Improved Login Approvals

We just released a significant improvement to login approvals in Populi. Now, instead of using a passcode sent via text message to your smartphone, you can use an authenticator app on your smartphone to generate a temporary, one-time-use passcode to log in to Populi when a login approval is required. Here's how it works:

Install an authenticator app on your smartphone

Authenticator is one of those scary, five-syllable words nerds use to talk about something fairly simple: it helps you verify that you are, in fact, you when some cheeky computer asks about your identity. All an authenticator app does is generate a six-digit code that helps you do that.

Here are three apps we use around here and recommend to our users:

Set up your Populi login to use the app

Once the app is installed on your smartphone, it's time to get your login working with the new version of login approvals. There are a couple ways to get this ball rolling:

Login approvals in My Settings, Security
  • Click your picture in the upper right of the screen (in the black bar) and select Settings. Go to My Settings > Security and click the button under the Login Approvals heading—depending on your current setup, it might say Enable... or Upgrade.
  • If your school has newly required you to start using login approvals, you'll go through this setup process the next time you log in.

Setup itself is simple:

Setting up login approvals in Populi
  1. Populi will display a QR code on the screen.
  2. Open your authenticator app and use the add account function. Hold your smartphone camera up so it can see the QR code on your computer screen. Follow the prompts in your app to finish adding the account.
  3. Enter your Populi password.
  4. The app generates a six-digit verification code—enter it below the password.
  5. Click Next.
  6. Populi will generate a recovery code for you. This code lets you log in to Populi one time in case you lose access to your smartphone (and can't use a code from the authenticator app). Copy the recovery code and store it in a safe place.
  7. Click Done when you're finished.

Now, whenever you log in to Populi on a new device, just open the app and use the one-time passcode to complete your login. These apps generate a new passcode every 30 seconds or so, and your login will only use the current passcode.

Why'd we do this?

Populi's login approvals are a form of "two-factor authentication", which is probably the most significant improvement to user security in recent memory. It requires a second code (or factor), usually a passcode sent via text message to a device that's located on your person somewhere (usually your smartphone), in order to log in to a website. So, while your password for a given site can be stolen in, say, a data breach, it's a lot harder to steal both a password AND your phone at the same time.

We used to rely on texting a passcode to your smartphone. The new method, as mentioned, requires a code generated by an authenticator app.

Why are we moving in this direction? The primary reason is that authenticator apps provide better security. The National Institute of Standards and Technology issued a guideline which discourages the use of SMS/text messages as a second factor. Companies like Google are transitioning away from SMS-based authentication, as well. In part, this is because hackers are sometimes able to convince phone companies to route SMS messages to their own phones.

Security is the main concern. But our users are equally on our minds. We've seen widespread carrier outages that affect thousands of our users—a few months ago, for one example, a carrier-who-will-remain-nameless flagged all of our SMS login approval codes as spam and didn’t deliver them. Many of our users were unable to log into Populi, leaving them out in the cold until the carrier resolved the issue on their end.

That kind of nonsense is totally unacceptable to us. We don't want our users' access to Populi to get blocked by an error at a phone company.

But since authenticator apps remain functional even when your phone carrier is having a bad day, they’re much more resilient. The only thing they depend on is whether your phone knows what time it is.

For now, text/SMS-based login approvals will still work for users who've already set them up. But that method will be sunsetted in July 2021, at which time all users will need to use the authenticator app method. Anyone who's new to login approvals will only get the new, improved method.

Populi is committed to doing our best to help keep your data secure, and keeping up with shifting industry best practices is one way we do that. Sometimes these improvements require a bit of a learning curve, but we’re certain the new login approval process will make it easier for you to keep your information safe.