
For any 2SV enrollment questions or concerns, be sure to add this ZD category to the ticket - Account information > Two-step verification enrollment

 

For steps on handling the “We see you need help with…” tickets, please see the User Login Trouble KB.

 

Self-serve “guides” are provided to customers throughout enrollment by way of ToolTips and “Learn more” links that redirect to our 2SV Help page

 

Helpful internal acronyms to know:

  • 2SV = two-step verification 
  • TOTP = time-based one time passcode (aka the authenticator app!)
  • OTP = one time passcode
  • MAP = mobile app prompt
  • SMS OTP = short message service one time passcode (aka a text message code!)

 

If a customer states they are internal, and/or the account has an @upwork.com or @cloud.upwork.com email address on file or as its registered email address, do NOT follow this KB process. However, if they still need assistance, do check user actions first (to see whether they successfully logged in). If they still need help, advise the customer to email accountsecurity@upwork.com directly for assistance.

What is two-step verification (2SV)?

As an additional security measure, all freelancers and clients go through a two-step verification process at login and/or if they try to change sensitive info in their account. This helps to prevent unauthorized access to accounts by requiring the customer to enter their password as well as an additional method of their choosing (ordered below from highest level of security to lowest - internal info):

  • Authenticator app code
  • Mobile app prompt 
  • Text message
  • Security question (if no options above are selected, this will be the default option)

 

Customers can find access to enable/disable these within Settings > Password & Security and they may get an option to set them up via the login flow if they hit certain criteria (they will only have the option to enable these other methods if they have a SQA set up first):

 

 

In addition to having the ability to enable the above, if they click on the gear icon on the top right (shown in the above SS), they can also set their verification preferences based on what they’ve enabled:

 

If they don’t select anything at all, Upwork will default to the most secure option first + “when my login or activity seems risky”.



To help best understand how our internal 2SV system works, check out this top-secret INTERNAL ONLY info (not to be shared with users!):

  • Emails with an OTP come into play for users in 3 cases

    • If they’re in a verification flow OR the update password flow and

      • they exhaust all of their options OR

      • they click “try another method” until they run out of options

    • If they are attempting to log in and they only have security questions set up for 2SV and they click on the “forgot my answer” link for SQ then they’ll be sent an email for OTP to reset their security question

  • How the hierarchy works (depending on whether they signed up for multiple "strong" options; if none, it’ll be security question x 3 > email one time passcode):

    • (1) 3 tries to make the authenticator app work and if failed…

    • (2) 3 tries to make Mobile app prompt work and if failed…

    • (3) 3 tries to make text message work and if failed…

    • (4) 3 tries to make email work and if failed...

    • (5) finally presented with a "Having Trouble?" screen. In each case the customer doesn't have to do anything special to prompt for more help. They will automatically be shown the next option when/if they exhaust their "3 tries".

    • (6) on the “Having Trouble?” screen, if the customer clicks “Proceed”, it will generate a form to fill out, which in turn generates a ticket to CS for help

  • Sudo > Settings > Password & Security will help show what customers have enabled in their account for security

  • OBO > User Actions will help showcase what kind of obstacles customers are running into and if they successfully managed to log in or not 

  • To be more secure, customers are not given every possible option at their fingertips when they are challenged for 2SV

    • e.g. If they’re signed up for “text message” as their 2SV option, after 1 attempt, if they notice their text message code is going to a wrong number, they won't have an "email" option to select. The system will ask them to simply try again.

  • They are "forced" into a hierarchy based on the strongest challenge type they enrolled for OR the preference they set

    • Remember that what they enrolled in and their preference was their choice and they can always change this later 

  • If customers are NOT enrolled for any of the options in our "strong" solutions hierarchy (Authenticator app code, Mobile app prompt or text message), they’ll be defaulted to 2 "mandatory" security options: (1) security question, and (2) email one-time passcode as the back-up to security question

  • As every customer MUST add an email address when they register an account, that mandatory email is the one we use as the security question backup in the "Forgot Security Question Answer" flow, and as the final "back-up" in our “Strong Options” flow, if they have trouble using their "strong" options
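
The escalation order described in the list above, modelled as a small state machine. This is an added illustration, not Upwork's code: the method identifiers, the `ChallengeSession` class and its function names are hypothetical, and the customer's own verification preference is not modelled.

```python
# Strong methods, strongest first, in the order this page lists them.
STRONG_ORDER = ["authenticator_app", "mobile_app_prompt", "text_message"]
MAX_TRIES = 3                      # "3 tries" per method
HAVING_TROUBLE = "having_trouble"  # final screen that can raise a CS ticket


def challenge_chain(enrolled):
    """Ordered challenges for a set of enrolled methods (names are hypothetical)."""
    strong = [m for m in STRONG_ORDER if m in enrolled]
    if strong:
        # Enrolled strong methods, then the mandatory email OTP as final back-up.
        return strong + ["email_otp"]
    # No strong method enrolled: security question, backed up by email OTP.
    return ["security_question", "email_otp"]


class ChallengeSession:
    def __init__(self, enrolled):
        self.chain = challenge_chain(enrolled)
        self.index = 0       # position in the chain
        self.failures = 0    # failed tries on the current method
        self.verified = False

    @property
    def current(self):
        if self.index >= len(self.chain):
            return HAVING_TROUBLE
        return self.chain[self.index]

    def submit(self, success):
        """Record one attempt and return the challenge shown next (None once verified)."""
        if self.verified:
            return None
        if self.current == HAVING_TROUBLE:
            return HAVING_TROUBLE
        if success:
            self.verified = True
            return None
        self.failures += 1
        if self.failures >= MAX_TRIES:  # tries exhausted: next method is shown automatically
            self.index += 1
            self.failures = 0
        return self.current

    def try_another_method(self):
        """Customer clicks “Try another method”: skip to the next challenge in line."""
        self.index = min(self.index + 1, len(self.chain))
        self.failures = 0
        return self.current
```
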

What does 2SV setup look like?

These are the mobile app screenshots, so this will vary slightly depending on their device.

Password & Security Flow Setup:

Enabling “Authenticator app code”:

 

 

Enabling “Mobile app prompt”:

 

 

Enabling “Text message”: 

 

Login Flow Setup:

 

 

Trouble Signing in with 2SV

Research that can help to understand the customer’s issue better

 

  • Sudo > Settings > Password & Security - this will help show what the customer has enabled in their account for security
  • OBO > User Actions - this will help showcase what specific obstacle the customer is running into (e.g. trying to access a “sensitive zone” like CC info in their account or just trying to log in to their account) + if they successfully managed to log in / gain access

In most of these cases, if the customer continues to try self-serve methods and they fail, they’ll eventually be prompted with the “Having Trouble?” screen which allows them to send a ticket to CS titled “We see you need help with…”. If working on these tickets, see here under the “We see you need help…” drop-down.

 

Otherwise, see the proper dropdown below based on the specific situation with your customer.

Customer says: challenged with authenticator app code, but they lost phone OR have a new phone OR the authenticator app was deleted from their phone:

The customer can click “Try another method” which will prompt them for the next security verification they have in line which should help get them into their account:



 

If this doesn’t work and/or they’re still stuck:

 

  • If they have a new phone, but still have access to their old phone, they’ll use that to get through, then go to Settings > Password & Security to switch OFF + delete this 2SV from their options. Once deleted, they’ll install Google Authenticator on their new phone and follow those steps to re-enable. The help article has additional instructions under “Set up an authenticator app for (TOTP) verification”, if needed.

 

  • If they don’t have access to the phone at all OR the Google Authenticator app was deleted from their current device, their 2SV needs to be reset. Follow the “CS handling process” here under the “We see you need help…” drop-down. 

Customer says: challenged with Mobile App Prompt, but lost phone / have a new phone and not receiving the prompt now:

When being challenged with the Mobile App Prompt, they’ll see this:

The customer can click “Try another method” which will email them a 6-digit code. They’ll be prompted to check their email. Once logged in, they’ll want to head to Settings > Password & Security to disable and re-enable Mobile App Prompt on their new device, if they still wish to use it.

 

If they have no access to the email on file, follow the “CS handling process” here under the “We see you need help…” drop-down. Be sure to collect the new email address for the customer, as well.



Customer says: challenged with Mobile App Prompt, but is not receiving the notification popup on their mobile device:

When being challenged with the Mobile App Prompt, they’ll see this:




The customer should click “Resend”.



If they are signed in to the Upwork app, but still not receiving the notification even after they click “Resend”, they may have notifications shut off. Recommend they ensure notifications are turned ON for their Upwork app in their device, then try “Resend” again.


If they are signed in to the Upwork app and confirmed notifications are ON, but they’re still not receiving the notification after they click “Resend”, there may be a larger issue. 

  • Please reach out to the proper team for support (Tech Army / Tech Support / Freelancer chat depending on your team & role)
  • While it’s ideal if no changes are made to the account for the investigation, we don’t want to hinder the customer’s experience. If the customer needs to get in immediately, collect as many details of the current experience as possible, then follow the “CS handling process” here under the “We see you need help…” drop-down to help get them access back to their account.

Customer says: challenged with Text Message code, but never received the text message with a code:

The customer can click “Resend” to try again or “Try another method” which will prompt them for the next security verification they have in line which should help get them into their account:

 

If they have a new phone number, but still have access to their old phone number, they’ll use that to get through, then go to Settings > Password & Security to switch OFF + delete this 2SV from their options. Once deleted, they can turn it back on for their new phone and follow those steps to re-enable. The help article has additional instructions under “Enable text message verification”, if needed.

 

If they don’t have access to the number their 2SV is connected to, their 2SV needs to be reset. Follow the “CS handling process” here under the “We see you need help…” drop-down.

 

If this is not a new phone number situation, but they’re still not receiving the text message, there may be a larger issue. 

  • Please reach out to the proper team for support (Tech Army / Tech Support / Freelancer chat depending on your team & role)
  • While it’s ideal if no changes are made to the account for the investigation, we don’t want to hinder the customer’s experience. If the customer needs to get in immediately, collect as many details of the current experience as possible, then follow the “CS handling process” here under the “We see you need help…” drop-down to help get them access back to their account.

QT [Sept 2023] NEW 2SV Setup

These are the mobile app screenshots, so this will vary slightly depending on their device.

 

Please be sure to add this ZD category for anything related to enrollment, even with these cases - Account information > Two-step verification enrollment

Password & Security Flow Setup:

Enabling “Authenticator app code”:

 



Enabling “Mobile app prompt”:

 

 

 



Enabling “Text message”: 

 




Login Flow Setup:

 

If they select “Not now”:

 

Internal Only - for this QT, no suspensions will be taking place. 

 



If they select “Set preference” to move forward with the setup flow, they’ll choose between “Upwork mobile app notifications” or “Text messages with one-time codes”:

 

 

When choosing mobile app:

 

 

 

When choosing text message:

 



FAQs:

 

Do I need to enable two-step verification if I log in via face or fingerprint recognition?

Yes. Currently, face or fingerprint recognition works only for authentication. Using these options you can log in, but you cannot pass a two-step verification challenge. We still encourage you to enable a two-step verification option to keep your account secure.

 

I can’t access my two-step verification method. What should I do?

If you enable several two-step verification options, when challenged you will be able to choose any of them. Additionally, you can use your security question answer as a backup option. If you exhaust and fail all secure sign-on options (Mobile prompt, SMS, TOTP) and the security question answer, our system sends a code to your email address if you didn't disable this feature manually. If you still can't proceed, you'll need to contact Upwork Support.
