I imagine some readers of this blog use an authentication app as part of a two-factor authentication process for various services. For a long time I have been using Google Authenticator (right) with some systems. I’d like to ask readers to please post a comment below if you use an authentication app, mentioning some of the services that you use it with.
My reason for asking readers to share their ways of using an authentication app is that I think I am probably coming nowhere close to getting all of the benefits that I could get from such two-factor authentication. There are probably systems that offer such two-factor authentication that I don’t know about and that I should make use of.
Google recently published a research paper titled “Security Keys: Practical Cryptographic Second Factors for the Modern Web” to quantify the benefits the company found in using two-factor authentication using a protocol called U2F. Google’s paper, which I suggest be read by everyone at the USPTO who has anything to do with EFS-Web or Private PAIR or Financial Manager, reviews the advantages and disadvantages of various ways of forcing users to identify themselves to online systems.
In particular, I am trying out a new approach, namely a dongle made by Yubico. This device, called the Yubikey Neo, which on a quick glance might be mistaken for a USB drive, is intended by its maker to offer more and better options for two-factor authentication. It is intended to provide all of the functions that an authentication app such as Google Authenticator would provide, and in addition to provide easier and more convenient ways for authentication using a protocol called U2F.
I have successfully used this new dongle to authenticate myself to several systems including WIPO’s ePCT system and to the server that hosts this blog. I’d be grateful if readers can comment below to mention systems for which they use an authenticator app. I’ll try out as many of these systems as I can, and I will post an article explaining how a dongle such as this can be used with such systems. I will review Google’s findings about such dongles and I will describe what I see as the pros and cons of such dongles.
Please comment below.
Carl – Thank you! I have no specific comment other than I use Google authenticator. However, I cannot overstate how important and beneficial your contributions have been and continue to be to the community of patent professionals. Rick Neifeld
I have had many Google Authenticator issues when changing timezones or when the ‘real’ time did not match exactly my mobile phone time. Do not allow your mobile phone to update the time or the timezone automatically. Always try set your mobile phone to a ‘standard’ time source, so I google “what is the time”.
I prefer smartcards, even with all their little issues. The USB key seems to be a great idea!
I teach patent law at the University of South Carolina. The University uses something called Self Service Carolina that provides class information, etc, and allows me to enter information. The preferred multifactor authentication is Duo Mobile. It seems to be very efficient.
The principle advantage of a FIDO key (such as the Yubico key you are testing) is that the key can provide effective protection agains phishing attacks. This is achieved by the device itself detecting if the URL being accessed is one that it has shared a key with.
In comparison users can be fooled by spoof sites that resemble the authentic logon screen of the sites they believe they are accessing, and are then fooled into providing authentication details that in turn hand over the security keys to the kingdom to an automated access of their protected account.
There is an alternative to using apps like google authenticator, you can use reprogrammable hardware tokens wherever google authenticator is an acceptable option (e.g. https://deepnetsecurity.com/authenticators/one-time-password/safeid/).
Because they are reprogrammable you just load them up with the seed that is uses by google authenticator and they can act as a direct replacement. This has the advantage that you no longer need a charged mobile phone with you when authenticating, however you will need either a phone with NFC connectivity, or a NFC programming device to put the seed on the token (that said it only needs to be done the once).
I sure wish the web site would say what those things cost. I bet they are very expensive.
The SafeID/Diamond specs say “Battery life: 4-6 Years”. In 5 years when you wake up and your SafeID/Diamond no longer turns on, and you replace the battery, will it remember your seeds?
I bet the thing is glued shut or ultrasonically welded shut, to make it harder for a snoop to get at the secret number. And so when the battery runs out, you just throw it away or run it through a wood chipper or something.
Carl – That would make a great business model; purchase must repurchase every 5 years when battery dies. But then purchaser would have to still have a record of their seeds, which would make this device a very unwise choice.
Seems to me it is smart for the user to keep a record somewhere of all of one’s TOTP secret numbers.