Does this check box ever actually work?

click to enlarge

USPTO says that if you check this box, the second authentication factor will not be not needed during signin for the next 24 hours.

This is, of course, false.  Or more accurately, it is almost always false.  The check box does occasionally save the USPTO customer from having to carry out two-factor authentication when logging in to a USPTO system.  But usually it does not work.

USPTO’s implementation of this check box is extremely fragile.  It sets a browser cookie that will supposedly save the customer from having to do the two-factor authentication again until after 24 hours has passed.   The most microscopic change of circumstance, however, is enough to break the cookie.  If the computer’s IP address changes (as happens with any notebook computer when it is taken from home to office or vice versa) this breaks the cookie.  But merely closing the browser and reopening it is enough to break the cookie.  Having the screen blank out to save power, followed by touching any key to make the screen light up again, seems to be enough to break the cookie.

This would not be so bad except that the USPTO also got the wrong answer on the duration of the forced logouts from the USPTO systems.  Under the old Entrust Java Applet (EPF) login system, the forced logout was (supposedly) sixty minutes.  Even that was far shorter than what customers actually want.  But when USPTO migrated to the MyUSPTO signin system, USPTO harmed customers by cutting even the too-short sixty-minute forced logout time period in half.  USPTO now forces the customer to log out in a mere thirty minutes.

As I told USPTO back in 2014 (blog article), a short forced logout period is the opposite of what users actually want.  I surveyed users on this.  The vast majority of respondents say that for them, UPTO’s system of forced logouts is a bug, not a feature.  Indeed more than 90% of respondents said that they find the “forced logout” feature neither important nor valuable.  If USPTO were to change the system so that each user could choose for a particular login session to never get logged out automatically, 81% of the respondents would use that feature sometimes or for nearly all of their login sessions.

What would you prefer in the MyUSPTO system in the way of forced logouts?  Please post a comment below.

10 Replies to “Does this check box ever actually work?”

  1. I use VPN, so the IP address will change, and therefor the “trusted computer” will not work for me. I did tested out within a continuous section of VPN, and it does work.

    I prefer forced logout, and a fragile check box, because it increases security for myself and for the USPTO. If you are unfortunately hacked alive, microscopic changes of circumstances logs you out, then it is a good thing.

    1. Yes I understand your preference. Indeed maybe you would prefer the forced-logout time interval to be ten minutes instead of the 30 minutes that USPTO selected.

      My point is the individual user should be given the ability to pick this timeout period for himself or herself. Or should be able to check a box that selects an all-day login or something like that.

  2. I’m surprised that you did not mention that when you are prompted by the browser whether to remain “logged” in to the MyUSPTO system and you answer “Yes”, to remain “logged” in the MyUSPTO system often responds by forcing a logout despite your response.

    1. Yes you are quite right I should have mentioned that. I have noticed this quite often in recent weeks. On the PAIR screen or the EFS-Web screen it will say something like “you have X number of minutes and seconds left before you will be forced to log out, do you want to stay logged in?” and I click to stay logged in, and it logs me out anyway.

  3. Carl – I agree with you that this entire process is needlessly complex and the checkbox often has no effect. Someone from the USPTO told me it was supposed to allow you to log in again without an authorization code for 12 hours. The only redeeming feature is the the authentication emails come very fast. The authenticator option is slow. I want to see some kind of alternative like the PCT uses that does not require manually adding a code at all. But this is just one of several issues with the PAIR and EFS-Web systems.

    1. Yes ePCT permits the SMS and auth-app 2FA method and offers the third approach which is the browser certificate. And most people I know who use ePCT a lot (power users especially) really prefer the browser certificate approach. Yes it is some extra steps to set it up but then for two full years thereafteryou don’t need to pay any attention to it. For two full years it is effortless.

  4. According to the USPTO presenter at the “How to prepare for the new TEAS login requirement” webinar, presented on 10/8/19, the 30-minute forced logout was implemented to comply with the Federal Information Security Management Act.

Leave a Reply

Your email address will not be published. Required fields are marked *