View All Resources

Two-Step Information for LSPs


End user self-help resources

Penn's Two-Step Verification service is self-supporting. Users are encouraged to consult the Two-Step Verification FAQ, and also the Two-Step Verification: detailed instructions which provides step-by-step visual instructions. Users have multiple means of recovery if they lose or otherwise do not have access to their device:

  • Use pre-generated single-use passcode
  • Use the “Phone-A-Friend” feature to call a previously authorized and identified friend to retrieve a Two-Step code
  • Contact or visit a local Two-Step Administrative station (see list)
  • Contact central Two-Step Administrative station

If a user is unable to log in, questions to ask include:

Has the user trusted a browser?
If the user has logged in during the past 30 days from a browser they opted to trust, the first thing they should try is to log in from that browser. Otherwise, their options depend on what they set up at the time they enrolled (see below).

Did the user print out pregenerated codes?
Backup codes are a list of 6-digit numbers, hopefully stored in a secure place like a wallet or locked file drawer, that were generated either at the time the user enrolled, or later, using the Two-Step Verification settings page. The user may use these just as they would the codes provided by an authenticator application. Each backup code can be used once and the codes must be used in sequence.

Did the user designate a friend to unenroll them?
If so, they can go to the Two-Step Verification settings page, select "I am having trouble logging in" and ask the friend(s) to unenrollthem. Next they should contact the friend by phone to ask them to go to the same interface and unenroll them. The friend should verify the requester's identity by voice, not email, since email can be forged easily. The friend can go to “Manage Settings” and then click "Help a friend" to unenroll the requester.

Did the user designate a backup phone?
If so, they can have a one-time code sent to it via text or voicemail (however they designated at enrollment) by going to the Two-Step Verification settings page and selecting "I am having trouble logging in." They can then use this code to simply log in and access whatever they were trying to access, or log into the Two-Step Vrification settings page and unenroll themselves.


Technical issues

If users require support beyond the self-support mechanisms, such support follows the standard LSP model. Local Support Providers provide first-tier support to users, giving assistance with enrollment and use as necessary as well as troubleshooting prior to escalation. If issues persist, LSPs can escalate to ISC Client Care. Client Care staff can troubleshoot further, escalating to the Two-Step developers and WebLogin team as necessary for fixes or change requests.

Common issues include:

  • New phone
    • Refer end user to the Two-Step Manage Settings page to register new device
  • Authenticator code not being accepted
    • App: ensure device is using Network time server
    • Fob: A token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. In some cases, this can happen by accident if the token is stored next to other objects in a pocket, backpack, etc. Generate three passcodes in a row to attempt to resynchronize the token.


LSPs should be aware of other possible issues, such as:

  • Users believing they're finished after installing an authenticator app and not actually opting in to the system.
  • Users not knowing how to scan QR codes.
  • Users not understanding the concept of entering a second factor.
  • Users not knowing how to install apps on their mobile device.
  • Users not having their iTunes/Google Play password to install apps.


Escalating an issue

In case of an issue that an LSP cannot resolve, the LSP should contact ISC Client Care at help@isc.upenn.edu or (215) 898-1000. To help ensure the issue is resolved as quickly as possible, please include the user's PennName and troubleshooting steps already performed.

Prior to contacting Client Care, it is the LSP's responsibility to positively verify the user's identity using one of the following mechanisms, or by voice (and/or video) if the LSP knows the user:

  • local Two-Step admin has verified the user's identity using the Two-Step Remote ID tool
  • user shows PennCard to LSP in person
  • user contacts LSP, who in turn sends email with an arbitrary, random secret to the user's email address of record and follows up with the user over the phone (not necessarily his/her number of record, and potentially using Skype or equivalent) and verify that they have the random secret (in addition to recognizing the user's voice)