We released a number of new security features last night that give your school's Populi users new ways to keep their accounts protected. Here's a look at what's new:
Login approvals send you a text message with a one-time use passcode whenever you log in to Populi on a new browser or device. In addition to your username and password, you enter the passcode to log in. Populi then recognizes your account as approved for use on that browser or device, and there's no further need for the additional passcode for future logins.
This protects your account by requiring you to have your mobile phone with you when you log in. Typically, the person with your phone is gonna be you—and when you enter the passcode, you're assuring Populi that the person logging in is you, and not someone else. So, even if your login is compromised—someone gets ahold of your password, say—it's useless without the passcode sent to your phone.
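The login-approval flow described above, as an added sketch (this is not Populi's code). The class and method names, the six-digit passcode, the five-minute expiry and the in-memory storage are all assumptions made for illustration:

```python
import hashlib, hmac, secrets, time

PASSCODE_TTL = 300  # seconds a passcode stays valid (assumed value)

class LoginApprovals:
    """Toy in-memory model of the login-approval flow (all names hypothetical)."""

    def __init__(self, send_text):
        self.send_text = send_text  # callable(user, code); stands in for the SMS gateway
        self.pending = {}           # user -> (sha256 of passcode, expiry time)
        self.approved = {}          # user -> set of sha256(device token)

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def login(self, user, password_ok, device_token=None):
        """Step 1: after the password check, decide whether a passcode is needed."""
        if not password_ok:
            return "denied"
        if device_token and self._h(device_token) in self.approved.get(user, set()):
            return "ok"             # this browser or device is already approved
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (self._h(code), time.time() + PASSCODE_TTL)
        self.send_text(user, code)
        return "passcode_required"

    def approve(self, user, code, now=None):
        """Step 2: check the passcode once, then mint a token for this device."""
        # pop() makes the passcode single use: a wrong guess also consumes it
        digest, expires = self.pending.pop(user, (None, 0))
        now = time.time() if now is None else now
        if digest is None or now > expires:
            return None
        if not hmac.compare_digest(digest, self._h(code)):
            return None
        token = secrets.token_urlsafe(32)  # would live in a cookie on the device
        self.approved.setdefault(user, set()).add(self._h(token))
        return token

    def revoke_all(self, user):
        """Forget the user's approved devices so the next login needs a
        passcode again (assumed behaviour for removing devices)."""
        self.approved.pop(user, None)
```

A correct password presented without an approved device token only ever reaches `passcode_required`, which is the property the paragraph above relies on.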
Account administrators can now manage all kinds of high-level security settings for your school's Populi account in the new Account > Security view. We've moved some old, familiar settings there (ID photos, who can view SSNs, et al.), and have added a few new ones. Most important is Login Approvals, where the Account Admin can allow or require various user roles to use login approvals for their Populi user logins. For example, you might allow all users to use them, but require them of Academic Admin, Financial Admin, and Financial Aid users.
Since login approvals require that the user have a verified text notification number, if any affected users do not have a number, they'll immediately receive an email that lets them set one up. You can also look at individual role pages to see who has a verified number and who doesn't.
User access updates
We moved the user access controls out of the Profile > Info view and stuck them next to the new menu button. Besides making it easier to see at a glance whether someone is a user, this also gives you a few new options related to login approvals. The user dialog now lets you require or disable login approvals for individual users. You can also send the user a link to reset his text number (which works just like the reset-password email).
Every user now has a new Security view in their personal account settings. Security includes reset-password fields, a chunk for setting up a text notification number, and a new Devices section that lets you view and manage your approved devices—browsers and devices on which you've logged in.
You can even set a device to trusted. On trusted devices, once you've logged in, you can stay logged in. To trust a device, you verify that it's password-protected, accessible only to you, etc. Afterwards, you're logged in on that device until you log out or an account admin changes a login approval setting.
Set it up!
The new security features will go a long way towards helping secure your school's data. We strongly encourage your school's account administrators to enable login approvals. Account administrators can read more about the new security features and Populi users can learn about their new personal security settings in the Populi Knowledge Base.