WIPO provides another option for two-factor authentication in ePCT

If you want to do any of the good things in ePCT, you have to be logged in using two-factor authentication (“2FA”).  (WIPO chooses to call this “strong authentication”.)  One of the nice things is that WIPO offers several distinct kinds of 2FA that a user can choose from.  Now WIPO has added yet another option for a type of 2FA that users can use.  The newly added option is something they call “push notification”.   It uses something called the ForgeRock Authenticator app.  I think that many ePCT users will find this new “push notification” type of 2FA to be extremely quick and convenient and will end up choosing to use this kind of 2FA to the exclusion of all of the other kinds of 2FA.  In this blog article:

  • I will briefly describe this new “push notification” approach,
  • I will explain how to install it and set it up,
  • I will briefly remind the reader of the three other types of 2FA that WIPO offers for use with ePCT, listing a few factors for comparison among the four approaches for 2FA, and then
  • I will talk about what I think are the best and smartest ways to use this new “push notification” approach. 

If you have tried the ForgeRock Authenticator app with ePCT, please post a comment below.

A brief description of this new “push notification” approach.  The executive summary is that this new “push notification” approach uses an app on your smart phone.  When you are logging in on ePCT at your computer, you will enter your user ID and password at the computer as usual.  You then indicate in ePCT (at your computer) that you wish to use “push notification” instead of one of the three other types of 2FA.  A moment later, your smart phone vibrates and you see a notification on the screen of your phone.  The notification on your phone asks if it is okay to finish the login that you started at your computer.  On your phone, you touch the answer that says that it is okay.  Now, on the ePCT computer screen, you see that you are now logged in with two-factor authentication.

How to install it and set it up.  To set this up, if you think about it you will realize that one of the thing that you would need to do is to install yet another app on your smart phone.  The app is called ForgeRock Authenticator.  It is available for Android phones and for iPhones.  

Having installed the app on your smart phone, you next go to ePCT and click around to the place for setting up two-factor authentication.  Of course you have done this at least twice before, because as you well know, it is stupid to only have one kind of two-factor authentication set up for your user ID.  So a long time ago, you had already done this business of setting up two-factor authentication at least twice, right?  Yes of course you did!  Now, if you have decided to give this new “push notification” approach a try, this will be at least your third kind of 2FA for ePCT.  If you are a power user, you have probably already set up all three of the previously available kinds of 2FA, in which case now that you are adding push notification, you will end up with four kinds of 2FA set up for ePCT.

Anyway, so you go to the place for setting up 2FA.  You already know how to do this, but in case you forgot, here is what you do.  You log in at ePCT, you look at the upper right corner of the screen and find your name.  You click on your name, and a drop-down list appears.  The first item in the drop-down list is “MY WIPO ACCOUNT” and that is where you click.   So now you are in MY WIPO ACCOUNT.  You scroll down a bit to find the section entitled AUTHENTICATION METHODS.  You click on “here” in the sentence “Set up and manage my strong authentication methods here.”  So now you are on the page AUTHENTICATION METHODS.    

On the page AUTHENTICATION METHODS there are four kinds of 2FA listed.  This new “push notification” method is listed first among the four kinds, and I am quite certain that this is not an accident that it is listed first.  The method that I have always liked best (the browser digital certificate) is listed last among the four kinds, and I am also quite certain that this is not an accident that it is listed last.

Here are the four kinds of 2FA that WIPO lists for ePCT:

  • push notification
  • Time-based One-Time Password
  • text message (SMS) with one-time password
  • browser digital certificate

Continuing with the setup process for “push notification”, oddly enough what you would do is select “push notification”.  Yes I realize you would never have guessed this, I realize it is rather counter-intuitive, but yes, to set up your “push notification” app, you select “push notification” on your ePCT screen in your notebook or desktop computer.  Stay with me on this and we will get through this difficult process together!

The next screen you see in ePCT is a screen that has only one thing that you can do.  The single thing that it invites you to do is to click “add”.  So it is actually not very difficult to figure out what to do next in the ePCT screen.  You click “add”.  When that happens, a really big QR code will appear on the ePCT screen.  

I think most of you are going to be able to guess what it is that needs to happen next.  Whenever there is a big QR code that just popped up in front of you, and previously there was not a QR code in front of you, in today’s world the general meaning of this is that somebody somewhere has in mind that you probably need to scan the QR code.  How are you going to scan the QR code?   Well, let’s see.  There are exactly two physical things on your desk in front of you.  One of them is your computer, and the other one is your smart phone.  The computer is the thing that is displaying the QR code.  So I think we can all put our thinking caps on and we can work out that we will not be using our computer as the thing that is going to scan the QR code.  So now we look around to see what is the single other physical thing on our desk in front of is, and sure enough it is our smart phone.  The smart phone is also the only thing that we have ever, in our entire life, used for scanning a QR code.  So just keeping our thinking caps on for another moment, we take a stab in the dark guess that probably what we will need to do next is use our smart phone to scan that QR code.

Whew!  Yes that might have been a bit difficult, but what is very reassuring is that right there on the ePCT screen what it says is “use the ForgeRock Authenticator app to scan the QR code”.  So this is completely consistent with what we had worked out for ourselves as the likely next step.

So we look at our smart phone and if we had not already done so, we launch the ForgeRock Authenticator app, and there is mostly a featureless screen and pretty much the only thing we can see anywhere on the screen is a green “plus” sign button that looks like maybe we are invited to “add” something.  Since it is pretty much the only thing to do, we go ahead and touch the green plus sign.  What happens next is, our smart phone scans the QR code.  Note by the way that this the very thing that ePCT was telling you to do.  Maybe this is not so very difficult after all.  

So then we click one or two more things here and there on the app on our smart phone, and we click one or two more things here and there in ePCT, and now we are all done.

So just to summarize, the entire setup process is something like two clicks here and two clicks there.  The entire setup process is something like three steps, maybe only two steps depending on what you count as a “step”.  It is actually about as uncomplicated as you could imagine a setup process could be.  Click one place, scan a QR code, click one more place, done.

The folks at WIPO actually provide a very nice “help” page (click here to see it) that describes this setup process in great detail, complete with lots of screen shots, just in case a person might somehow get mixed up in the middle of this process.  The usual problem for me, for example, is even if something is simple, I sometimes get part way through, and then out of the corner of my eye I see something shiny, and then I go over to look at the shiny thing, and later I come back to what I was doing and I forget which step I was on.  But you, dear reader, you might manage to focus on all two or three of these steps and get through them in a focused way and get it all to work on the first try.  

I am sort of joking here.  I really do think that most people would have a reaction that setting up this “push notification” approach using this ForgeRock Authenticator app is pretty straightforward and that there are not very many ways to go astray with the setup process.  And I think most people would have a reaction that once they have gotten it set up, it is pretty easy to use and you do not need to think about it very much.

Now let’s step back and review what has been accomplished.  One thing to realize here is that this ForgeRock Authenticator app is clearly designed with the idea that you might possibly use it as a way for doing 2FA for more systems than just ePCT.  If some other company or organization were to choose to set up this particular kind of “push notification” than you might eventually find yourself scanning a somewhat similar QR code on the web site of, say, your bank or the MyUSPTO system or whatever, and this app could provide an approach for 2FA for logging in at your bank or at the USPTO.

So the general idea going forward, just to review briefly, is that you go to ePCT on your notebook or desktop computer, you enter your user ID and password, then ePCT asks you what kind of 2FA you want to use today.  At that point, you click on “push notification”, then your smart phone vibrates, then a screen pops up on your smart phone and then it asks if you want to approve the login.  At that point you tap the screen of your smart phone to say that yes you do approve the login, and then you direct your gaze back to your computer and now you see that you are logged in all the way with 2FA (what WIPO calls “strong authentication”).  Now you can see your ePCT workbench and your pending PCT applications.  I think for most users, what you would find is that the entire login process was quite a bit faster when you compare this with the amount of time that you would have had to spend if you had chosen, say, an SMS text message approach.

As I mentioned above, what I will do now in this blog article is briefly remind the reader of the other types of 2FA that WIPO offers for use with ePCT, and then I will turn to a discussion of what I think are the best and smartest ways to use the ForgeRock Authenticator app for your logins at ePCT.

Here are brief reminders of what I see as some of the potential advantages and disadvantages of the four 2FA approaches.

Push notification.  This approach requires that you have your smart phone with you.  It requires that the battery is not run down on your smart phone.  It requires at least that you be connected with wifi (some kind of internet connectivity) but it does not require that you have cell coverage.

When this “push notification” approach works as intended, it is fast, fast, fast.  The phone vibrates or beeps, you tap the “approve” button, and you are done.  The entire process might only take five or ten seconds. 

Time-based One-Time Password.  This is the approach where you see a six-digit code someplace, and you go to ePCT and you type it in with your fingers, and this is how you do the 2FA login on ePCT.  Maybe you see the six-digit code on your smart phone.  Or maybe you see it in a program such as Winauth that is running on your notebook or desktop computer.  This helps us to realize that this approach might not require you to have your smart phone with you, because if you plan ahead you could use something like Winauth on your notebook or desktop computer.  The point here is that everything you need can be right there on the same computer that you are are already using for logging in on ePCT.  No smart phone needed.  The six-digit code changes every sixty seconds.  The point of the sixty seconds is so that if somebody had peeked over your shoulder and if they had seen the six-digit code, that is not really a problem.  That code will not be of any help to a bad person if they try to log in an hour from now. 

Another thing about using a program that runs on your computer is that you might find that you can copy and paste the six-digit code, in which case you would not need to key in the six-digit code with your fingers.  Not only that, some of the programs that some power users use can auto-fill the six-digit code into the appropriate field on the computer screen.  Those power users really like the idea that they do not even need to copy and paste the six-digit code, let alone hand-key the six digits.

If you do decide to use your smart phone as the way to generate your Time-based One-Time Passwords, the phone may be able to do its job of providing the six-digit code without the need of being connected to a cell tower and without the need of being connected to wifi.

Text message (SMS) with one-time password.  This is so last-century.  Who still uses SMS?  For some people, text messages cost money.  Also, if you use this approach, it is not instant.  It takes however long it takes for the text message to arrive.  

This approach only works if you are in a location where there is cell coverage.

If you are traveling outside of your normal service area (for example in a foreign country) the text message might be expensive or it might not arrive at all.

But still, some people really like this kind of 2FA.  And it is really just a matter of personal preference.  And what must not be overlooked is the extreme importance of always having at least two kinds of 2FA set up for your user ID, so that if one of them is something that is not SMS, maybe you could use the SMS approach as your second kind of 2FA.

Note that this approach does not require that your phone be a “smart phone”.  Your phone could be a very old cell phone from a very long time ago.  So long as it can receive text messages, that would be good enough.

Browser digital certificate.  Ever since ePCT was new, I have preferred this approach.  This approach does not require that you wait for some text message to arrive on your phone.  This approach is instant, just like the “push notifications” approach.  This approach does not require you to look somewhere to see a six-digit code, followed by using your fingers to type the six-digit code into your ePCT screen.  

But I get it that the browser certificate approach is a big problem for the help desk people at WIPO.  Lots of people who try to use the browser certificate approach turn out to be “high maintenance” from the point of view of the help desk people at WIPO.  Somebody will have their computer’s hard drive crash and they never backed up the hard drive, and they get a new computer, and now they realize they never backed up their WIPO browser certificate, and they now want somebody at the WIPO help desk to spend maybe an hour today to start the process of obtaining a new browser certificate, followed by another hour tomorrow when they need to download the new one to their new computer.  And then this user needs an hour of handholding over the telephone with the people at the WIPO help desk as they go through the process of uploading the public-key portion of this new certificate into the ePCT system.  

The browser certificate has a lifetime of two years, and then the time comes to renew it.  This works seamlessly only in the extremely rare case where the ePCT user followed every detailed instruction and carefully wrote down their “passphrase” and did not misplace it during those two years.  The ePCT user must also carefully use only Internet Explorer.  Or is it that the ePCT user must also carefully remember not to use Internet Explorer?  The renewal process includes doing something on a first day and then doing something on a second day, and these two steps have to be carried out using the exact same computer for both steps, and also the exact same browser on that computer for both steps.  Both times, it has to be Internet Explorer.  Or maybe it is that both times it has to not be Internet Explorer?  You get my point here.  Usually this, too, sucks up maybe three hours of ePCT Help Desk time over the span of two or three days.

So yes I guess I can sort of understand why the folks at WIPO decided to spend however much money they had to spend to add this new “push notifications” approach, in the hopes that more and more ePCT users would gradually migrate over to this new approach and would not find the need to suck up three hours of ePCT Help Desk time trying to get their browser digital certificate problems straightened out

The best and smartest ways to use this new “push notification” approach.  So now let’s turn to my sense as to the best and smartest ways to use this ForgeRock Authenticator app.

The first thing that we see is that WIPO goes on and on about this:

WIPO strongly recommends activating the locking mechanism on your mobile device (e.g., PIN, facial recognition, fingerprint, etc.) if using this feature.

I guess what WIPO is getting at here is that maybe a bad person could peek over your shoulder  when you are logging in at ePCT, and the bad person might catch a glimpse of your WIPO user ID and password.  And then what if the bad person were to swipe your smart phone?  The bad person could then maybe login in at ePCT, and key in your user ID and your password, and then they could click in ePCT to say that they want to use “push notification”, and then the phone would beep, and they could tap the “approve” button on the screen of the phone, and now they get to see your PCT applications.

This same person could have picked up the physical PCT patent file from your desk, right?  This same person could have rifled through that “shred” basket under your desk to pull out the papers that are designated for shredding but have not yet found their way to the shredding service, right?

What I am getting at of course is that for each person, they might arrive at their own personal risk assessment, their own choice about how paranoid to be about bad people, and how many extra steps to impose upon themselves in their login activities.

So what you might choose to do is make your phone so that nobody can do anything with the phone except by keying in a PIN number.  Or you might choose to make your phone so that nobody can do anything with it except by putting your fingerprint into the phone.  Some phones have facial recognition that can be the way that you unlock the phone.

One colleague of mine reports that she proudly showed her facial recognition feature to her seven-year old daughter, pointed out how clever this protective feature is, and then saw her daughter promptly locate a photograph of her mother and hold it up in front of the phone.  It unlocked the phone.

Be careful what you wish for when setting up a fingerprint to protect something important, said one of the commenters to one of my recent blog articles about 2FA and automobiles.  There are movies where the way a scene moves forward is that a bad person who needs to get a bank door to unlock will go back to a bank guard and cut off the bank guard’s finger, and will then bring the severed finger to the fingerprint reader at the doorway, to unlock the door.

But I digress.

The main thing that I want to mention here is that you can click around inside this ForgeRock Authenticator app and you can see that they actually have given quite a lot of thought to the various ways that you might want to set up the app.  You can set it up so that, for example, the app itself asks for a fingerprint, or a facial scan, or a PIN code, at the time of the 2FA login.  The user who wanted to make things extra secure could then set up the phone so that a first required step would be unlocking of the phone, and then once the ForgeRock Authenticator app was opening on the screen, there would be a second required step of doing a facial scan or a fingerprint or a PIN code.  

Yet another approach that some users might prefer is to leave the phone itself unlocked all of the time, and then the only time a fingerprint or facial scan is required is at the time of using the ForgeRock Authenticator app for purposes of the ePCT 2FA login.

My main point here, I think, is that you as a user could make your own choices about all of this.  Or maybe the law firm or corporate patent department might decide to set up a policy about what its people should do about this.  An example of a policy that I imagine many law firms and many corporate patent departments would be comfortable with is:

You must secure the ForgeRock Authenticator app at some point, and you as the user get to pick.  It can either be locking the phone itself, or it can be configuring the ForgeRock Authenticator app so that it requires an unlock at the time of the ePCT 2FA login process.

Have you tried the ForgeRock Authenticator app?  How do you like that kind of 2FA?  Do you think that going forward you will prefer it to the other three kinds that are available for ePCT?  Please post a comment below.

9 Replies to “WIPO provides another option for two-factor authentication in ePCT”

  1. I’ve set up the ForgeRock Authenticator and tried it. It’s easy to set up and use. I’d use it instead of SMS authentication messages, for sure. It’s slightly less easy than the digital certificate, but the digital certificate seems less secure. The certificate would allow anyone with access to my computer (and my id/password credentials) to log in as me, while the push notification would require them to have access to both my computer and my phone.

    1. You could password-protect your computer, right? That would control who has the ability to make use of the browser digital certificate, right? I suppose you are wondering for example what if someone walks up to the computer during a brief instant while you went away to the coffee machine and had not locked down the computer?

      1. That seems best practice anyway, if working in a space where others can walk up to your computer.
        I learned the hard way to lock my keyboard even when working at home. Just stepping away for half a minute to refill a cup in the kitchen, cat accidentally stepped on keyboard and ruined a document I was working on. Better safe than sorry.

  2. Done. It works.
    But I prefer the Digital Certificate. This is by far the most efficient way (at least for me).
    Although my phone is mostly within reach, I find it cumbersome to take my hands away from keyboard/mouse to push a button on my smart phone or, worse, memorize a sms-sent code and enter.
    The only reason I set up the other 2FA options is to have a back-up, in case something happens to the Certificate (even though it’s backed up, one never knows). I now have 4 ways of 2FA.

    You said sms was so last century. One of the firms I work with have only recently installed a 2FA for login on to their server. Guess what, it sends us an sms which we then have to enter, but, as you described, very cumbersome. I have suggested a push notification app long ago (different app I have to use for another firm), but the powers that be decided not to.

    A Big Thanks to the folks at WIPO who are constantly thinking of ways to make life easier and not more complicated!!

    1. If you don’t mind sharing, what is the “different app” that is not ForgeRock Authenticator, that some other firm uses for “push notification”? When I was first learning about ForgeRock Authenticator, I spent a bit of time trying to find out if there existed either

      • successful open-source push notification solutions or
      • successful commercial push notification solutions other than ForgeRock’s solution.

      I did not see any of the former, and saw one or two things that looked like the latter but they were not very clearly described on their respective web sites.

        1. Thank you. I see that this Duo Mobile system is from Cisco. Ten or fewer users, it is free. That is very interesting. The next step up is a simple 2FA system at $3 per user per month. If it really works, that could be a pretty good pretty reasonably priced system for some firms and corporations. I wonder how the cost of that Duo Mobile system compares with the cost of the ForgeRock Authenticator system.

  3. It took me 10 minutes, start to finish, to find, download and install the SourceForge app, add the WIPO push notification account thereto, and test and confirm that account worked with a push notification. Easy peasy.

Leave a Reply

Your email address will not be published. Required fields are marked *