denied). The motivation is the same that of claim 10 above. Regarding claim 13: Yedidi in view of Jakobsson, Badenes and Bemmel discloses the system of claim 11. Yedidi in view of Jakobsson, Badenes and Bemmel does not explicitly disclose wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first browser identifier matches the stored first browser identifier beyond the predetermined threshold, but the first user device identifier does not match the stored first user device identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, block the future access associated with the stored first password, transmit a user device mismatch error to the first user device, transmit the notification via text or email to the user reporting a user device mismatch. However, Goodwin discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the system to: when the first password matches the stored first password beyond the predetermined threshold, the first browser identifier matches the stored first browser identifier beyond the predetermined threshold, but the first user device identifier does not match the stored first user device identifier beyond the predetermined threshold, perform the one or more actions comprising: deny the request to access the one or more resources for the first user device, block the future access associated with the stored first password, transmit a user device mismatch error to the first user device, transmit the notification via text or email to the user reporting a user device mismatch (Goodwin: col. 5 lines 18-31 if the user account ID/password matches an account ID/password stored in the user information data store, the server executes the matching of the unique device IDs to the ones, if any, stored in the user information data store and associated with that account ID. If a match is not found [] access will be denied). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi, Jakobsson, Badenes and Bemmel to include deny the request to access the one or more resources for the first user device. One would have been motivated for controlling access to electronic content stored on a content provider’s server (Goodwin: col. 1 lines 52-53). Claims 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Johnson (US 9755834) and Badenes et al. (“Badenes,” US 2012/0222093). Regarding claim 14: Yedidi discloses a user device, comprising: one or more processors (Yedidi: fig. 5 item 510); and a memory in communication with the one or more processors and storing instructions (Yedidi: fig. 5) that, when executed by the one or more processors, are configured to cause the user device to: receive a first password inputted by a user (Yedidi: par. 0039 the user can provide input to user device 220 to provide the account identifier and password for the user's user account on content management system 106); retrieve, from the user device, a user device identifier associated with the user device; and a first browser identifier (Yedidi: par. 0044 login context database 300 can include [] device configuration settings [] device performance statistics, and/or other device-specific information); retrieve, from a first browser, a first browser identifier associated with the first browser (Yedidi: par. 0044 login context database 300 can include browser configuration settings [] client application configuration settings); Yedidi does not explicitly disclose generate a first salt by appending the user device identifier to the first browser identifier to the user device identifier, apply the first salt to the first password by appending the first salt to an end of the first password to generate a first salted credential and transmit the first salted credential to an authentication system. However, Johnson discloses generate a first salt by appending the user device identifier to the first browser identifier to the user device identifier (Johnson: col. 9 lines 3-12 at operation 312, the edge server 120 generates a cookie that includes a hash of [] one or more other values [] the one or more other values may include [] a browser identifier, [] a device identifier); apply the first salt to the first password by appending the first salt to an end of the first password to generate a first salted credential (Johnson: col. 9 lines 7-9 the token value may include a hash value that may be generated by hashing the secret key); and transmit the first salted credential to an authentication system (Johnson: col. 9 lines 31-36 the client computing device 110, causes the client computing device 110 to transmit the token value (equal to the value of the "CSRF Cookie" 316) as part of the request. This token value may be submitted automatically as an HTTP request header, or as part of HTML form data by 35 adding a hidden field to all HTML forms on the resource). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Johnson with the system/method of Yedidi to include generate a first salt based on the user device identifier and the first browser identifier transmit the first salted password to an authentication system. One would have been motivated for using a hash value to verify requests to prevent unauthorized data accessing (Johnson: col. 1 lines 8-10). Yedidi in view of Johnson does not explicitly disclose gain full access to a secure resource when the first password, the user device identifier, and the first browser identifier of the first salted credential each respectively match a stored password, a stored first browser identifier, and a stored user device identifier and gain partial access to a secure resource when two of the first password, the user device, and the first browser identifier of the first salted credential respectively match a stored password, a stored first browser identifier, and a stored user device identifier, the partial access a subset of the full access. However, Badenes discloses gain full access to a secure resource when the first password, the user device identifier, and the first browser identifier of the first salted credential each respectively match a stored password, a stored first browser identifier, and a stored user device identifier (Badenes: par. 0031 the user authentication interface 503 may include a password field 510 in which a user 501 may enter a user password or a password segment to be authenticated by a server authentication application 506; par. 0032 when the user 501 provides a user password in the password field 510, the user may enter a full password [] if the user 501 initially enters the full password, then the server authentication application 506 may authorize the user 501 to access all of the information in database 509 that the user 501 is entitled to, e.g., all of the user's own emails); and gain partial access to a secure resource when two of the first password, the user device, and the first browser identifier of the first salted credential respectively match a stored password, a stored first browser identifier, and a stored user device identifier, the partial access a subset of the full access (Badenes: par. 0032 when the user 501 provides a user password in the password field 510, the user may enter [] a partial password [] if the user enters a partial password [] then the server authentication application 506 may authorize the user 501 to access only a limited portion of the data, such as the number of new or unread emails but not the email contents; par. 0023 divide a user's password into multiple parts and allow the user to access subsets of information based on successful authentications of the individual password parts). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi and Johnson to include gain full/partial access to the website when the first password, the first browser identifier, and the user device identifier of the first salted password matches a stored password, a stored first browser identifier, and a stored user device identifier. One would have been motivated for enabling a partial authentication to allow a user to access an initial portion of the information, and continue with subsequent partial authentications to access remaining information increments as desired (Badenes: par. 0022). Regarding claim 15: Yedidi in view of Johnson and Badenes discloses the user device of claim 14. Badenes further discloses the subset of the full access comprises limited access to the secured resource less than the full access (Badenes: par. 0023 divide a user's password into multiple parts and allow the user to access subsets of information based on successful authentications of the individual password parts; par. 0032 the user may enter [] a partial password [] if the user enters a partial password [] then the server authentication application 506 may authorize the user 501 to access only a limited portion of the data), The partial access is customizable based on the secured resource (Badenes: par. 0034 FIG. 6 illustrates an example of a partial authentication for access to incremental data in a database [] the partial authentication may be based on a user password 600 that has been partitioned into multiple segments 600A, 600B, ... , and 600Z. The values of (a), (b ), ... , and (z) may be established in advance by the user 501 and communicated to the server authentication application 506), and the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to receive an access denial message from the authentication system when the first password, the first browser identifier, and the user device identifier of the first salted credential do not match the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold (Badenes: par. 0049 if the user's password does not match the expected password value, then the authenticating server may deny the user access to data, per step 806; par. 0053 on the other hand, if the full password does not match, then the server authentication application may deny user access to the entire user information). The motivation is the same that of claim 14 above. Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Johnson (US 9755834), Badenes et al. (“Badenes,” US 2012/0222093), Bemmel (US 2009/0006861) and Maxilom et al. (“Maxilom,” US 2020/0007607). Regarding claim 16: Yedidi in view of Johnson, Badenes and Bemmel discloses the user device of claim 15. Yedidi in view of Johnson, Badenes and Bemmel does not explicitly disclose wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to receive a first prompt to enter a first code, via the first browser, that is randomly generated when the first password, the first browser identifier, and the user device identifier of the first salted password do not match the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold. However, Maxilom discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to receive a first prompt to enter a first code, via the first browser, that is randomly generated when the first password, the first browser identifier, and the user device identifier of the first salted credential do not match the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold (Maxilom: par. 0023 the user/operator of the mobile device 130 then enters the code received through the out-of-band text message into a code enter screen rendered within the support manager 131). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Maxilom with the system/method of Yedidi, Johnson, Badenes and Bemmel to include the user device to receive a first prompt to enter a first code, via the first browser, that is randomly generated. One would have been motivated for establishing a secure session with the portal (Maxilom: par. 0002). Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Johnson (US 9755834), Badenes et al. (“Badenes,” US 2012/0222093), Bemmel (US 2009/0006861), Maxilom et al. (“Maxilom,” US 2020/0007607) and Goodwin et al. (“Goodwin,” US 8,234,302). Regarding claim 17: Yedidi in view of Johnson, Badenes, Bemmel and Maxilom discloses the user device of claim 16. Johnson further discloses generate a second salt based on the user device identifier and the first browser identifier (Johnson: col. 9 lines 3-12 at operation 312, the edge server 120 generates a cookie that includes a hash of [] one or more other values [] the one or more other values may include [] a browser identifier, [] a device identifier); apply the second salt to the second code to generate a salted code without displaying an indication to the user device that the second salt was applied to the second code (Johnson: col. 9 lines 7-9 the token value may include a hash value that may be generated by hashing the secret key); transmit the salted code to the authentication system (Johnson: col. 9 lines 31-36 the client computing device 110, causes the client computing device 110 to transmit the token value (equal to the value of the "CSRF Cookie" 316) as part of the request. This token value may be submitted automatically as an HTTP request header, or as part of HTML form data by 35 adding a hidden field to all HTML forms on the resource); generate a third salt based on the user device identifier and the first browser identifier (Johnson: col. 9 lines 3-12 at operation 312, the edge server 120 generates a cookie that includes a hash of [] one or more other values [] the one or more other values may include [] a browser identifier, [] a device identifier); apply the third salt to the second password to generate a second salted credential without displaying an indication to the user device that the first salt was applied to the second password (Johnson: col. 9 lines 7-9 the token value may include a hash value that may be generated by hashing the secret key); and transmit the second salted credential to the authentication system (Johnson: col. 9 lines 31-36 the client computing device 110, causes the client computing device 110 to transmit the token value (equal to the value of the "CSRF Cookie" 316) as part of the request. This token value may be submitted automatically as an HTTP request header). The motivation is the same that of claim 14 above. Bemmel further discloses receive a second prompt to enter a second password when the salted code matches the first code, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold (Bemmel: par. 0053 the pass-phrase creation page may include a statement requesting that the user enter a pass-phrase in a corresponding pass-phrase entry field. The pass-phrase creation page may include one or more suggested pass-phrases, thereby enabling the user to select one of the suggested pass-phrases); and receive the second password inputted by the user of the user device via the first browser at the secured resource (Bemmel: par. 0055 At step 336, the web server receives the pass-phrase). The motivation is the same that of claim 15 above. Maxilom further discloses wherein the memory stores further instructions that, when executed by the one or more processors, are further configured to cause the user device to: receive a second code inputted by the user (Maxilom: par. 0023 the user/operator of the mobile device 130 then enters the code received through the out-of-band text message into a code enter screen rendered within the support manager 131). The motivation is the same that of claim 16 above. Yedidi in view of Johnson, Badenes, Bemmel and Maxilom does not explicitly disclose gain access to the secured resource when the second salted credential matches the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold. However, Goodwin discloses gain access to the secured resource when the second salted credential matches the stored password, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold (Goodwin: col. 5 lines 26-29 if the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi, Jakobsson, Badenes, Bemmel and Maxilom to include gain access to the secured resource when the second salted password matches the stored credential, the stored first browser identifier, and the stored user device identifier beyond the predetermined threshold. One would have been motivated for controlling access to electronic content stored on a content provider’s server (Goodwin: col. 1 lines 52-53). Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Yedidi et al. (“Yedidi,” US 2017/0346821) in view of Jakobsson (US 2012/0284783), Badenes et al. (“Badenes,” US 2012/0222093), Bemmel (US 2009/0006861), Goodwin et al. (“Goodwin,” US 8,234,302) and Johnson (US 9755834). Regarding claim 21: Yedidi in view of Jakobsson, Badenes and Bemmel discloses the system of claim 20. Bemmel further discloses Page 51 of 53Attorney Docket No.: COF0147 (029424.002531)when the second password matches the first password and the second user device identifier matches the first user device identifier beyond the predetermined threshold, but the second browser identifier does not match the first browser identifier beyond the predetermined threshold, grant the request to access the secured resource for the first user device and perform the one or more actions comprising transmit the first browser identifier mismatch error to the second user device, or transmit the notification via text or email to the user reporting the browser mismatch, or a combination thereof (Bemmel: par. 0049 if the web server is not valid, method 300 proceeds to step 362 where method 300 ends. In other words, the user device aborts the attempt to access the web page). The motivation is the same that of claim 20 above. Yedidi in view of Jakobsson, Badenes and Bemmel does not explicitly disclose when the second password matches the first password and the second browser identifier matches the first browser identifier beyond the predetermined threshold, but the second user device identifier does not match the first user device identifier beyond the predetermined threshold, grant the request to access the secured resource for the second user device. However, Goodwin discloses when the second password matches the first password and the second browser identifier matches the first browser identifier beyond the predetermined threshold, but the second user device identifier does not match the first user device identifier beyond the predetermined threshold, grant the request to access the secured resource for the second user device (Goodwin: col. 5 lines 18-33 if the user account ID/password matches an account ID/password stored in the user information data store, the server executes the matching of the unique device IDs to the ones, if any, stored in the user information data store and associated with that account ID. If a match is not found, the total number of different devices that have been previously used to access that particular content via that account, including the current one, is determined and compared to a predetermined limit or threshold. If the total number of identified devices associated with the account ID plus the current device, which requested access, does not exceed the predetermined limit, the service provider grants access to the content. However, if the total number exceeds the predetermined limit, access will be denied. If a match is found between the received unique device identifier and the device identifiers currently associated with the account, access will be granted). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Goodwin with the system/method of Yedidi, Jakobsson, Badenes and Bemmel to include grant the request to access the secured resource for the second user device. One would have been motivated for controlling access to electronic content stored on a content provider’s server (Goodwin: col. 1 lines 52-53). Yedidi in view of Jakobsson, Badenes, Bemmel and Goodwin does not explicitly disclose perform the one or more actions comprising transmit a user device mismatch error to the second user device, or transmit the notification via text or email to the user reporting a user device mismatch, or a combination thereof. However, Johnson discloses perform the one or more actions comprising transmit a user device mismatch error to the second user device, or transmit the notification via text or email to the user reporting a user device mismatch, or a combination thereof (Johnson: col. 8 lines 18-23 at operation 245, the edge server 120 compares the first token value and the third token value to determine whether the first token value and the second token value both match the third token value. When the first token value and the second token value do not match the third token value, the flow continues to operation 255; lines 25-29 at operation 255, when the first token value and/or the second token value do not match the third token value [] the edge server 120 may return an error indication and does not process the request received from the client computing device 110). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Johnson with the system/method of Yedidi, Jackobson, Badenes, Bemmel and Goodwin to include transmit a user device mismatch error to the second user device. One would have been motivated for using a hash value to verify requests to prevent unauthorized data accessing (Johnson: col. 1 lines 8-10). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439 /LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439
Read full office action

Prosecution Timeline

Show 17 earlier events
Jan 28, 2026
Interview Requested
Feb 05, 2026
Applicant Interview (Telephonic)
Feb 05, 2026
Examiner Interview Summary
Feb 09, 2026
Response after Non-Final Action
Apr 13, 2026
Request for Continued Examination
Apr 23, 2026
Response after Non-Final Action
May 21, 2026
Examiner Interview (Telephonic)
Jun 11, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665896
ELECTRICITY METER AND SYSTEM HARDENED AGAINST ATTACK VECTORS
2y 8m to grant Granted Jun 23, 2026
Patent 12604186
Methods and Systems for Network Authentication Using a Unique Authentication Identifier
2y 12m to grant Granted Apr 14, 2026
Patent 12598078
NETWORK ACCESS USING HARDWARE-BASED SECURITY
3y 1m to grant Granted Apr 07, 2026
Patent 12598174
FLEET MANAGEMENT SYSTEM AND METHOD
1y 9m to grant Granted Apr 07, 2026
Patent 12568073
SECURE EXCHANGE OF CERTIFICATE AUTHORITY CERTIFICATE INLINE AS PART OF FILE TRANSFER PROTOCOL
3y 7m to grant Granted Mar 03, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
76%
Grant Probability
99%
With Interview (+52.2%)
3y 1m (~5m remaining)
Median Time to Grant
High
PTA Risk
Based on 296 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month