[E-trademarks] User verification suddenly required despite being securely logged into MyUSPTO

Kevin Grierson kgrierson at cm.law
Fri Apr 19 09:11:21 EDT 2024 

I don’t know about LastPass, but I think most modern password managers are set up so that even the company hosting the data has no access to it because only the user has the private decryption key.  Even LastPass does not know end-user master passwords, so in theory the passwords themselves were not breached (though LastPass did warn its users to change both their master password and the passwords in their “vaults.”  Is it completely foolproof?  No, but it’s a much better solution than reusing passwords so you can actually remember them.

Kevin Grierson​​​​
[cid:image001.png at 01DA9238.1CE36760]
[Mobile:]
  757-726-7799<tel:757-726-7799>
[Fax:]
  866-521-5663<fax:866-521-5663>
[Email:]
  kgrierson at cm.law<mailto:kgrierson at cm.law>

From: E-trademarks <e-trademarks-bounces at oppedahl-lists.com> On Behalf Of Richard Schafer via E-trademarks
Sent: Thursday, April 18, 2024 8:50 PM
To: Dale Quisenberry <dale at quisenberrylaw.com>; For trademark practitioners. This is not for laypersons to seek legal advice. <e-trademarks at oppedahl-lists.com>
Cc: Richard Schafer <richard at schafer-ip.com>
Subject: Re: [E-trademarks] User verification suddenly required despite being securely logged into MyUSPTO

EXTERNAL EMAIL
No, “Tell me your password for X or I’ll shoot you” is always a risk, regardless of whether you keep your passwords in a software-controlled vault or on a piece of paper.

The concern is about the security of the password manager. Lastpass had more than one security breach that exposed user data. The best password managers run security audits to try to prevent such occurrences, but the risk is there.

But consider the alternative: how else do you manage your passwords, and how secure is that technique? For many people who don’t use software assistance, password management involves reusing the same password over and over again, writing the passwords down on a piece of paper, and choosing relatively weak passwords. Where their employer requires changing a password from time to time, they often keep the same base password and suffix it with a sequence number or an increasing number of the same special character. All of that is markedly less safe than using a good password manager software.

Carl’s right that keeping your TOTP 2FA code generation in the same password manager as your passwords is an extra risk that can be avoided by not using the feature offered by more and more password managers of keeping 2FA code generation in the same password vault. But I’ll admit that I’ve accepted that risk for the convenience. Let’s be honest, convenience is going to drive a lot of our decisions on what level of security (and accompanying inconveniences) we’re willing to accept.

Finally, there is constant research into better ways to provide secure authentication than passwords. The FIDO Alliance develops open standards for authentication and device attestation. More and more major sites are using some sort of FIDO authentication standards. You may have seen places that use “passkeys” instead of passwords. Those are often using FIDO standards. There are FIDO security keys that combine hardware-based authentication with biometrics to avoid using passwords, for example, that are supported by Windows and Mac logins, Gmail, Dropbox, Facebook, Salesforce, and others.

Best regards,
Richard A. Schafer | Schafer IP Law
P.O. Box 230081 | Houston, TX 77223
M: 832.283.6564 | richard at schafer-ip.com<mailto:richard at schafer-ip.com>

From: Dale Quisenberry <dale at quisenberrylaw.com<mailto:dale at quisenberrylaw.com>>
Sent: Thursday, April 18, 2024 5:25 PM
To: For trademark practitioners. This is not for laypersons to seek legal advice. <e-trademarks at oppedahl-lists.com<mailto:e-trademarks at oppedahl-lists.com>>
Cc: Richard Schafer <richard at schafer-ip.com<mailto:richard at schafer-ip.com>>
Subject: Re: [E-trademarks] User verification suddenly required despite being securely logged into MyUSPTO

Is it a concern of those who use these password managers that someone could put a gun in your face and demand your phone and hold it to your face to open it and access your passwords and thus everything protected by those passwords presumably including access to financial accounts?  Or is that not a risk?

Best regards,

Dale

C. Dale Quisenberry
Quisenberry Law PLLC
832.680.1000

Sent from my iPhone

On Apr 18, 2024, at 5:22 PM, Richard Schafer via E-trademarks <e-trademarks at oppedahl-lists.com<mailto:e-trademarks at oppedahl-lists.com>> wrote:

There are lots of password managers out there; I’ve used Roboform for years.

But at my previous law firm, the chief security officer had (and I think still has) a firm rule prohibiting the use of password manager software as unsafe because of the risk that someone might be able to break the password vault maintained by the software. I vigorously disagreed, citing NIST and others, but was unable to convince him. I don’t know how widespread that opinion is.

Best regards,
Richard A. Schafer | Schafer IP Law
P.O. Box 230081 | Houston, TX 77223
M: 832.283.6564 | richard at schafer-ip.com<mailto:richard at schafer-ip.com>

From: E-trademarks <e-trademarks-bounces at oppedahl-lists.com<mailto:e-trademarks-bounces at oppedahl-lists.com>> On Behalf Of Thilo C. Agthe via E-trademarks
Sent: Thursday, April 18, 2024 4:06 PM
To: For trademark practitioners. This is not for laypersons to seek legal advice. <e-trademarks at oppedahl-lists.com<mailto:e-trademarks at oppedahl-lists.com>>
Cc: Thilo C. Agthe <thilo.agthe at wg-law.com<mailto:thilo.agthe at wg-law.com>>
Subject: Re: [E-trademarks] User verification suddenly required despite being securely logged into MyUSPTO

I second 1Password.  I use the same.

Best regards,

Thilo


WUERSCH & GERING
Thilo C. Agthe, Partner
Wuersch & Gering LLP | 100 Wall Street, 10th Fl. | New York, NY 10005
212-509-4714 (direct) | 212-509-5050 (firm)
thilo.agthe at wg-law.com<mailto:thilo.agthe at wg-law.com> | www.wg-law.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.wg-law.com%2f&c=E,1,AGS4xwNWkyQ1oXzviIj3Mxnqux9x9b10O_tE4Yzp4sQh50DkOTcHHVbReazE5JmnuVAEhBhsC7YX_TgqyN_gyyOR2tgOGC8dOVEnbsTOBPDfIswLGzRPKO-k&typo=1>

This message and any attachments hereto contain confidential information and information which may be subject to the attorney-client privilege. It is intended for the individual or entity named above.  If you are not the intended recipient, please do not read, copy, use or disclose this communication to others; also please notify the sender by replying to this message, and then delete it from your system.  Thank you.

Diese Nachricht und etwaige Anhänge enthalten vertrauliche Informationen und Daten, die Gegenstand des Anwaltsgeheimnisses sein können. Sie ist nur für die oben genannte natürliche oder juristische Person gedacht. Sollten Sie nicht der beabsichtigte Empfänger sein, bitten wir Sie die Nachricht nicht zu lesen, zu kopieren, oder an andere weiterzugeben.  Bitte informieren Sie den Absender durch Beantwortung dieser Nachricht, und löschen Sie die Nachricht aus Ihrem System. Danke.

P Please consider the environment before printing this e-mail!

From: E-trademarks <e-trademarks-bounces at oppedahl-lists.com<mailto:e-trademarks-bounces at oppedahl-lists.com>> On Behalf Of mrichter richtertrademarks.com via E-trademarks
Sent: Thursday, April 18, 2024 1:26 PM
To: For trademark practitioners. This is not for laypersons to seek legal advice. <e-trademarks at oppedahl-lists.com<mailto:e-trademarks at oppedahl-lists.com>>
Cc: mrichter richtertrademarks.com <mrichter at richtertrademarks.com<mailto:mrichter at richtertrademarks.com>>
Subject: Re: [E-trademarks] User verification suddenly required despite being securely logged into MyUSPTO


[CAUTION: EXTERNAL EMAIL]
Laura,

I can recommend that you use a password keeper. I use 1Password and it has a function to show you previously used passwords – it is unbelievable how often I need it!

Best,
Miriam

Miriam Richter, Attorney at Law, P.L.
Make Your Mark! ®
Trademark, Copyright, and other Intellectual Property Matters
2312 Wilton Drive, Suite 9
Wilton Manors, Florida 33305

954-977-4711 office
954-240-8819 cell
954-977-4717 facsimile

NOTICE: This e-mail message and any attachment to this e-mail message contains confidential information that may be legally privileged. If you are not the intended recipient, you must not review, retransmit, convert to hard copy, copy, use or disseminate this e-mail or any attachments to it. If you have received this e-mail in error, please notify us immediately by return e-mail or by telephone at 954-977-4711 and delete this message. Please note that if this e-mail message contains a forwarded message or is a reply to a prior message, some or all of the contents of this message or any attachments may not have been produced by the sender.


From: E-trademarks <e-trademarks-bounces at oppedahl-lists.com<mailto:e-trademarks-bounces at oppedahl-lists.com>> On Behalf Of Sam Castree via E-trademarks
Sent: Wednesday, April 17, 2024 7:01 PM
To: For trademark practitioners. This is not for laypersons to seek legal advice. <e-trademarks at oppedahl-lists.com<mailto:e-trademarks at oppedahl-lists.com>>
Cc: Sam Castree <sam at castreelaw.com<mailto:sam at castreelaw.com>>
Subject: Re: [E-trademarks] User verification suddenly required despite being securely logged into MyUSPTO

Ugh, I've been trying on and off for the past year and a half to get my MyUSPTO account updated to my current e-mail at my current firm.  At least I can use the old e-mail to log in, so it hasn't stopped me from working, but it is ridiculous.

Cheers,

Sam Castree, III

Sam Castree Law, LLC
3421 W. Elm St.
McHenry, IL 60050
(815) 344-6300

On Wed, Apr 17, 2024 at 4:00 PM Laura Geyer via E-trademarks <e-trademarks at oppedahl-lists.com<mailto:e-trademarks at oppedahl-lists.com>> wrote:
ZOMG Gerry, I was caught in an endless verification loop where it made me do that I think 4 times  with the drivers’ license/face capture before I finally cracked and contacted ID.me.

But here’s the thing: if you’re in the Infinite Verification Loop with any agency, the hangup is often ID.me and then you can’t get into your account to log into Id.me to access their “faster” response team. In my case, they had decided that my account was connected with my prior work email, to which I have no access, obviously. No worries though, says the “help” page, just type in your old inaccessible email address with your old password. The chances that I’m going to remember a prior password, from a year ago, is .000002%.No worries, says the help page, just put in a few guesses – sorry, guys, the fact that we’re all forced to register 8FUN€beach§woohoo34# means that unless you write them all down you’re screwed. So there is no way to get in at ALL.

So you go to ID.me and fill out the “help”email, because you can only report that way, and they say “high volume but will get back to you within a week”. But … we have an 8&15 and the client finally surfaced and it’s due tomorrow!! So a friend suggested that I call the TM Assistance Center, and ask to talk w true TEAS "technical problems people" and plead for help. They have some kind of Big Red Phone to get in touch with ID.me and get you a response much sooner. Once I did that, I heard from ID.me a few hours later and the problem was solved by the next day. Not lickety-split, but much faster than the week a lot of people have to wait for ID.me.

Good luck!

Laura Talley Geyer (she/her)
Of Counsel
ND Galli Law LLC
1200 G Street, N.W., Ste 800
Washington, DC 20005
Tel: (202) 599-9019 (direct)
https://ndgallilaw.com/laura-geyer/


From: E-trademarks <e-trademarks-bounces at oppedahl-lists.com<mailto:e-trademarks-bounces at oppedahl-lists.com>> On Behalf Of Gerry J. Elman via E-trademarks
Sent: Tuesday, April 16, 2024 11:51 PM
To: For trademark practitioners. This is not for laypersons to seek legal advice. <e-trademarks at oppedahl-lists.com<mailto:e-trademarks at oppedahl-lists.com>>
Cc: Gerry J. Elman <gerry at elman.com<mailto:gerry at elman.com>>; Kartik Kumar <Office at elman.com<mailto:Office at elman.com>>
Subject: [E-trademarks] User verification suddenly required despite being securely logged into MyUSPTO

EXTERNAL EMAIL
I have "sponsored" a remote paralegal to log into MyUSPTO for both trademark and patent matters.  Up to now that was working ok. But yesterday, after logging into MyUSPTO, he was stymied from accessing the page for a Section 8 trademark filing for a client I had asked him to start for me.

Instead he was presented with a screen demanding that he provide an additional form of "verification" via the ID.me<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fID.me&c=E,1,OaD2j1z59sUNAdOfdGsU2-fUozGx4Nw1einR6N3ou5cql64oOvktGThgdKamlQoiQVTWy4e_5cpjH6eLeeRu51_Zost0e5fy98y337mIDDeq&typo=1&ancr_add=1> platform, even though he was already securely logged into MyUSPTO with its own identity factor.  Several months ago I had successfully "sponsored" him as a paralegal working for me. See attached screenshot.

And I find that the ID.me<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fID.me&c=E,1,q230Rx-T3V4Xo_RLOkbGCi1lRaS1X94Car77y7dIDHE6pRlFZkpspg--rROVFoaNtdG7_Akk2n05Plf9U9sBwprQuZ_iIQXAShtDp3dy&typo=1&ancr_add=1> platform is skewed towards people located in the United States.  He is working for me from outside the border.

Has anyone else encountered this sudden impediment to ongoing trademark work?  I had no notice that this additional barrier was going to be erected.  Did I miss a notice from USPTO?  Has this requirement been vetted under the Paperwork Reduction Act?

Any advice as to whom to contact at USPTO?  The Trademark Help Desk wasn't able to provide help here.

-Gerry          gerry at elman.com<mailto:gerry at elman.com>
Gerry J. Elman, Elman IP
6117 St James Pl, Denton, TX 76210
office ph. 610-892-9942    mobile 610-909-2468



-------- Original message --------
From: Gerry Elman <gjelman at live.com<mailto:gjelman at live.com>>
Date: 4/16/24 5:08 PM (GMT-06:00)
To: "Gerry J. Elman" <gerry at elman.com<mailto:gerry at elman.com>>
Subject: TM verification required


--
E-trademarks mailing list
E-trademarks at oppedahl-lists.com<mailto:E-trademarks at oppedahl-lists.com>
http://oppedahl-lists.com/mailman/listinfo/e-trademarks_oppedahl-lists.com
--
E-trademarks mailing list
E-trademarks at oppedahl-lists.com<mailto:E-trademarks at oppedahl-lists.com>
http://oppedahl-lists.com/mailman/listinfo/e-trademarks_oppedahl-lists.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://oppedahl-lists.com/pipermail/e-trademarks_oppedahl-lists.com/attachments/20240419/b09bcd38/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3100 bytes
Desc: image001.png
URL: <http://oppedahl-lists.com/pipermail/e-trademarks_oppedahl-lists.com/attachments/20240419/b09bcd38/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 285 bytes
Desc: image002.png
URL: <http://oppedahl-lists.com/pipermail/e-trademarks_oppedahl-lists.com/attachments/20240419/b09bcd38/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 452 bytes
Desc: image003.png
URL: <http://oppedahl-lists.com/pipermail/e-trademarks_oppedahl-lists.com/attachments/20240419/b09bcd38/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 394 bytes
Desc: image004.png
URL: <http://oppedahl-lists.com/pipermail/e-trademarks_oppedahl-lists.com/attachments/20240419/b09bcd38/attachment-0003.png>

More information about the E-trademarks mailing list