There are quite a few ways to set up two-factor authentication in ePCT. Last week there was a problem with the SMS-type 2FA in ePCT, and users who had failed to set up a second type of 2FA found themselves unable to log in. This offers a reminder that you should always have at least two types of 2FA set up with your WIPO user ID. I am delighted to report that I have successfully gotten it set up so that I can use my EPO smart card as a form of 2FA in ePCT.
It was interesting to see how easy it turned out to be, getting the EPO smart card. I filled out a form and sent it to the EPO. Later I received a box with this snazzy smart card reader, free of charge. Next thing you know, the smart card itself showed up. Finally, in a separate mailing, a PIN number arrived for unlocking the smart card. All free of charge. EPO does not even charge for shipping.
Getting the smart card set up for use as a form of 2FA in ePCT is a bit of a challenge. It turns out that if you already have a browser certificate set up for 2FA, you have to “unlink” the browser certificate. Then you click around a bit to link the EPO smart card as a form of 2FA. Only when this is done can you link up your browser certificate again to ePCT. In my case, however, I sort of got lucky, because my existing browser certificate happened to have expired at just the moment that I was planning to link the EPO smart card. So I did not need to do anything about “unlinking” the old browser certificate.
Most power users of ePCT use a browser certificate as their main way to do 2FA. It is by far the fastest and most convenient way to log in at ePCT.
Note: the alert reader will recall that on February 6, 2022 I announced (blog article) that Real Soon Now I would be offering fifteen webinars about ePCT. I keep sort of hoping that I will get these webinars scheduled. I hope to get them scheduled Real Soon Now.
4 Replies to “With ePCT, always have at least two kinds of 2FA”
Did the EPO in any way verify your identity?
Thank you for commenting. This is an interesting question. Keep in mind that for the limited purpose of setting up 2FA in ePCT, it absolutely does not matter whether the EPO does or does not verify somebody’s identity when sending out a smart card. From WIPO’s point of view, the EPO smart card is nothing more than a convenient package for storing a public crypto key and a private crypto key, and that is all that WIPO needs it for. The process within ePCT for adding some additional form of 2FA in addition to whatever kind you have already set up assumes that WIPO has already confirmed your identity to its own satisfaction. From WIPO’s point of view they neither know nor care whether EPO confirmed somebody’s identity. Indeed I believe that the ePCT system does not even check to see if the “name” that is tucked away inside the EPO smart card public crypto certificate matches the “name” by which the user is known to ePCT. I think you could use anybody’s EPO smart card for your 2FA in ePCT.
But yes, in EPO’s own workflow, they do a bit of identity verification as part of the smart card process. In my case I had to send a snapshot of my passport photo page. You can read about the process here.
Thanks! That webpage has a distinct ’90s vibe, and sending snapshots of passport photo pages also seems outdated, though it is not very surprising that the EPO still handles it that way.