Update: In January 2021, we will be releasing Upwork mobile app prompts that you can enable as another account security measure. See updated information and screenshots below.
In 2017, we introduced two-step verification for all freelancers and clients at login as an additional account security measure. Two-step verification helps prevent unauthorized access to accounts by adding an extra layer of security when you need it most. In 2017 the only two-step verification option we offered was entering a unique code sent by text message after entering your password at login. Since then, we have heard your feedback around two main themes: you wanted more control over when you are prompted for extra verification, and you wanted more options for how you can verify.
In response to your feedback, earlier this year we gave you the option to be prompted to “verify it’s you” at every login, in addition to our verifying whenever we see risky or abnormal activity. Because we know that receiving a verification code by text message is not always convenient or reliable, we’ve introduced more verification options.
What has changed:
In the first half of this year, we gave you more control around when you’d be challenged to verify, and we added a new way for you to verify (using an authentication app). Starting in January 2021, we’ll have yet another way for you to secure your account when we introduce mobile app prompts for verification.
In your Password & Security Settings, you will be able to choose from any of the following verification options: text message verification, using an authentication app, or via new mobile app prompts. You can still set your preferences to be prompted to verify at every login, or leave the default setting, which is to be prompted whenever we see risky activity.
Note: You must first have a security question enabled before you can enable the other security settings.
How it works:
Two-step verification means verifying “it’s you” in two steps. The first step is always to enter your password, the second step is to complete an additional action like answering a security question, entering a code sent to your phone or generated by your authenticator app, or confirming a prompt from your Upwork mobile app (NEW).
When prompted, you simply follow the instructions to answer a question, enter a code, or open a prompt to “confirm it’s you”.
Open a prompt to your phone and confirm it’s you in the Upwork mobile app
Note: You must stay signed into the mobile app to use mobile app prompts for verification. If you sign out of the Upwork app we’ll use an alternative method for verifying that “it’s you” at your next login.
For those of you unfamiliar with authenticator apps, they are applications, usually installed on a smartphone, that generate a 6-8 digit passcode every 30 seconds. This is a standardized method for generating a regularly changing code from a secret that is shared between Upwork and your phone, and no one else. You can choose from many different (and mostly free) authenticator apps for your mobile device. Google Authenticator is a popular app that is available in both the Apple and Google Play stores.
If you would like to use our new mobile app prompts for verification, you must first download the Upwork app from either the Apple or Google Play store. You can find more information on all the Upwork mobile apps here.
Lena E wrote:
These updates to two-step verification will be released in the coming week. Let us know if you have any questions.
Probably best to get the in-product messaging fixed before then. We'd not want users bellowing at boxes...
Thanks for flagging, Petra! We'll communicate with our team to check the pop-up notification in question and ensure our communication and guidelines are error-free.
The use of an authentication application (Google Authenticator for instance) is a very good idea, but only when you give the user a set of recovery codes in case something happens to their device that runs the authenticator app.
Without these recovery codes, if you end up not having your smartphone for any reason, you're locked out from your Upwork account.
Since Upwork doesn't give any recovery codes, I would strongly advise anyone to not use this security method.
That’s not correct; there's no scenario in which users have no way to get back into their account.
Our new flow gives users two strong authentication choices: (1) the authenticator token, which is strongest, and (2) the text message one-time password, which is our second strongest option. We will DEFAULT to the strongest option a user enables, OR to the option a user tells us they prefer by setting preferences.
If a user is locked out of their smartphone or is unable to access either of these two options, we automatically challenge them with other options or give them a DIRECT PATH to contact CS. For security reasons we cannot share the full details of this flow, but have confidence knowing that we will not lock users out of their Upwork account and will always provide an accessible option of recovery.
Thanks Lena, got your e-mail and I'll speak with Karrie soon. Still, recovery codes are really a must while using authenticator apps and I think you guys should really consider using them. Also, it saves your CS lots of time and trouble since with these codes people don't need to contact you.
Also not having them contacting you shields them from social engineering exploits.
Anyways, I'll share some thoughts with your team.
But I love authenticator apps for 2FA because they add a good security layer and I've been advocating for this for years, so I should express some appreciation to you guys for implementing it!
Lena E wrote:
If a user is locked out of their smartphone or is unable to access either of these two options, we automatically challenge them with other options
Just for my information, does this mean the old security question?
(There's a caveat that, if the security question is still asked sometimes outside of the phone-unavailable case, the answer can be sniffed or stolen by malware together with the password—as opposed to recovery codes that are only used one time, and until then can be stored in a safe offline. However, if the one-time authentication-app codes fully replace the security question before the recovery then the answer is mostly safe.)
Well, loss of a phone is a pretty routine occurrence, and I'd like to have a plan for it. With recovery codes or fallback to the security question, I can make sure that they will work for me. With calls to the support, not so much: for the support, it's a balance of decision between legitimate calls and social engineering—while adding this workload will make them more prone to mistakes and misjudgement. And who knows if I get good connectivity and conditions for a call when I need them. So I'll have to treat the recovery procedure as a game of chance, even if fairly certain—unless I set up extra backup devices for OTP.
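The recovery-code scheme argued for in this thread (the post above and the earlier one proposing recovery codes) has two properties worth showing in code: each code works exactly once, and the server stores only salted hashes, so a copy of the database does not yield usable codes. The following is an added example, not Upwork's code or any description of its flow; the alphabet, code length and storage layout are my own choices for illustration. It also shows why a one-time code differs from a reusable security-question answer: a code that has been redeemed (or captured and replayed) is rejected the second time.

```python
import hashlib
import hmac
import secrets

# Alphabet without visually confusable characters (no 0/o, 1/l/i); a 10-character
# code from this set has roughly 49 bits of entropy, far beyond online guessing.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, length: int = 10) -> list[str]:
    """Produce `count` random codes for the user to print or store offline."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            for _ in range(count)]


def normalize(code: str) -> str:
    """Tolerate the ways people retype codes: case, whitespace, group hyphens."""
    return "".join(ch for ch in code.strip().lower() if ch not in "- ")


def _digest(code: str, salt: bytes) -> str:
    # Codes are high-entropy random strings, not user-chosen passwords, so a
    # salted SHA-256 is enough: there is no dictionary to run against them.
    return hashlib.sha256(salt + code.encode()).hexdigest()


class RecoveryCodeStore:
    """What the server keeps per account: a salt and hashes of unused codes.
    The plaintext codes exist only on the user's side after enrollment."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = {_digest(normalize(c), self.salt) for c in codes}
        self.used: set[str] = set()

    def redeem(self, submitted: str) -> bool:
        """Accept a code once. Returns True on first use, False on reuse or mismatch."""
        d = _digest(normalize(submitted), self.salt)
        match = None
        # Scan every stored hash with a constant-time compare and no early exit,
        # so response timing does not reveal which slot (if any) matched.
        for h in self.unused:
            if hmac.compare_digest(h, d):
                match = h
        if match is None:
            return False
        self.unused.discard(match)
        self.used.add(match)
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("give these to the user once:", codes)
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("replay:", store.redeem(codes[0]))      # False
    print("codes left:", store.remaining())
```

When the count of unused codes gets low, the sensible server behaviour is to prompt the user to generate a fresh set, which replaces all existing hashes; redeeming a code should also be logged as a security event, since it means the primary second factor was unavailable.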