Share this content
0
1562

2 step verification inconvenience

2 step verification inconvenience

We are coming across this 2 step verification thing more and more whereby a code is sent to a mobile phone before you can log into something.  Not only HMRC services, but increasingly cloud software logins require it.

As there are several of us in the firm, this is becoming increasingly inconvenient.  When one of my staff wants to log into something, a code gets sent to my phone.  That's fine when I am in the office, but not when I am on a beach in Barbados.

The solution to this would appear to be to get a pay-as-you-go office mobile phone that just sits on the side and is set up to automatically forward all texts to the shared office email address, where they can be picked up by the staff member.

So I suppose the question is, does anyone know of a cheap phone that offers this functionality?  Or has anyone found a more elaborate solution to this 2SV problem?

Replies

Please login or register to join the discussion.

03rd Aug 2017 16:03

I thought HMRC (I can't speak to other software) had iced 2SV for agents for the moment?

Thanks (0)
avatar
By BIGWAL
03rd Aug 2017 23:47

Received an email from HMRC today saying 2SV would become mandatory in September. Can find no information provided as to how to register for this process.

Thanks (0)
avatar
04th Aug 2017 10:00

Is the 2sv going to apply to agent logins?

I thought it was only going to be mandatory on the business/personal login not agent logins.

Thanks (0)
04th Aug 2017 10:17

2 step verification will come in on HMRC agent logins. It will however only have to be done once a year or something like that, rather than on every login. I have no idea what the point is.

As for other services, it might be worth complaining to them directly about the issue, failing that there are services whereby you can have a phone number assigned to an email address so the codes will show up in a shared mailbox rather than needing to buy a phone.

If you want the phone though then the obvious solution would be to wait for someone you know to upgrade and take their old phone and stick a pay as you go sim card from their network in it, these are often free.

Thanks (0)
04th Aug 2017 11:31

Try a search for "virtual mobile number".

Most virtualised mobile numbers offer a txt -> e-mail function or a web browser showing all msgs.

Thanks (2)
avatar
to alan.rolfe
04th Aug 2017 15:44

Thank you Alan. At 0.2p per call, that's cheap enough for me!

Thanks (0)
to alan.rolfe
06th Aug 2017 10:43

alan.rolfe wrote:

Try a search for "virtual mobile number".

Most virtualised mobile numbers offer a txt -> e-mail function or a web browser showing all msgs.

Thanks. This looks like it might be the answer.

Thanks (0)
04th Aug 2017 11:42

We non agents don't get any choice - I have avoided it for months but I too have had the e-mail saying it is compulsory from September.

It adds nothing to my level of security, I already have to have the logon details for the one user,me, so it is me who would get the two step logon code.

It would make sense if it was that a different device was being used to log on, as with Google accounts but just to regularly log on from the same desk 2 - 3 times per month is stupid.
We only ever have to pay HMRC so the most damage someone can do, should they get access to the log on details is pay HMRC on our behalf. I am certain that if a dodgy VAT return was presented for refund I'd have the old audit team all over me before a penny was sent back from the coffers of HMRC.

Thanks (0)
By tom123
to Democratus
04th Aug 2017 11:53

Likewise, I have just used my 'personal' mobile to get the texts required for working for my employer.

Can't really see what it adds, to be honest, - as of yet no-one else has needed to log in whilst I am on holiday etc.

Thanks (1)
By DJKL
to tom123
09th Aug 2017 12:53

tom123 wrote:

Likewise, I have just used my 'personal' mobile to get the texts required for working for my employer.

Can't really see what it adds, to be honest, - as of yet no-one else has needed to log in whilst I am on holiday etc.

Having just extracted myself from a long standing treasurer role, where my firm e mail had been used for a fair few login procedures, I am of the view that setting up distinct e mail/tel number that stay with the position, rather than being personal to the current incumbent of the position, is the way to go re these- what happens if incumbent falls under a bus or storms away on less than pleasant terms.

It seems to me that having an in effect "corporate" person, perpetual and immortal, will in the long term be smoother re transitions.

Thanks (0)
to DJKL
09th Aug 2017 15:24

@DJKL

There is no immortal corporate person in smaller SMEs, there is just the likes of me, simple jobbing accountant trying to scratch a living with the little knowledge gained years ago....violins play sad music in the background......

If i use my mobile number, and it's a personal one not a work one, then what happens if i take a rare holiday and someone else (unlikely but possible ) wants to log on, say to check if we are up to date with payments*. If i give out a work mobile than i have no idea who would have the phone, I certainly don't need one just for this nonesense.

I could use the DDL, but again if i am off then someone has to either redirect my line, log in near my line or intercept a call to my line for this to work.

SNAFU at HMRC/ As I said earlier if i were to log in from a different device then checking it's me makes sense, but telling me I am me every time I log on doesn't.

* Some organisations wants us to confirm that we are not in tax arrears and a simple screen dump from the HMRC site works well for this.

Thanks (0)
avatar
04th Aug 2017 12:18

adds nothing....people easily fooled into believing this kind of measure suddenly makes things safe. Just because it is 'easy' for the Revenue to introduce they do it....if only they spent more time on important things that actually make a difference.

Thanks (0)
04th Aug 2017 13:37

While I think it's stupid I also think the people who don't recognise that it's more secure than a single password are stupid.

There's a time and a place though, I have two step verification on a number of things like my online banking and other services through which I can pay money and I'm glad for it. It's unnecessary in most cases but is clearly more secure than simply using an email and password.

Thanks (1)
avatar
06th Aug 2017 13:42

Is that Holetown, Barbados? Actually, anywhere in Barbados is good.

Thanks (0)
07th Aug 2017 09:10

For those of you who haven't seen it here's the HMRC e.mail

Dear customer,
From September 2017, HMRC will make it a requirement for all businesses using their online tax accounts to register for 2 Step Verification (2SV) – if not already using it. The result of this minor change means greater security for customers and a safer experience when using our online services.
Users logging into their tax accounts from September will be asked to register for 2SV – it is quick and easy to setup.
What is 2SV?
2SV is a way of adding a layer of security to customer’s Government Gateway credentials. Instead of relying on something you ‘know’, like a User ID or Password, we add in the extra factor of something you ‘have’, a mobile or landline.
Is 2SV new?
No it isn’t. The use of 2SV is backed by the National Cyber Security Centre and promoted by Cyber Aware and Action Fraud. 2SV is used widely across well-known brands in the tech industry, it’s also commonly used for online banking.
HMRC began introducing 2SV in December 2015 and, since then, more than 11 million individuals and businesses have successfully set up 2SV to protect their online tax accounts.
Why is HMRC requiring 2SV for businesses?
HMRC takes the protection of customer data extremely seriously. We are a well-known brand because of our unique tax collection role. Similar to other large financial organisations, that makes us an obvious target for fraudsters and cyber criminals.
Threats evolve and change, so we are constantly reviewing our security approach to ensure everything is done to keep businesses secure.
If you encounter issues using 2SV with HMRC, please contact our Online Services Helpdesk.

Thanks (3)
to Democratus
09th Aug 2017 12:09

Many thanks Democratus - that was the information I've been trying to get from HMRC.

Thanks (0)
to Democratus
09th Aug 2017 14:11

We run payrolls for about 80 clients and most of them ask us to pay their monthly or quarterly PAYE for them by direct debit on their bank account, so that they do not have to remember to do it themselves. To arrange the DD, we have to login using the "customer’s Government Gateway credentials" (most of which we have actually set up ourselves). Whilst I have been prepared to do this on behalf of the client, it think it will be completely inappropriate to set up one of our own 'phone numbers under 2SV for the clients' online accounts, not least in case the client wishes to arrange payment of other taxes online. This means that we will no longer be able to arrange PAYE payments for our clients after September.

What do other payroll providers, who offer payment of PAYE as part of their service, intend to do?

I assume that there are no plans by HMRC to give agents the authority to arrange payment from clients' bank accounts of taxes, whether PAYE or other taxes.

Thanks (0)
to Euan MacLennan
09th Aug 2017 14:50

I refuse to get involved with the actual money these days, but back in my RSM/Baker Tilly days we either did it via BACS, or in a couple of cases, they had a specific bank account for salaries and PAYE for which we had login details (and for one of them, the card reader, too) and would arrange payment via their online banking.

For clarity, the bank accounts carried no funds other than that required for salaries and PAYE. Pre AE, so may include pension contributions, now, too.

Thanks (0)
avatar
09th Aug 2017 20:53

2SV may be inconvenient but it offers protection from compromised credentials, from remote desktop attacks etc. Steps to circumvent it, reduce the protection 2SV offers. Total pain, but worth it

Thanks (0)
Share this content