Re: Two-Step Verification Updates

Lena E, Community Manager, Member Since: Apr 7, 2015
1 of 10

In 2017, we introduced two-step verification to all freelancers and clients at login as an additional account security measure. Two-step verification helps prevent unauthorized access to accounts by requiring you to enter your password along with a unique code. Since enabling two-step verification, we have heard your feedback around two main themes: you want to have more control over when you are prompted for the verification, and over how you receive the unique code.

We enabled Two-step verification to be triggered whenever we saw risky or abnormal activity, which prompts the extra layer of security that helps protect your account at login to make sure no one is trying to access your account.  Yet many of you requested to have more control over when this security is triggered. We’ve seen frequent requests to be prompted for a verification code at every login, giving you the added assurance that your account is always secure. 

The verification code is sent through SMS. However, we know that receiving a text message verification code is not always convenient or reliable. In your comments and feedback, several of you have mentioned not receiving the text code and requested an alternate method like an authenticator app.

What has changed:

Well, we have incorporated both of these requests into our updates for two-step verification, providing the extra layer of security customized to the experience you would like to see.

In your Verification Settings, you will soon be able to choose how you want to verify your account: through text message verification or an authentication app. You can also choose when you want to be prompted for the verification step: at high-risk logins, as it defaults to today, or every time you log in to your account.

[Image: verification settings_-_all_enabled.png]

To enable authenticator verification or text message verification, go to Settings > Password & Security and choose Enable next to the verification method you prefer.

Note: You must first have a security question enabled before enabling the other security settings.

[Image: two-step_card_-_none_enabled.png]

How it works:

Two-step verification is two steps. The first step is always to enter your password; the second step is to complete an additional authentication step, like answering a security question, entering a code sent to your phone, or generating a code using an authenticator app (NEW).

 

When prompted, you simply type the code into the input box and press Confirm to log in:

[Image: verification settings.png]

For those of you unfamiliar with an authenticator app, it is an application that is usually installed on a smartphone and generates a 6-8 digit passcode every 30 seconds. This is a standardized method for generating a regularly changing code from a secret that is shared between Upwork and your phone and no one else. You can choose from many different (and mostly free) authenticator apps for your mobile device. Google Authenticator is a popular app that is available in both the App Store and Google Play.

 

These updates to two-step verification will be released in the coming week. Let us know if you have any questions.

Petra R, Community Guru, Member Since: Aug 3, 2011
2 of 10

Lena E wrote:

    These updates to two-step verification will be released in the coming week. Let us know if you have any questions.

Probably best to get the in-product messaging fixed before then ;) We'd not want users bellowing at boxes...

[Image: bellow.png]

Vladimir G, Moderator, Member Since: Oct 31, 2014
3 of 10

Thanks for flagging, Petra! We'll communicate with our team to check the pop-up notification in question and ensure our communication and guidelines are error-free.

Rene K, Community Guru, Member Since: Jul 10, 2014
4 of 10

Dear Upwork,

The use of an authentication application (Google Authenticator, for instance) is a very good idea, but only when you give the user a set of recovery codes in case something happens to the device that runs the authenticator app.

Without these recovery codes, if you end up not having your smartphone for any reason, you're locked out of your Upwork account.

Since Upwork doesn't give any recovery codes, I would strongly advise anyone not to use this security method.

-----------
"Where darkness shines like dazzling light"   —William Ashbless
Lena E, Community Manager, Member Since: Apr 7, 2015
5 of 10

Hi Rene,

That's not correct; there's no scenario in which users have no way to get back into their account.

Our new flow gives users two strong authentication choices: (1) the authenticator token, which is strongest, and (2) the text message one-time password, which is our second strongest option. We will DEFAULT to the strongest option a user enables, OR to the option a user tells us they prefer by setting preferences.

If a user is locked out of their smartphone or is unable to access either of these two options, we automatically challenge them with other options or give them a DIRECT PATH to contact CS. For security reasons we cannot share the full details of this flow, but have confidence knowing that we will not lock users out of their Upwork account and will always provide an accessible option of recovery.

Rene K, Community Guru, Member Since: Jul 10, 2014
6 of 10

Thanks Lena, got your e-mail and I'll speak with Karrie soon. Still, recovery codes are really a must while using authenticator apps, and I think you guys should really consider using them. Also, it saves your CS lots of time and trouble, since with these codes people don't need to contact you.

Also, not having them contact you shields them from social engineering exploits.

Anyways, I'll share some thoughts with your team.

But I love authenticator apps for 2FA because they add a good security layer, and I've been advocating for this for years, so I should express some appreciation to you guys for implementing it!

Cheers.

-----------
"Where darkness shines like dazzling light"   —William Ashbless
Wendy C, Community Guru, Member Since: Aug 24, 2015
7 of 10

+ 1 @ Rene

Roman D, Active Member, Member Since: Nov 23, 2017
8 of 10

Hi Lena.

Lena E wrote:

    If a user is locked out of their smartphone or is unable to access either of these two options, we automatically challenge them with other options

Just for my information, does this mean the old security question?

(There's a caveat that, if the security question is still asked sometimes outside of the phone-unavailable case, the answer can be sniffed or stolen by malware together with the password, as opposed to recovery codes that are only used one time, and until then can be stored in a safe offline. However, if the one-time authentication-app codes fully replace the security question before the recovery, then the answer is mostly safe.)

Lena E, Community Manager, Member Since: Apr 7, 2015
9 of 10

While we can't share all the details about the flow, rest assured, the user will be presented with secure options to access their account if they can't access their smartphone.
Roman D, Active Member, Member Since: Nov 23, 2017
10 of 10

Well, loss of a phone is a pretty routine occurrence, and I'd like to have a plan for it. With recovery codes or fallback to the security question, I can make sure that they will work for me. With calls to the support, not so much: for the support, it's a balance of decision between legitimate calls and social engineering—while adding this workload will make them more prone to mistakes and misjudgement. And who knows if I get good connectivity and conditions for a call when I need them. So I'll have to treat the recovery procedure as a game of chance, even if fairly certain—unless I set up extra backup devices for OTP.
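Added example, not part of any post in this thread and not Upwork's code: Rene K's post (4 of 10) asks for recovery codes, and Roman D's posts (8 and 10 of 10) spell out the properties that make them safer than a security question: each code works exactly once, and until it is used it can sit offline in a safe. The block below shows the server side of that design with only the standard library. Codes are drawn from a random alphabet with no look-alike characters, the server stores only their SHA-256 hashes (a password-style KDF is unnecessary because the codes are machine-generated with about 49 bits of entropy, not user-chosen), a submitted code is matched in constant time and deleted on first use, and the store reports how many remain so the user can be told to generate a fresh set. The RecoveryCodeStore class, the alphabet and the code format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed alphabet: lower-case letters and digits with 0/o, 1/l/i removed
# so a code read back from paper is not mistyped.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_CHARS = 10  # 31**10 is roughly 2**49.5 possibilities per code


def _normalize(code: str) -> str:
    """Accept what the user is likely to type: any case, with or without the dash."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _hash_code(code: str) -> str:
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def generate_recovery_codes(count: int = 10) -> list:
    """Produce `count` single-use codes formatted as xxxxx-xxxxx.
    These plaintext codes are shown to the user exactly once; the server
    keeps only their hashes (see RecoveryCodeStore)."""
    codes = []
    while len(codes) < count:
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_CHARS))
        code = f"{raw[:5]}-{raw[5:]}"
        if code not in codes:  # guard against the (vanishingly rare) duplicate
            codes.append(code)
    return codes


class RecoveryCodeStore:
    """Hypothetical server-side record for one account: a set of code hashes.
    A hash is removed the moment its code is redeemed, so the same code
    can never be accepted twice, unlike a security question answer."""

    def __init__(self, plaintext_codes):
        self._hashes = {_hash_code(c) for c in plaintext_codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Return True and burn the code if it matches an unused one."""
        candidate = _hash_code(submitted)
        for stored in list(self._hashes):
            # compare_digest keeps the comparison time independent of
            # where the first differing byte is.
            if hmac.compare_digest(stored, candidate):
                self._hashes.discard(stored)
                return True
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Give these to the user once, tell them to store them offline:")
    print("\n".join(codes))
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]))    # True
    print("second use:", store.redeem(codes[0]))   # False, already burned
    print("codes left:", store.remaining())        # 9
```

Usage note: redemption should be rate-limited like any other second factor, and when `remaining()` drops to a low number the login flow should prompt the user to regenerate the set (which replaces every stored hash, invalidating any old codes that may have been photographed or copied).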
