IT Help and Support

University Information Services

Information for IT staff about the forthcoming user-visible changes to the Raven service following the introduction of the Raven OAuth2 service and a description of the user-visible impact of University-wide enablement of Two-Step Verification (2SV).

History and motivation

There is a long-established Cyber Security, Identity and Access Management programme running within the UIS. As part of this programme we have been investigating methods by which sign-in to email may be protected with 2SV.

For the past year, as part of a pilot, we had been running an alpha test of 2SV for Raven SAML 2.0, a portion of the Raven ecosystem. This alpha test made use of technology offered by Duo Security, a third-party 2SV provider.

The alpha test of Duo has come to an end. We're now commencing an alpha test of Google Cloud Identity’s 2-step verification.

For this alpha test, Google Cloud Identity will be integrated with a new Raven OAuth2 service. As a result, users may encounter some or all of the user-visible changes presented in this document.


User-visible changes

As we enable the use of 2SV using Google Cloud Identity in the Raven ecosystem, various bits of Google-branded UI may start to appear as users sign in to Raven protected sites.

For example, a user who has not previously signed in using Google Cloud Identity will be presented with a welcome screen:

Google Cloud Identity welcome screen

This screen is intended to inform the user that what they have may look like an ordinary Google account and quack like an ordinary Google account but that it is managed by UIS under the University Google Cloud Identity inside G Suite@Cambridge.

The first time a user signs in to a Raven OAuth2 protected application, Google Cloud Identity will ask for explicit consent to share their name, email address and profile picture with the application:


Google Cloud Identity login screen



This is similar to the existing "attribute release" page which is shown by Raven SAML 2.0 on first sign in to a new site.

Unlike the existing Raven SAML 2.0 service, users can withdraw their consent to share data with Raven OAuth2 applications via the Google account management portal.


Overview of Google Cloud Identity 2SV

Google Cloud Identity 2SV provides support for the following second factors:

  • A FIDO2 compatible hardware security key. Examples include: YubiKey, Titan Security Key and the Adafruit Security Key.
  • A prompt on a compatible mobile Internet-connected device.

  • Time-based one-time password (TOTP) via any app or password manager that supports TOTP QR codes. Examples include: Google Authenticator, FreeOTP, 1Password and Authy.

  • An SMS message (aka a "text"), delivered to a mobile telephone.

  • A voice call to a telephone.

  • A hardware security key built into a compatible Android device.

  • A call to a pre-configured "backup" telephone.

  • A single-use "backup code" generated previously via the Google account management portal. Users unwilling to use any other second factor may maintain a store of backup codes to use when signing in.

We have already enabled Google Cloud Identity 2SV for Raven OAuth2 protected applications. Early adopters have the option to self-enroll in 2SV by signing in to Google with their "" email address and following instructions provided by Google.

Once you have enabled your account for 2SV, you will get an email confirmation similar to the following:

Google 2SV email confirmation

For particularly sensitive users, we have the option of enrolling them in Google’s Advanced Protection Programme which adds additional layers of account protection.


Data protection and privacy

The University’s Information Compliance Office has reviewed and approved various standard Data Protection documents issued by Google which cover the use of 2SV within the University. These include model contract clauses and a Data Protection Amendment on the use of Google as a data processor.

The 2SV integration offered by Google is part of their Google Cloud Identity product which is part of the wider G Suite service. Google details their compliance with Data Protection legislation and associated certifications in a dedicated whitepaper on G Suite security. They also publish a list of third-party sub-processors for G Suite.

Portions of the Raven ecosystem exist in Google Cloud. Google Cloud and Google Cloud Identity are separate products. Compliance information for Google Cloud and an associated Privacy Shield certificate is available. All Google Cloud resources used for Raven are located in UK or EU-based data centres and are subject to UK Data Protection legislation or local legislation implementing the EU GDPR.

Google will be processing data relating to 2SV which includes personally identifying data appropriate to your choice of second factor. For example, in order to "remember a trusted device" for 2SV, Google will be recording information sufficient to identify your device. Precisely what data is recorded by Google depends on your choice of second factor, but it will at a minimum include your CRSid.

Google Cloud Identity will not be handling Raven passwords when we enable Google Cloud Identity 2SV. Parts of the Raven password-handling infrastructure may be hosted within Google Cloud. UIS can ensure the geographic region of Google Cloud hosted infrastructure and has access to auditing infrastructure which alerts us if a Google employee needs to access any of our data hosted in Google Cloud. For particularly sensitive data we can ensure that Google cannot access data at rest.


Last updated: 24 February 2020
