Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Main Service Page

Penn WebLogin two-step verification: Information for LSPs

Two-step verification support model

In general, Penn's two-step verification process is self-supporting. Users have multiple means of recovery if they lose or otherwise do not have access to their device:

  1. printed one-time-use codes meant to be kept in the wallet
  2. one-time-use codes sent to backup phone numbers by text and/or voicemail
  3. opt-out via the phone-a-friend process.

If users require support beyond the self-support mechanisms, such support follows the standard LSP model. Local Support Providers provide first-tier support to users, giving assistance with enrollment and use as necessary, and troubleshooting prior to escalation. If issues persist, LSPs can escalate to the ISC Provider Desk. Provider Desk staff can troubleshoot further and opt users out of two-step verification as necessary, escalating to the two step developers and Weblogin team as necessary for fixes or change requests.

Troubleshooting information for LSPs

If a user is unable to log in, the following self-service methods are available:

Has the user trusted a browser?
If the user has logged in during the past 30 days from a browser they opted to trust, the first thing they should try is to log in from that browser. Otherwise, their options depend on what they set up at the time they opted in (see below).

Did the user print out backup codes?
Backup codes are a list of 6-digit numbers, hopefully stored in a secure place like a wallet or locked file drawer, that were generated either at the time the user opted in, or later, using the Two-step verification settings page. The user may use these just as they would the codes provided by an authenticator application. Each backup code can be used once and the codes must be used in sequence.

Did the user designate a backup phone?
If so, they can have a one-time code sent to it via text or voicemail (however they designated it at opt-in) by going to the Two-step verification settings page and selecting "I am having trouble logging in." They can then use this code to simply log in and access whatever they were trying to access, or log into the Two-step verification settings page and opt themselves out.

Did the user designate a friend to opt them out?
If so, they can go to the Two-step verification settings page, select "I am having trouble logging in" and ask the friend(s) to opt them out. Next they should contact the friend by phone to ask them to go to the same interface and opt them out. The friend should verify the requester's identity by voice, not email, since email can be forged easily. The friend can click "Help a friend" to opt the requester out.

In addition to authenticating while a device is unavailable, LSPs should be aware of other possible issues, such as:

  • Users believing they're finished after installing an authenticator app and not actually opting in to the system.
  • Users not knowing how to scan QR codes.
  • Users not understanding the concept of entering a second factor.
  • Users not knowing how to install apps on their mobile device.
  • Users not having their iTunes/Google Play password to install apps.

Escalating an issue

In case of an issue that an LSP cannot resolve, the LSP should:

  1. It is the LSP's responsibility, prior to contacting the Provider Desk, to positively verify the user's identity using one of the following mechanisms, or by voice (and/or video) if the LSP knows the user:
    1. user either shows PennCard to LSP in person; or
    2. if user can't go to LSP in person, LSP may contact user at their phone number of record and verify the user's voice; or
    3. user contacts LSP, who in turn sends email with an arbitrary, random secret to the user's email address of record and follows up with the user over the phone (not necessarily his/her number of record, and potentially using Skype or equivalent) and verify that they have the random secret (in addition to recognizing the user's voice).
  2. Submit a Remedy ticket to Provider Desk to request opt-out of the user. This request must be submitted via the Provider Desk's Remedy webform to ensure the LSP's identity.

The Provider Desk staff will do additional troubleshooting as necessary and work to resolve the issue (by opting out the user, escalating the issue to the development team, etc.).

Service Alerts


Information Systems and Computing
University of Pennsylvania
Comments & Questions

Penn Computing University of Pennsylvania
Information Systems and Computing, University of Pennsylvania