This page contains information about the updated MyAccount service.
We will be adding information here over the next few weeks, so please visit again for more information.
- How and why has MyAccount changed?
At the end of October 2016, ISD launched a new version of the MyAccount service, the place where you can manage your UCL password.
Why did we make the change?
Here are some of the reasons why the service had to change:
- The old service was running on an old platform that was difficult to maintain because of its age. Given the importance of having a reliable password changing service, we needed to make sure the service is up-to-date and secure.
- Switching to a new service allows you to set longer passwords. Having a fixed password length was a major weakness for UCL as potential attackers would have fewer options to guess.
- We've tried to make choosing a new password easier by offering a strength metre before you submit the password. This is better than the frustrations of the old system, which didn't tell you that your password was unacceptable before you submitted it.
- We've adopted a feature common to other password management systems that requires you to register your mobile phone as an insurance against losing or forgetting your password. If you need a reset, you'll no longer need to contact the Service Desk or Computer Rep, just request a reset code. To find out more about this feature, read more below.
- What is changing in the new MyAccount service?
The main features of the new service are:
- Registration of your mobile phone to allow you to reset your password without having to contact the Service Desk should you forget it. This is more secure than the current process of issuing tokens as a password reset code is sent directly to your own phone.
- You can now set a longer password (up to 30 characters) and the stronger your password, the longer you can keep it for.
- A password strength meter will now show you if your password is acceptable before you submit it.
- Better auditing and administration tools for the Service Desk to assist with any problems you may have.
The use of mobile phones to help users recover passwords is common practice for the likes of Google, Yahoo and Microsoft so many users will be familiar with this approach.
- How do I register for the new service?
When you first log into the new service, you will be asked to register your mobile phone number. This is a one-off exercise, though of course you can change your phone number if you need to.
By registering your phone number, you can easily reset you password if you forget it by requesting a password reset code that will be sent to you.
- Why do I need to register my phone number?
If you forget your password, you can request that a password reset code is sent to your registered phone.
You'll be asked to register a phone number the first time you use the new service.
This is a more secure process than the current one which requires manual creation of a password token. Unlike the tokens, the new text message reset codes are only visible to you.
- Who will I receive text messages from?
MyAccount uses a text messaging service, so messages will not appear to come from a UCL phone number.
If you have a UK phone number (international dialling code 44), you will receive texts from "UCLISD".
If you register a non-UK number, the SMS message will come from a UK number ending 55439.
Note: the full number is not published here, to prevent it being misused. If you wish to verify the number, contact the ISD Service Desk.
MyAccount only sends text messages for registering your phone and for sending password reset codes and you will not receive other messages from this ID/number. Details stored in MyAccount are not used for any other purpose and are not made available to other UCL systems.
- Why can't I set an 8-character password anymore?
It's now harder to set an eight-character password because the new version of MyAccount calculates a strength before allowing a password to be submitted.
Even if an eight-character password follows the the previous rules regarding mixture of characters, numerals and symbols, it is still considered weaker than a longer password.
It is still possible to set a password that only has eight characters, though these will only have short expiry times (typically only 100 days, which is the minimum) and will probably be less memorable than previous passwords of this length as they will need to have all of the complexity rules used in only a small number of characters.
Before trying to set an eight character password, consider that the new system allows for longer passwords. If you have a scheme for setting 8-character passwords, you could add some extra characters to the end, or alternatively try a different method to choose your future passwords (see below).
- How do I set a strong password?
The new MyAccount service allows you to set longer, stronger passwords. One of the advantages this gives us is to also potentially make passwords more memorable.
Whereas the previous 8-character limit forced you to include upper/lower case characters, numbers and symbols in only a small space, you can now make your password up to 30 characters.
One simple trick to pick a new password is to take 3 words and join them together with a number and a symbol (from the acceptable characters list). Although this will be more characters to type each time, using linked words should be both easier to remember and quicker to type.
- How will my phone number be used?
If you're worried about registering your mobile phone, hopefully we can reassure you.
When you register your number it is encrypted and stored in the MyAccount database.
Your phone number is not visible to any staff, not even the system administrators, and cannot be accessed by any other system. Phone details are stored separately from other account information and your registered number is not displayed in full within the application. Even if someone has your password and can access your account, they will not be able to retrieve your phone number from MyAccount.
Your number will not be used for any purpose other than sending you phone registration or password reset codes. You will certainly not receive unsolicited calls from ISD staff to your mobile number once you've registered with the system.
We have specifically chosen not to import mobile phone details that may be stored elsewhere at UCL (for example in the Student Records or HR systems) in order to allow you to register your current number, not one that's possibly out of date.
Remember: ISD staff will never ask you to tell them your password and you should never tell your password to anyone else.
- What has changed for Computer Reps?
The main change for Computer Reps and IT Managers will be removal of the ability to issue password reset tokens for your staff, students and visitors.
The expectation for the new system will be that individuals will have responsibility for managing their own passwords. By registering their phone numbers they can always have a means of setting a new password if they forget their current ones, without having to call on you, or the ISD Service Desk, for help.
Although you can no longer issue reset tokens for your users, you can submit mobile phone details on behalf of your users by using this form on the Service Desk portal.
The Service Desk may also need your help verifying your users.
If you have any comments or questions about how the new service will affect your role as a Computer Rep, contact the ISD Service Desk.
Note: we are aware that the new service has caused some problems for Computer Reps as they can't be as helpful to their users in resolving password issues for their users. We hope to make some additional features available to Reps to help with this in future (though Reps will not be able to reset user passwords themselves).
- Problem: Why haven't I received a phone code yet?
We are aware that some international carriers do not accept SMS (Text) messages from the new MyAccount service. This seems particularly to affect some US telephone providers. If, after 30 minutes, you have not received your registration or reset code, contact the Service Desk for advice.
Update 21 Dec 2016: We now have a workaround for this problem which was caused by some international providers blocking the SMS message where it comes from a name (UCLISD) rather than a phone number.
Non-UK numbers will now receive the SMS (Text) message from a UK telephone number ending 55439 (We have not published the full number here as it will not receive calls - contact the Service Desk if you wish to verify the number).
- Problem: Why can't I pick a phone country code?
This problem occurs on some browsers and seems particularly to affect Safari on the iPhone/iPad and older versions of Internet Explorer. If you see this problem, refresh the page and try again.
If the problem persists, try a different web browser (e.g. Chrome or Firefox).
If in doubt, contact the Service Desk (see below).
Update 21 Dec 2016: This problem has been resolved as the control used to pick country codes and validate phone numbers has been updated.
- How do I get help?
If you require any assistance with the new service, or have any comments or suggestions, contact the ISD Service Desk.
Please make clear that your comment or issue is with the new MyAccount service so that we can provide an appropriate answer.