After re-reading the topics on the forum, and everyday news talking about account hackings (even on Upwork), I can't understand the reason why Upwork is not a secured portal (and indeed, is the least secured portal), compared to other sites...
It's 2018 and there isn't yet 2-factor authentication (like Google Authenticator). Even all crappy sites have that option.
QR codes are a nice way to do that, instead of sending SMS (as we use QR-code password generator apps not only on the phone, but on Windows too, so SMS is not a good way). It's so simple to implement QR-code-based 2FA. Why don't we have that?
Another issue is that the "security measures" that exist on Upwork are even poor - for example, even if you turn on the existing "2-factor", in other channels apart from the website, one can again log in with a simple username and password (like the Upwork desktop app).
I am not really satisfied with security. I don't know why they are not implemented to date.
@Bojan S wrote:
We appreciate your feedback. Currently, we offer 2-step verification via password and security question or text message.
That is not "Two Factor Authorisation" which has been "on the roadmap" for quite some time but still not implemented.
The two-step verification is not working fine, as on Upwork once you turn on the verification for the first time it gives you the code to activate it, but once it is activated it will not provide you a text message every time you log out and log in again.
I have even tried it from a different machine; I logged in from a different computer but it never prompted or asked for a phone verification code, whereas in Gmail if you log in from another machine it will definitely ask you for the text code.
So this is an interesting question and also very important. From what I see Upwork is supposed to support 2-factor authentication. That is your password (one factor) and either an email or an SMS code (second factor). The site does offer that. However, in practice the site does not appear very judicious about actually requiring both factors. As noted, you can log out and back in, even from two different browsers, and the second factor is never asked. The help document says the following (I added bold to a key statement):
"Your security question is generally used to access specific parts of your account and phone verification is generally used at login, but either could be required when our security systems detect a login attempt or other operation that appears high-risk."
It would seem that for the second factor to kick in, the login must appear to be high risk to whatever algo UW uses. Perhaps this is from a known range of suspect IP addresses or maybe even an IP address that is different from the range you normally use to access your account. It may be interesting to take a laptop to an outside wifi and see if that is enough to trigger the ask of a second factor.
Net, I see the site is creating a second factor but how it's ever used is a mystery for now. If someone tries it in two totally different environments, please post results. For now either the process is totally broken or the algo doesn't think these different logins are "high-risk" enough.
Bojan, almost one year has gone.
I've tried to log in from another PC, and it didn't ask me for the 2-step code.
Can you tell me, I surely say (not 99%, but 100%) that there existed no reasons during all these years why UW doesn't have a good 2FA, like all other sites have.