Additional Verification for SSO

1. Welcome to Additional Verification

This page tells you about the Additional Verification service that is used to control access to University resources that require an extra level of security.

If you have arrived here because you have just registered your mobile phone number successfully then congratulations! You are ready to use Additional Verification and can simply access the resource you require as you have been instructed.

If you want to know more about this service or need some help using it then please read on...

2. What is Additional Verification?

Additional Verification allows you to use your Single sign-on account to access resources that require an extra level of security. The system is similar to those used by many banks when you transfer money from your account online. Additional Verification is invoked by an application when it requires extra assurance that you really are you, perhaps because you are doing something that is of high sensitivity or high importance.

When you try to access something that is protected by this service you are taken to a page from where you can request a text (SMS) message containing a single-use code to be sent to your mobile phone. On receipt of it you enter this code into our Single sign-on system in a similar fashion to entering your SSO username and password. You are authenticated with higher assurance because the authentication depends on something only you have (your mobile phone) as well as something only you know (your password).

Each SMS code is valid for login for 15 minutes from issue (not from receipt). This means that if it has not arrived 15 minutes after you requested it, then it won't be valid and you'll need to restart the login process. This should be an extremely rare event.

In the future, alternative methods of Additional Verification may be added that might use something other than a text message to your mobile as the additional step.


3. How to register for Additional Verification

To use Additional Verification you must have a mobile phone (preferably with a UK number) that is able to receive text messages (sometimes known as SMS messages). We must also have on record at least one contact email address for you.

If you are a virtual card holder, please ensure you have registered an email address with us. Unfortunately, if you didn't already have an email address registered with us, you will need to wait until the next day before you are then able to register for Additional Verification.

To register for Additional Verification, visit the registration page to register your mobile phone, where you will be asked for a few personal details to assure the system that you are really you.

Next you are asked for your mobile number, and a code is sent to you which you must type into the registration page to prove that you have the mobile phone that receives text messages on the number you provided. Non-UK phone numbers should be entered with a "00" prefix before the country code.

If that all works then you have succeeded in registering your mobile phone for the Additional Verification service. Well done!

You'll be notified by email every time a mobile number is registered against your Single sign-on account. If you receive such a notification, and you haven't tried to register a new mobile number, please let us know without delay.

4. How to use Additional Verification

Once you have registered your mobile number you don't have to do anything special to use Additional Verification.

There are a couple of checks you should make every time you use this service, which will help ensure that your interactions with services secured by it are secure.

  • The address bar in your browser should start with https://, not http://.
  • You shouldn't ignore any certificate-related warnings from your web browser; instead, consult your IT Staff or the IT Services Help Centre before proceeding further.

Checks completed, you simply access the service you require using the URL (web link) of that service and the instructions provided to you by the service owner. If you haven't already done a normal Single sign-on username and password login (as you would for a conventional weblearn site), you'll be asked to do that. You'll then be taken to a screen with a "Request new code" button, which you use to get a code sent to your phone; you must input that code when you receive it. It's as simple as that!

If you know you are going to be using this service in a place where you can't have a mobile phone switched on, or where there is no reception, then you can request a code up to 15 minutes in advance and use it when you are ready (so long as it's within 15 minutes).
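
The code lifetime described in sections 2 and 4 (single use, valid for 15 minutes from issue rather than from receipt), sketched as an added server-side example. This is not IT Services' own code; the CodeStore class, the six-digit code length and the five-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 15 * 60   # from the page: valid for 15 minutes from issue
MAX_ATTEMPTS = 5             # assumption: the page states no attempt limit


class CodeStore:
    """Hypothetical in-memory store holding one pending code per account."""

    def __init__(self):
        self._pending = {}   # username -> [sha256(code), issued_at, failed_attempts]

    def issue(self, username, now):
        """Create a code; a new request replaces any earlier pending code."""
        code = f"{secrets.randbelow(10**6):06d}"   # assumption: six digits
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[username] = [digest, now, 0]
        return code   # passed to the SMS gateway; only the hash is kept

    def verify(self, username, submitted, now):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no-code'."""
        entry = self._pending.get(username)
        if entry is None:
            return "no-code"
        digest, issued_at, _ = entry
        # The clock starts at issue, so SMS delivery delay eats into the window.
        if now - issued_at > CODE_TTL_SECONDS:
            del self._pending[username]
            return "expired"
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[username]   # single use: a replay finds nothing
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[username]   # force a fresh code after repeated misses
            return "locked"
        return "wrong"


def demo():
    """Constructed scenario: times are seconds since an arbitrary start."""
    store = CodeStore()
    early = store.issue("constructed-user", now=0)
    results = [store.verify("constructed-user", early, now=14 * 60),
               store.verify("constructed-user", early, now=14 * 60 + 5)]
    late = store.issue("constructed-user", now=1000)
    results.append(store.verify("constructed-user", late, now=1000 + 15 * 60 + 1))
    return results   # ['ok', 'no-code', 'expired']
```
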

5. What if I change my mobile number?

If you change your mobile number, either as a result of loss or for any other reason, then you will need to register the new number in the same way as you originally registered. The new number will overwrite the old one. You don't need to de-register the old number first.

There is currently no way to "wipe" a mobile number from your Single sign-on account. This is not a problem as once you know you have lost the phone you can quickly change your Single sign-on password and have your mobile provider disable the lost phone so it can't receive text messages to your number. Remember your phone is useless for Additional Verification in the wrong hands as the new "owner" won't know your username and password.

See the next section for more on what to do if you lose your phone.

6. What if I lose my mobile phone?

There is no need to panic if you lose your mobile phone; however, there are two steps you should take if this happens:

  • You should change your Single sign-on password just in case it is stored somehow on that phone - this particularly applies to smartphones that you might also be using to access your email.

  • You should get the lost phone blocked by your mobile service provider.

While you are waiting for a replacement phone you will not be able to use resources that need Additional Verification unless you register a different mobile phone to use for that purpose. Alternatively, if your replacement phone keeps your lost phone's number then you can safely restart using Additional Verification once you are happy that you can receive text messages to your original number.

7. Troubleshooting

If you don't receive the SMS text message you requested containing the verification code then please check the following before contacting the IT Services Help Centre or your own IT Support Staff.

  • Is your phone switched on with a healthy battery?
  • Does your phone have reception? If not you can request a code up to 15 minutes before you'll need it.
  • Was the correct mobile phone number displayed on the verification page after you requested a code, i.e. was it yours?
  • Does your phone have space available in its inbox for incoming messages? (try deleting some old text messages if not).

It may be that your mobile operator has a backlog of SMS text message traffic, causing delays. In that case we recommend trying again later.


Written by IT Services. Latest revision 6 April 2018