Two step verification is an extra layer of security on top of a username and password combination. It works on the basis that the system requires 'something you know' (such as a password) AND 'something you have' (such as a PIN).
So, simply finding out a password and username will no longer be enough to access an account.
In Pupil Asset, using Two Step Verification works in the following way:
Firstly, you may need to consider your school's policy on mobile phones for teachers. Without their mobile phone available, the code will be rendered useless and the user unable to sign-in.
Secondly, if there is no mobile phone number saved in that member of staff's record, they will not be able to receive the code and consequently be unable to sign-in.
Lastly, you may have staff members whose mobile phone reception is poor. This could also prevent them from receiving the code.
Simply navigate to Admin > School Options > Security and switch Two Step Verification on.
Why can't you email the codes? If the user is signed-in to their email, which is highly likely, a hack would be as simple as reading the code from the email inbox.
Why do you have to text mobiles? We need something that the user is always going to have to hand.
We don't allow mobiles on site. Then unfortunately this option isn't for you. Dropbox, Google and other large companies do their second step authentication in this way; it is common practice.
Can we have a dongle instead? Unfortunately, this is not supported.
Why only send one text per day? This is to deliver additional security, whilst limiting inconvenience and cost.
Will this protect us from everything? No. You still need to be vigilant and sensible, but it will reduce the likelihood of hackers gaining access to your data. Remember, treat your sign-in credentials as you would your toothbrush and don’t share!