How to set up two-step verification for login

What is it?

Two-step verification is an extra layer of security on top of a username and password combination. It requires both 'something you know' (such as a password) AND 'something you have' (such as a PIN sent to your mobile phone).

So, simply finding out a password and username will no longer be enough to access an account. 

In Pupil Asset, using Two Step Verification works in the following way: 

  • A user will sign in as normal by visiting https://secure.pupilasset.com.
  • They will then be asked to enter their username and password.
  • A six-digit code will be sent by SMS text message to the mobile phone number held in that member of staff's record.
  • The staff member will be prompted to enter the code before gaining access to the system. 
  • That code will expire at midnight of the day it was requested. 
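
The code lifecycle described in the list above (one six-digit code per day, valid until midnight) can be sketched as follows. This is an added illustration, not Pupil Asset's own code: the class name DailyCodeStore, the in-memory storage, the use of server-local time and the MAX_ATTEMPTS limit are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, time, timedelta

MAX_ATTEMPTS = 5  # assumption: the page does not state an attempt limit


class DailyCodeStore:
    """In-memory stand-in for the server-side record of issued codes."""

    def __init__(self):
        self._records = {}  # username -> salt, digest, expiry, failed attempts
        self.sent = []      # (username, code) pairs handed to the SMS gateway

    @staticmethod
    def _midnight_after(now):
        # Codes expire at midnight of the day they were requested.
        return datetime.combine(now.date() + timedelta(days=1), time.min)

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def request_code(self, username, now):
        """Issue a code, or return False if today's code is still valid."""
        rec = self._records.get(username)
        if rec and now < rec["expires"]:
            return False  # one text per day: no new SMS is sent
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
        salt = secrets.token_bytes(16)
        self._records[username] = {
            "salt": salt, "digest": self._digest(salt, code),
            "expires": self._midnight_after(now), "attempts": 0,
        }
        self.sent.append((username, code))
        return True

    def verify(self, username, submitted, now):
        rec = self._records.get(username)
        if rec is None or now >= rec["expires"]:
            return False  # no code issued, or it expired at midnight
        if rec["attempts"] >= MAX_ATTEMPTS:
            return False  # locked until a new code is issued tomorrow
        ok = hmac.compare_digest(rec["digest"], self._digest(rec["salt"], submitted))
        if not ok:
            rec["attempts"] += 1
        return ok
```

Because a code stays valid for the rest of the day, the failed-attempt cap is what stops a six-digit code from being guessed by repeated tries.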


Steps to remember before switching on

Firstly, you may need to consider your school's policy on mobile phones for teachers. Without their mobile phone available, the code will be rendered useless and the user will be unable to sign in.

Secondly, if there is no mobile phone number saved in that member of staff's record, they will not be able to receive the code and will consequently be unable to sign in.

Lastly, you may have staff members whose mobile phone reception is poor. This could also prevent them from receiving the code. 


How do I switch on two-step verification? 

Simply navigate to Admin > School Options > Security and switch Two Step Verification on.


FAQs 

Why can't you email the codes?
If the user is signed in to their email, which is highly likely, a hack would be as simple as reading the code from the email inbox.

Why do you have to text mobiles?
We need something that the user is always going to have to hand.

We don't allow mobiles on site.
Then unfortunately this option isn't for you. Dropbox, Google and other large companies do their second-step authentication in this way; it is common practice.

Can we have a dongle instead?
Unfortunately, this is not supported.

Why only send one text per day?
This is to deliver additional security, whilst limiting inconvenience and cost.

Will this protect us from everything?
No. You still need to be vigilant and sensible, but it will reduce the likelihood of hackers gaining access to your data. Remember, treat your sign-in credentials as you would your toothbrush and don’t share!


Further Reading

http://en.wikipedia.org/wiki/Two_factor_authentication
http://www.brighthub.com/internet/security-privacy/articles/128742.aspx
