Wednesday, 05 October 2022

Kim Dotcom Claims a Patent on Two Factor Authentication, Wants Help Paying His Legal Bills for Continued Use


Kim Dotcom is back in the news as he is now claiming ownership of Two Factor Authentication. Although the claim might seem ludicrous to many, it seems there is a kernel of truth in it as well. What is interesting is the timing of the claim and how he wants to settle things. Unlike many others that hold patents, Dotcom is not looking to make a bunch of lawyers rich trying to assert his claim. Instead he would like Google, Twitter and others that are using his patented idea to help fund his legal defense in the US.

Most of you will remember the huge lawsuit that the US embarked on to bring down Dotcom’s Megaupload. The unprecedented abuse of power, illegal warrants, improper seizure of evidence and even the original charges which enabled the seizure of all of Megaupload’s and Dotcom’s assets have become legendary (and not in a good way). We will not go into all of the gory detail, but if you are inclined you can read some of it using the links at the bottom of this article.

Needless to say, having all of your money seized and your business closed down does throw a wrench into any legal defense you might try to offer against a major government. This is exactly why the charges were filed the way they were: they needed the ability to seize everything so that Dotcom would not be able to afford a proper defense. So far the move has backfired, but it cannot last forever. Dotcom knows that he will have to come up with money to keep things rolling. According to some of his tweets this could be as much as $50 Million US dollars before it is all over.

Getting back to the patent on two factor authentication and Dotcom’s ownership of it we have an interesting situation. TFA (Two Factor Authentication) is not new and predates the patent that Dotcom holds by a few years. There have been RSA keys, one-time-passwords and more for a long time. What is different in the Dotcom patent is that he specifically mentions cellphones in the description of the receiver as the second authentication device.

“a) a wireless receiver with a display or a monitor such as for example a mobile or cellular phone, a pager (for example a city-call receiver),
b) a specially constructed receiver card within the data input apparatus, which is accessed wirelessly or through a fixed wiring;
c) a mailbox;
d) a telefax apparatus; or
e) a language output apparatus such as a fixed installed audio speaker or a telephone for the language transmission.”

RSA keys are a different type of TFA and fall outside of this patent even though they appear to be referenced in item b. However, the patent does cover the TFA used by Google, Microsoft, Blizzard, Twitter and many others. What might save them is a subtle difference in the application of the authentication method. Instead of transmitting a number via wireless, as stated in the patent, they use an expiring key that is randomly generated based on a specific algorithm. This is set up when you link your account to the service.

In many ways this is similar to how RSA keys work. In very basic terms, when you attach them to a user account a random number sequence is created and that sequence is attached to that user. Attempting to log in to an account protected by this method causes a challenge phrase or number to be generated. You have to type that into your RSA key and it will give you back the proper response.

With the TFA used by Google and others, the authentication server and device continually change the challenge and response. The end user never sees the challenge, but they have to enter the response before it expires and moves to the next challenge. For most of these systems the challenge and response expire every 60-90 seconds, which makes copying the passcode useless as it will not work after 60-90 seconds. In this manner you eliminate certain steps in the process outlined in Dotcom’s patent. Nothing is transmitted between the device and the login servers after the initial setup is completed in the TFA used by Google and others. In Dotcom’s patent, transmission is required from the login server to the receiver device.

“This transaction authorization number TAN, or a similar password, is transmitted to a receiver by the authorizing computer through another transmission path disposed parallel to the existing connection with the data-input apparatus.”
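To make the distinction concrete, here is an added example (not from the article or from any vendor's code) that assumes the "expiring key" scheme is a time-based one-time password as specified in RFC 6238, and sets it beside a patent-style TAN server. The 30-second step is the RFC default rather than the 60-90 seconds the article cites, and `TanServer`, `server_verify` and `SECRET` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per window: RFC 6238 default (assumption, not the article's figure)
SECRET = b"12345678901234567890"  # constructed sample: the RFC 6238 SHA-1 test secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """Device side: the unseen 'challenge' is simply the current window number."""
    return hotp(secret, int(now) // STEP, digits)

def server_verify(secret: bytes, submitted: str, now: float, drift: int = 1) -> bool:
    """Server side: recompute locally, allowing `drift` windows of clock skew.
    Nothing is sent to the device; both ends only share the enrolment secret."""
    window = int(now) // STEP
    return any(
        hmac.compare_digest(hotp(secret, window + d, len(submitted)), submitted)
        for d in range(-drift, drift + 1)
    )

class TanServer:
    """Patent-style flow: the server picks a random number per login and has to
    transmit it to the receiver (phone, pager) over a second channel."""

    def __init__(self) -> None:
        self.pending = {}

    def issue(self, user: str) -> str:
        tan = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = tan
        return tan  # this value must travel out-of-band to the user

    def verify(self, user: str, submitted: str) -> bool:
        expected = self.pending.pop(user, None)  # single use
        return expected is not None and hmac.compare_digest(expected, submitted)

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print(code, server_verify(SECRET, code, 59), server_verify(SECRET, code, 149))
```

The TOTP code is accepted only while the server's own clock is within the allowed windows, whereas the TAN stays secret only as long as the second transmission path does.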

So while the methodologies are fundamentally similar, they differ enough that Dotcom might not be able to apply them in court. This is probably why he chose not to sue (on top of not having the money to do so) and is asking for help. The question now is: will Google, Microsoft, Twitter and others come to the aid of Dotcom? We doubt Microsoft will bother to answer his call since they are one of the people that helped push for Megaupload to be taken down in the first place. Google and Twitter, on the other hand, might decide to help out. They have no love for the MPAA, RIAA or other members of the copyright lobby so there is a small chance there. We doubt that the $50 Million bill will be paid, but Dotcom might find a few extra dollars in his legal defense fund.

Of course there is one other possibility that we have to consider. We are certain that Kim Dotcom is aware of the ludicrous laws that govern US patents and it is possible that he is using this to show just how stupid the system is. The fact that a person who would be arrested the moment he set foot in the US can hold companies accountable for patent violation is sort of silly, but that is the way things are. US Patents are often interpreted in the broadest way to protect the patent holder. Items like obviousness, subtle differences in application and methodology are often overlooked by judges that have little to no technical understanding. Dotcom could be banking on this to get what he wants. Then again… he might just want to see if the threat will work to help pay for his legal bills…


Megaupload links

Entrapment claims

Reasons for the suit

The bad warrants

Keeping the goods

The Siege of Megaupload

Last modified on Thursday, 23 May 2013 07:57
