Here is why you suddenly cannot log in at the USPTO since Saturday.
Two people at the USPTO screwed up. One of the people who screwed up did it yesterday, Saturday, March 6, 2021. The other person who screwed up did it a couple of years ago, and that screwup only came into prominent view yesterday. The screwups relate to what USPTO calls “authenticator app” two-factor authentication. The screwups affect most trademark practitioners who practice before the USPTO, and they affect most patent practitioners who practice before the USPTO, and they affect most paralegals and administrative assistants who work with those patent practitioners. Briefly, you need to delete your old “authenticator app” setup and you need to create a new “authenticator app” setup. Here are the details.
USPTO requires nearly all of its users to use two-factor authentication (“2FA”). USPTO offers three options for 2FA:
- SMS (text message) sending of a second factor to the user
- email sending of a second factor to the user, and
- what USPTO calls “authenticator app” 2FA.
Most high-volume filers at the USPTO use the third option, “authenticator app” two-factor authentication. It is much faster and more efficient than the SMS approach or the email approach. (For SMS to work, you have to be in range of a cell tower, meaning it is no good if you are in the basement of a building, no good if you are in an airplane, and no good if your cell phone’s battery ran down. For the email approach to work, you have to wait and wait until the email message eventually works its way through USPTO’s outbound email server and then works its way through your inbound email server.)
The “authenticator app” approach uses what is called a Time-based One-Time Password, TOTP, standardized in RFC 6238 (Wikipedia article). For this to work, the user (client) and the server set up a “shared secret” which in this context is a Secret Code Number. This Secret Code Number gets stored in a database at the USPTO and gets stored at the user’s end as well, usually by scanning a QR code into the authenticator app. For each USPTO customer who might log in to a USPTO system, the database has a place where the USPTO stores the Secret Code Number for that USPTO customer. Anyone who holds that Secret Code Number can compute the same codes the user can, so it has to be protected on both ends just like a password.
When the time comes for a user to log in at the USPTO, the user’s authenticator app calculates a one-time password by using a cleverly designed math function (a keyed hash, HMAC-SHA1 in the standard version). The function receives two inputs:
- the user’s Secret Code Number and
- what time it is right now.
These two things get fed into the cleverly designed math function and what pops out is a six-digit numerical one-time password.
At that same time, the USPTO server pays attention to who exactly is trying to log in, and the USPTO server looks up in its database to see what the Secret Code Number is for that particular user that is trying to log in. The USPTO system uses the same cleverly designed math function, and it feeds two inputs into that function:
- the user’s Secret Code Number (which the server just now retrieved from its database of Secret Code Numbers) and
- what time it is right now.
And what pops out is the exact same six-digit numerical one-time password, provided the two clocks agree. (“What time it is right now” is rounded down to a 30-second step, and servers normally tolerate a little clock drift by also accepting the code for the step just before and just after the current one.)
The user enters the six-digit number that popped out from the user’s authenticator app into the USPTO system. The USPTO system then looks to see whether that six-digit number from the user matches the six-digit number that the USPTO system obtained from its own math function. Of course generally speaking the two numbers will match, at which point the USPTO system thenceforth considers that user to be logged in fully with 2FA.
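To make the mechanism above concrete, here is an added example written for this post (it is not USPTO code and does not reflect how USPTO’s servers are actually built). It computes the six-digit code the same way both sides do, keeps a server-side table of Secret Code Numbers, and checks a submitted code against the current 30-second step and its neighbours. The shared secret is the published RFC 6238 test secret; the user name, the clock values, and the `TotpServer` class are made up for illustration. It also shows the two ways a login can fail with the same “incorrect or expired” message: a server whose clock is hours off, and a server that no longer has the user’s secret at all.

```python
"""Added example: RFC 6238 TOTP, the mechanism behind "authenticator app" 2FA.

Both sides compute HMAC-SHA1(secret, floor(now / 30)) and keep six decimal
digits of the result.  This is illustrative code written for this post, not
USPTO's code; the user name and clock values below are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct

STEP = 30     # RFC 6238 default time step, in seconds
DIGITS = 6    # the "six-digit number" the user types in


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the one-time password for a base32 shared secret at a given time."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                        # restore base32 padding if stripped
    key = base64.b32decode(s, casefold=True)
    counter = unix_time // step                     # "what time it is right now", quantized
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpServer:
    """Server side (hypothetical): a table of shared secrets plus the check."""

    def __init__(self) -> None:
        self.secrets: dict[str, str] = {}      # user -> Secret Code Number

    def enroll(self, user: str, secret_b32: str) -> None:
        self.secrets[user] = secret_b32

    def wipe(self) -> None:
        """Lose the whole table, the failure this post concludes happened."""
        self.secrets.clear()

    def verify(self, user: str, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
        """Accept the code if it matches the current step or one step either side.

        A missing secret and a wrong clock both end up here as a plain False,
        which is why the user sees one generic "incorrect or expired" message.
        """
        secret = self.secrets.get(user)
        if secret is None:
            return False
        for delta in range(-skew_steps, skew_steps + 1):
            expected = totp(secret, server_time + delta * STEP)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                return True
        return False


# RFC 6238 test secret: ASCII "12345678901234567890", base32-encoded (constructed input).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def walkthrough() -> dict[str, bool]:
    """Enrol one user, then try the login under the scenarios the post describes."""
    user = "practitioner@example.com"          # hypothetical user
    server = TotpServer()
    server.enroll(user, RFC_SECRET)
    now = 1_615_000_000                        # a Saturday in March 2021 (constructed)
    code = totp(RFC_SECRET, now)               # what the user's app displays

    results = {
        # both clocks agree: the server computes the same six digits
        "normal login": server.verify(user, code, now),
        # server 25 s behind the phone: still inside the +/-1 step window
        "small clock drift": server.verify(user, code, now - 25),
        # server three hours off (the time-zone theory): codes no longer line up
        "server clock off by 3h": server.verify(user, code, now + 3 * 3600),
    }
    server.wipe()                              # the Secret Code Number table is gone
    results["after secret database lost"] = server.verify(user, code, now)
    return results


if __name__ == "__main__":
    for scenario, ok in walkthrough().items():
        print(f"{scenario:28s} -> {'accepted' if ok else 'incorrect or expired'}")
```

Two things worth noticing in the output: a code that is a few seconds “stale” is still accepted because of the one-step window, and from the user’s side the “clock is wrong” failure and the “secret is gone” failure are indistinguishable, which is exactly why the error message on Saturday told users nothing useful.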
Yesterday morning, USPTO did scheduled maintenance on its servers. When the scheduled maintenance finished, what USPTO’s users found is that they were no longer able to log in on any USPTO system. The “authenticator app” approach for 2FA had stopped working. Users were told, falsely, that “the verification code you entered is incorrect or expired.”
When this happened yesterday, USPTO users started comparing notes in the PAIR listserv and in the EFS-Web listserv. For some users there was a fallback: they could make use of one of the inferior types of 2FA, SMS or email. Or the user could simply forgo any login and file the paper by faxing it to the Central Fax Number at the USPTO.
The only thing that I was able to think of that might explain why all of a sudden nobody was able to log in at the USPTO using “authenticator app” 2FA was that maybe the USPTO server had gotten mixed up about what time zone it was in, something like that. This would bollix up one of the two inputs to the TOTP math function, making it so that the six-digit one-time password generated at the USPTO would be wrong and would thus fail to match the user’s own (correct) six-digit one-time password.
But no, as it turns out, my imagination was not fertile enough to conceive of what had really gone wrong. Here is USPTO’s announcement of earlier today about this situation:
Sunday Mar 07, 2021
During our system maintenance on Saturday, March 6, we discovered an issue that may affect your 2FA second factor authentication. As such, here are the detailed steps for any user that prefers to use an authenticator app as the primary delivery method.
The steps to reconfigure are as follows. It takes about 2 minutes to execute:
- Log in to MyUSPTO using the account to be reconfigured, entering user id and password when prompted.
- For Two-step authentication, choose to receive code via an option other than “Code generator (Authenticator app)”
- Retrieve and transcribe the second factor into the “authentication code” box
- Expand the user’s display name (upper right-hand corner) and select “Account”
- On the account page, find the section labeled “Code generator (Authenticator app)” and click the “Reconfigure” button
- Enter prompted values, following the prompts, and replace the prior configuration
Posted at 10:33AM Mar 07, 2021 in Current Status
I invite you to read this, maybe more than once if necessary, and see if you can figure out what is unsaid in this posting on the USPTO web site. See if you can figure out what exactly went wrong here.
Yes, the answer is that somebody at the USPTO yesterday morning had an “oops” moment. Somebody deleted the USPTO database of all of the Secret Code Numbers of every user of every USPTO system. Which now means that every USPTO user needs to start all over again with setting up the “authenticator app” two-factor authentication. Which you can only do after you (hopefully) successfully log in at the USPTO using some other kind of two-factor authentication other than the “authenticator app” two-factor authentication.
Oh to have been a fly on the wall to listen to what must have happened at the USPTO during some conference call yesterday. What happened, I am pretty sure, is that yesterday afternoon, after the trouble tickets started piling up at the USPTO, a bunch of IT people at the USPTO were on a conference call and they all suddenly looked at each other and each one pointed to somebody else and said “I thought you were the person who was doing daily backups of the TOTP shared secret database!” And I am not making this up: it must have turned out that nobody was backing up that database. So a second person at the USPTO also screwed up, namely whoever it is whose job it is to make sure that the USPTO makes periodic backups of all of the databases that need to be periodically backed up.
So really what we have is two people made mistakes at the USPTO.
The first person I mentioned, the person who accidentally deleted the entire database of Secret Code Numbers for all USPTO users, actually should not be scolded very much. In a competently managed system, accidental deletion of any single file or any single database is never a big problem because some other person backed it up some time in the past 24 hours. You just go find the backed-up copy and click “restore”, something like that. The second person I mentioned, the person whose job it is to make sure that the USPTO makes periodic backups of all of the databases that need to be periodically backed up, that is the person who needs to be scolded quite a lot.
So what is the consequence? The consequence is that every user of MyUSPTO, every trademark practitioner, every user of Private PAIR, every user of EFS-Web, every user of Patentcenter, must now go through the twenty or so mouse clicks. Each user must do the mouse clicks that bring up the existing secret code number, and the clicks that delete it. Each user must then go through the steps to generate a new secret code number, and get it loaded into the USPTO database, and get it loaded into the user’s own system.
It’s not only patent practitioners. It’s also trademark practitioners. And it is also the paralegals and administrative assistants who work with those patent practitioners. I am guessing maybe fifty thousand people who all of a sudden find that they cannot log in on any USPTO system.
The USPTO implementation of TOTP setup is more burdensome than most implementations. With most implementations, the server generates the Secret Code Number and shows it to you (usually as a QR code), you store it locally in your authenticator app while the server stores it on its end, and then you test things by doing one match of one-time passwords. You and the server each generate one six-digit one-time password and you compare them, and if they match, then you count it as good and everybody moves on. This takes ten or fifteen mouse clicks and consumes three or four minutes of your valuable time.
But the USPTO system is more burdensome. With the USPTO system, you start by doing what all servers do, which is, you and the server each generate one six-digit one-time password and you compare them, and if they match, great, but then the USPTO system says “we require that you do it all a second time”. The USPTO system then demands that you generate a second six-digit time-based password from the next 30-second step, and that one also has to match, and only then will the USPTO count it as good and people will be able to move on. This adds an unnecessary couple more minutes and an unnecessary several more mouse clicks to the process of setting up the “authenticator app” 2FA.
Most USPTO users who use the authenticator-app type of 2FA probably only store their Secret Code Number in one place, namely inside their authenticator app. Such a USPTO user is now stuck having to go through the entire TOTP setup process all over again, burning up maybe six minutes of their valuable time. This is maybe twenty mouse clicks.
But if you are a power user of TOTP, you will likely have stored your secret code number in several places. That is the smart thing to do. I carry a fob for example that has all of my TOTP shared secrets in it, in an encrypted memory.
So USPTO’s incompetence does not merely make me do the basic twenty or so mouse clicks to generate a new secret code number to replace the one that the USPTO accidentally deleted and had failed to back up. USPTO’s incompetence also forces me to do something like one hundred extra mouse clicks to get the new secret code number stored into all of the places where it needs to go, including in the secure fob. It will waste well over a quarter of an hour of my time.
The nameless person at the USPTO who crafted that announcement is being disingenuous in the extreme to estimate the time cost at a mere “two minutes”. The time cost to the customer is not only the time cost of cleaning up the mess made by the USPTO. It also includes the ten or fifteen minutes already lost during which the customer tries to log in, gets the error message, tries again, fails a second time, and then checks with co-workers to try to figure out “is it just me?” Only after that ten or fifteen minutes does the customer conclude that it is not just me. And eventually the customer stumbles upon the fix which yes, if you have done it several times recently, might only take you two minutes. More likely, since the last time you did it was two years ago, it will take you five or ten minutes.
We are talking about something like fifty thousand USPTO customers who must now spend five or ten unnecessary minutes deleting their “authenticator app” setups and setting up new “authenticator app” setups. I guess the total social cost of this will be something like ten thousand hours of wasted time. Conservatively the blended hourly rate for those USPTO customers might be $100 per hour, so the social cost of the USPTO screwups will be well in excess of one million dollars.
Back to who it is that screwed up at the USPTO. My great disappointment is in the person whose job it was to make sure that every important database in the USPTO systems gets backed up regularly. That person (whose name we customers probably will never learn) screwed up here. The screwup probably happened a couple of years ago, when USPTO just got started using the authenticator-app type of 2FA.
If the problem had been that something had caught fire and then it turned out the fire extinguisher in the room was no help because it had been empty for a couple of months now, you can imagine somebody would suddenly be given the task of going around and looking at all of the other fire extinguishers in the building to see if any of the other fire extinguishers are also empty. Sort of like closing the barn door after the horse has already escaped.
Back to being the fly on the wall. If it has not already happened, I am quite sure it will happen very soon that somebody somewhere at the USPTO will be given the rather thankless task of hunting around to make a list of all of the databases that USPTO ought to be backing up regularly, and then running down the list item by item to see which ones are not in fact getting backed up regularly. And then setting up backups for everything that should have been backed up all along.
Likely as not, it is that person’s direct supervisor, or the direct supervisor of that supervisor, who deserves the scolding for having failed to attend to this a couple of years ago. That person has cost the IP community well in excess of one million dollars.
Did you have to set up your “authenticator app” two-factor authentication all over again because of this? How long did it take you? How many people in your firm or corporation had to do the same thing? Please post a comment below.