« previous post | next post »

The University of Pennsylvania is instituting a Two-Step Verification for PennKey WebLogins. Up till now, our PennKey for login consisted of a Username and Password. After much effort and practice, I finally mastered that. Now, however, for the sake of greater security, after using our PennKey to log in, we will in addition be asked to go through a second step that requires us to enter a randomly generated number that will be sent to us via cell phone.

That really freaked me out, since I don't have a cell phone.

Good lord, I thought. It was hard enough for me to master the PennKey — Username and Password, and the Password has to be at least a certain length, plus it has to include upper and lower case letters, a special symbol (!), and at least one numeral — but now I have to deal with this second step that will be sent to me through my non-existent cell phone regularly when I want to log in.

When the enormity of my situation dawned on me, I went out to the department office and started to bemoan my horrible fate. The office staff were commiserating with me, when who should step off the elevator and walk in than Phil Miraglia, our wonder tech guy who has rescued me from endless predicaments since way back in the 80s, and that includes before the days of computers when he worked in the language lab and I had my students go over and listen to tapes for 3rd and 4th year Mandarin.

So Phil, who is both humored by me and sympathetic to my many techno-plights, calmly walks into the middle of this scene of Victor visibly distraught over the prospect of being locked off the Penn Web — which essentially means being locked out of University life! — and says, "Don't worry, Victor. You don't have to own a cell phone," (after years of everybody unsuccessfully coaxing me to buy a cell phone, he knows full well that will never happen) "we'll give you a fub, and you can use that to get your second step security number."


What's a fub?

I looked totally adrift, and everybody in the office and out in the hallways — about eight people — said, "fob! Phil's gonna give you a fob."

"Right," Phil said, "I'm gonna give you a fub for you to get your numbers".

I was thoroughly confused. I had no idea how you could use a fub / fob to get a computer generated number.

Linda Greene pulled out her car keys and showed me what a fob / fub is, whereupon half a dozen people explained to me that the fub / fob Phil was going to give me was a special kind that could receive those magical numbers that would enable me to go through the second step of the Two-Step Verification for PennKey logins.

Still incredulous about all of this techie stuff that was falling down on my poor head, I promised Phil that I would come down to his office on the 4th floor and pick up my fub / fob one of these days when I screwed up enough courage to face the challenge of letting it receive magic numbers out of the ether whenever I want to do something on the Penn Net.

One thing I should explain is that Phil is from South Philly. He is more Philly than anybody else in the department. There are few people in Williams Hall who are more Philly than Phil.


  1. Jim Breen said,

    June 5, 2018 @ 7:39 pm

    Don't let them fob you off with a fub.

  2. Garrett Wollman said,

    June 5, 2018 @ 8:33 pm

    At MIT, most administrative services outsource multi-factor authentication to a company called Duo, which (in addition to the usual text message based verification) also implements an interactive voice response system. (Plus, of course, the usual panoply of hardware tokens — I usually use my Yubikey Neo rather than the smartphone app or SMS.)

  3. S Frankel said,

    June 5, 2018 @ 8:34 pm

    Don't know about other Americans, but the vowel in "fob" is drastically longer than that in "fub" for me. Do they also have chiz stecks in Philly?

  4. Watts said,

    June 5, 2018 @ 8:35 pm

    As I'm sure many people will soon point out, the fob/fub will not actually receive the numbers out of the ether. The number is the result of a time-based computation that both the f*b and the server can carry out so that they agree.

  5. Jim Breen said,

    June 5, 2018 @ 8:40 pm

    To me (AusE) the vowels in fob and fub seem the same length, i.e. short. "chiz stecks"
    sounds vaguely New Zealand-ish to me.

  6. Bathrobe said,

    June 5, 2018 @ 8:52 pm

    Fub/fobs are nothing new in China. You might be given one for logging onto your online bank account.

    However, I was told it wouldn't work if I wasn't in China — not sure why.

  7. Martin Schwartz said,

    June 5, 2018 @ 10:20 pm

    Victor, my sympathies.
    UC Berkeley people had to go thru the same 2-step process recently, which caused me much anxiety. I somehow managed to get by the impenetrable technobabble of the instructions, with the help of our
    office manager, and finally can log in. I do have an old mobile dumb phone given to me by my wife so I could keep in contact with her, tho she now tends to shut of her smart mobile because of too many nuisance commercial calls (i've been getting them too, mainly "I see
    you applied to find a job…" or the like). Anyway, I can't access my e-mails away from my computer unless I have aforementioned dumb phone with me.
    Martin Schwartz

  8. Chris C. said,

    June 5, 2018 @ 10:39 pm

    By a strange coincidence, in another comment section today I encountered someone who was under the impression that "fob" was an acronym of some kind and insisted on writing it in all-caps.

    But yeah, it's only a "fub" in South Philly.

  9. lemon said,

    June 5, 2018 @ 10:48 pm

    @Chris C. FOB can be an acronym–among some Asian American groups (and maybe other groups too?), FOB stands for "fresh off the boat" and is a term for a recent immigrant from an Asian country. The term is slightly to mostly derogatory, though sometimes affectionately so.

  10. tangent said,

    June 6, 2018 @ 12:11 am

    Or the commercial initialism FOB designating the terminus of the shipper's responsibility, "FOB port" meaning it's your problem to get it home from there.

  11. tangent said,

    June 6, 2018 @ 12:16 am

    The word "fob" is nifty. It originally referred to a small pocket, then to the "fob chain" linked to your fob watch, then to a small object you put onto the fob (chain). And now a small object that may not be on any chain.

  12. Luke said,

    June 6, 2018 @ 12:24 am

    A few years ago the IT group at my job introduced them as "dongles." This was changed in short order, for obvious reasons.

  13. Laura Morland said,

    June 6, 2018 @ 1:07 am

    @Martin, when Cal instituted the dreaded two-step verification process, they *also* provided — they were automatically generated, as I recall — a list of 10 9-digit numbers, with the accompanying explanation:

    "If you lose access to your 2-Step Verification device, you can use one of these backup passcodes to log into your account. You can only use a passcode once. If you ask for new passcodes, the old codes will no longer be active. Make a copy of these passcodes and store it in a safe place."

    I've done so, and John has used it once, when neither cell phone was available (you can provide more than one cell number for the verification process, FYI).

    This 'passcode system' is very useful, and after you've run through all ten numbers, you can easily request more.

    Penn should be providing the same option!

  14. Ethan said,

    June 6, 2018 @ 1:12 am

    @Luke: So far as I know a dongle is not the same as a fob. A dongle is a small gadget that plugs into a standard socket (e.g. a USB port or headphone socket). It only works when it is plugged in. A fob does not require being plugged in to something else.

  15. Martin Schwartz said,

    June 6, 2018 @ 1:47 am

    Hi, Laura. Thanks. Good for you and John. In the mephitic miasma of the demon dance called 2-Step, I did not manage to write down the numbers, and doubt that I can now retrieve them. Well, I'll just remember to go out with my meuble (it's just another piece of furniture to lug around).
    Oh, momma, can this really be the end,
    to be stuck without my mobile…
    (iIll spare you my rhymes, e.g.lest memphite phtha offend).
    So, Victor, save those numbers, and bon courage meanwhile.

  16. Robot Therapist said,

    June 6, 2018 @ 3:04 am

    At least you'll now be able to lug in, and won't lose your jub.

  17. Philip Taylor said,

    June 6, 2018 @ 3:37 am

    Luke : the " obvious reasons" that led to your dongles being renamed are not at all obvious to me; I have, and use, dongles on a regular basis, and have never felt that they should be renamed for any reason.

  18. Eleanor said,

    June 6, 2018 @ 3:37 am

    @Robot Therapist: "At least you'll now be able to lug in, and won't lose your jub."

    Heaven fub-id.

  19. Adam F said,

    June 6, 2018 @ 5:18 am

    Can we fight over "fob off" vs "foist off" too, while we're here?

  20. Mike Anderson said,

    June 6, 2018 @ 5:24 am

    Ah, here's the dreaded Two-Factor Authentication, necessitated by the near-universal practice of most institutions implementing single "Hobbit Key" userid/password access to everything in their domain. If it's good for Texas, it must be OK for Pennsylvania, no? Don't just close the barn door after the horse runs off, build a fence around the barn.

    And it's lovely to behold a blogging linguist acquainted with statistical analysis and signal processing decry the advancing ubiquity of smartphones, temporarily held at bay by the humble fob.

    "Do I contradict myself? Very well then, I contradict myself. I am large, I contain multitudes."

  21. Ralph Hickok said,

    June 6, 2018 @ 6:15 am

    I have long suspected that "dongle" is related to "dangle," perhaps even as a deliberate mispronunciation.

  22. Ralph Hickok said,

    June 6, 2018 @ 6:17 am

    @Mike Anderson:
    If you edited articles about information security, as I do, you might not be quite so dismissive of two-factor authentication.

  23. Jim Breen said,

    June 6, 2018 @ 6:25 am

    A 2009 LL article (http://languagelog.ldc.upenn.edu/nll/?p=1475) traces the word "dongle" back to the Dark Ages of 1982.

  24. J.W. Brewer said,

    June 6, 2018 @ 7:33 am

    I am now imagining a series of Great South Philadelphians of the past (Mayor Rizzo, Rocky Balboa, etc etc) being earnestly informed that they can no longer get through their daily routines without mastering this sort of two-step verification process. I'm thinking that dialect variation in vowel phonology would be the least serious part of the difficulty in explaining the new regime and why they needed to comply with it.

  25. Victor Mair said,

    June 6, 2018 @ 8:23 am

    From Michael Witzel:

    Harvard did the same some 2 years ago. But they offered us also a landline number. Complain!!

  26. Anna said,

    June 6, 2018 @ 9:27 am

    So that's what the little thingie on my keychain is called, fob or fub. In Icelandic it's "auðkennislykill" and for some years now I've used it to log onto my online banking account. But now they've decided that fobs/fubs aren't secure enough so they're phasing them out. I had to show up at my bank with a state-issued ID to have a banking-app installed in my smart phone. I don't know about people who don't have a smart phone, I suppose they'll just have to drive to the the bank to do their day-to-day banking.

  27. Chris Button said,

    June 6, 2018 @ 9:53 am

    Don't know about other Americans, but the vowel in "fob" is drastically longer than that in "fub" for me.

    To me (AusE) the vowels in fob and fub seem the same length, i.e. short.

    In General American English the vowel in "fob" /fɑːb/ is distinctively long, but not so in other varieties of English that also have an unrounded /ɑ/ in such an environment (AusE should normally be short and rounded). I wonder if Phil is saying something more like /fɑb/ without the length which, due to its shortness, is then encroaching on the space of what could sound to an American ear (tuned to pick up on the length distinction) more like /fʌb/ "fub" with its short unrounded vowel? That, or Phil is simply saying the word "fub" rather than "fob".

  28. Robert Coren said,

    June 6, 2018 @ 10:02 am

    @tangent: Hence the closing lines of Gilbert & Sullivan's Trial by Jury, where the usage puzzled me on first encounter:

    Though Defendant is a snob,
    I'll reward him from my fob,
    So we've finished with the job,
    And a good job too!

    Presumably the Judge means that he's going to give the Defendant some pocket change.

  29. Peter B. Golden said,

    June 6, 2018 @ 10:33 am

    The security measures will bring us all back to pen and paper. I have an ancient cell phone (turned on only when traveling), a flip-top. I am not smart enough for a smart phone. Philly accent: in an early foray into Philadelphia, many decades ago, I was looking for a street that would get me back onto I-95. A local truck driver directed me to "Rice Street" – it turned out to be Race Street. The Philly accent belongs to the Atlantic coastal grouping/dialect. It is heard in New Jersey and as far south as Maryland.

  30. bobbie said,

    June 6, 2018 @ 10:59 am

    Am I the only one who thinks these song lyrics from the 70s were
    a warning?

    Rikki don't lose that number
    You don't wanna call nobody else
    Send it off in a letter to yourself
    Rikki don't lose that number
    It's the only one you own
    You might use it if you feel better
    When you get home

    Read more: Steely Dan – Rikki Don't Lose That Number Lyrics | MetroLyrics

  31. Luke said,

    June 6, 2018 @ 11:31 am

    @Ethan: I suppose having misnamed the device in the first place could lead a scramble to rename.

    @Philip Taylor: at least here in the northeastern US, most people heard as far as "dong" and began to chuckle as it's slang for penis in these parts. I assumed that was universal but that may not have been fair.

  32. DWalker07 said,

    June 6, 2018 @ 1:52 pm

    Of course Phil from Philly is named Phil.

    Like you, I resisted getting a cell phone … until just recently. Having 5 computers ought to be enough; I didn't want a cell phone. But I finally succumbed to that, although I rarely carry it with me.

    I also have a key-fob for logging in to one site… I have had that for many years.

  33. SamC said,

    June 6, 2018 @ 2:46 pm

    @S Frankel
    One of my favorite parts of the philly accent is "ale->ell" – so "tail" & "tale" sound a lot like "tell." "Bagel" also sounds like "beggle." However, no one I know around here eats chiz.

  34. TIC said,

    June 6, 2018 @ 3:30 pm

    Peter B. Golden: I can hear that truck driver's voice almost as clearly as if I were there… And I'd bet my bottom dollar that he actually pronounced it something along the lines of "Ri-Shtreet"…

  35. Jeremy Fry said,

    June 6, 2018 @ 4:38 pm

    I encountered the acronym FOB as Faecal Occult Blood. This led to me having a colonoscopy.

  36. Chris C. said,

    June 6, 2018 @ 7:15 pm

    @lemon — Yes it can, but the object under discussion was the electronic device we often now use to unlock our cars.

  37. richardelguru said,

    June 7, 2018 @ 6:01 am

    When I saw the titular 'Fub' I thought it must be a flub.

  38. Anthony said,

    June 7, 2018 @ 8:45 am

    If people have a problem with "dongle" is "donkey" also avoided?

  39. mg said,

    June 7, 2018 @ 1:17 pm

    That's crazy! Every two-factor authorization system I use offers at least one non-fob alternative to using a cell phone. Like MIT, my university uses Duo, which means I can have it call my phone (and can choose whether to have it call my work or home number!) whereupon I just answer and press 1. Work and my bank also allow me to get a security number by email as well as text. There's no excuse for making text the only possible way to use it.

  40. Viseguy said,

    June 7, 2018 @ 7:39 pm

    I used to have to append a random 8-digit number emitted by a f(o|u)b to my regular password in order to log in remotely to work. The number changed every 30 seconds, so the least distraction while typing meant you had to start all-the-fuck over again. We've since moved to a different second step: Once you enter your normal password, the system rings your cellphone and asks you to enter a 4-digit PIN (you choose the PIN and it doesn't change). That's a lot more convenient. I see no reason why such a system wouldn't work with any touch-tone phone, including a landline, but a landline would kinda sorta limit the remoteness of the remote login. Surely UPenn could come up with something more user-friendly than a fuck! I mean … fub!

  41. stephen said,

    June 7, 2018 @ 8:12 pm

    They are doing everything they can to make sure communications are secure and everybody is behaving…they want to make sure there's no hanky-PennKey.

  42. Ralph Hickok said,

    June 7, 2018 @ 9:40 pm

    Unfortunately, security and "user-friendly" aren't good partners because the more user-friendly access to a system is, the easier it is for hackers to break in, and what seems to be a very minor breach can very quickly become an enormous opening.

    For example, the famous hacking incident that cost Target $18.5 million began with the hackers entering through the air-conditioning equipment. Target actually did a pretty good job of securing the system, but the company that provides its HVAC services.

  43. Alexi said,

    June 8, 2018 @ 2:53 pm

    @Anthony No, but only because the alternative is "ass."

  44. Chris C. said,

    June 8, 2018 @ 4:32 pm

    Just wanted to add that these fobs are nothing new. The online game World of Warcraft has been using them for years. They call them "authenticators", and it's probably a good indication of the extent of the hacking problem suffered by some online games that they implemented 2-factor authentication at least a decade before it started to become common in corporate America and academia.

  45. D.O. said,

    June 8, 2018 @ 10:32 pm

    …I don't have a cell phone

    You are my hero. Let's make it to internet age: YAMH.

  46. Idran said,

    June 9, 2018 @ 10:34 am

    For people wondering why it's cellphone-only: if they're offering a fob as a replacement, it sounds like this isn't the "verification number" security schema, but an alternate schema that doesn't require _transmitting_ a number at all.

    The way it works is you have a secure pseudorandom-number generation algorithm with a specific key, that key being unique to each individual account. On the user-end, your individual key is in some way combined with the current time (as subdivided into around 15-second intervals or so) to generate a unique value without any communication with the server. When you send the number after putting in your username and password, the system calculates a number in exactly the same way using your unique key and the time at which you sent the login request.

    This way, you have a unique secure value that was never sent to you in the first place, reducing the possibility of it being intercepted. A hacker literally can't know what number you'll be sending back to the server, because it was never sent to you in the first place but rather generated algorithmically; they would have to know the unique key assigned to your account, which they can't know without infiltrating the server in the first place anyway.

  47. Zerokey said,

    June 10, 2018 @ 8:52 am

    The algorithm Idran describes is called TOTP, Time-based One-time Password algorithm. Its implementation is formally specified in RFC 6238: https://tools.ietf.org/html/rfc6238.

  48. James Wimberley said,

    June 10, 2018 @ 1:25 pm

    In his very first published SF story, Philip K. Dick invented a Martian creature called a "wub", "an enormous pig-like creature" (Wikipedia) that turns out to be both comestible and alarmingly intelligent. Wub authentication would solve a lot of problems.

RSS feed for comments on this post