OnePass is an authentication system which allows you to log in to multiple Thomson Reuters solutions with a single username and password.
What is OnePass?
A OnePass profile is the online record of the username and password you personally select to access Thomson Reuters websites and applications. Selecting your own username and password gives you more security, more control and more convenience. You can use your OnePass profile across multiple applications, such as Practical Law, My Account, Firm Central and Legal Tracker.
Do I have to create a OnePass profile?
Yes – by creating your own username and password, rather than using Thomson Reuters - assigned credentials, you are more likely to remember the details and ensures a higher level of security.
Can I use the same OnePass profile for multiple solutions?
Yes, your OnePass username and password will allow you to access multiple Thomson Reuters products that use OnePass for authentication.
What other websites and applications use OnePass?
Thomson Reuters products and applications currently using OnePass include:
- Drafting Assistant
- Firm Central
- International Materials on Westlaw
- Legal Tracker
- Practical Law
Update profile information
How can I change my username, email address, password or security question?
- Go to onepass.thomsonreuters.com or click Update an existing OnePass profile from the sign-on page of any product that uses OnePass for authentication
- Enter your username and password into the corresponding boxes, then click Sign In to display the OnePass General Settings page
- Either answer a security question or have a code emailed to you to verify your identity
- Make desired changes and click Save.
Username and Password
You can use the same OnePass username and password for any Thomson Reuters product that uses OnePass as the login. To register your OnePass account for a second (or third) service, simply sign into your OnePass account from that product and you will be prompted to enter the new product’s registration key which would be sent to you when your subscription is set up.
Activate product registration key
For each OnePass authenticated product to which you hold a subscription, you will be sent a unique, individual ‘Registration Key’ (set of numbers and letters). This key is what is used to link your active subscription to the product and grant you access.
Once you have received your registration key via email, you can either click the Activate Now link from the email OR follow these steps to add the application to your OnePass profile:
- Click Create a new OnePass profile on the application Sign In page to display the Register a new profile page
- Type / Paste in your registration key and your email address in the appropriate text boxes.
- Assign a ‘friendly name’ to the registration key. This can be any word and is used for admin purposes.
- Click Continue.
Working with multiple registration keys
In the event that your login credentials, such as your username and password, are suspected or known to be compromised e.g. a third party has discovered your password, our priority is to work with you to re-secure your account and protect your data.
What should I do?
First, contact your IT department or a trusted technology professional. They may have their own standards and practices to further protect you and your data. But we recommend you take the following immediate steps:
- SCAN ALL COMPUTERS – As noted above, speak with your IT professional, but we strongly recommend that you scan your computer for malware or other malicious programs that may compromise your data. This should be done before changing your credentials to avoid having new passwords compromised by the same malware.
- UPDATE YOUR ONEPASS PASSWORD – Even if you were recently asked to change your OnePass password (a forced password reset), or if you have upgraded your system’s security, you should still update your password.
- UPDATE YOUR MULTI-FACTOR AUTHENTICATION (MFA) – MFA is a more secure method of accessing and protecting your data, but it too can be compromised, so regularly updating this information is recommended. To update your MFA, you will need to change the password associated with your account, change your security questions and answers, or update the authenticator.
What does "my credentials have been compromised" mean?
When your credentials have been compromised, it means someone other than you may be in possession of your account information, such as your username and/or password. This can come to our attention in a number of ways. You might identify activity on your account that was not initiated by one of your authorised end users or our security monitoring might pick up activity on your account from an unusual Internet protocol (IP) address. We also partner with trusted third parties that monitor the Web and report to us when customer credentials have been found available on information sharing websites. Many of these sites are not typically accessible to the public, but rather may be part of the “Dark Web” that is frequented by hackers and bad actors looking to buy/sell stolen information.
How might my credentials get compromised?
While there is no way for Thomson Reuters to know exactly how customer credentials are compromised in any situation, most information is stolen through malware installed on a computer used to log in to Thomson Reuters solutions.
Is there anything else I can do to protect my credentials and data in the future?
While your IT department or trusted technology professional may have their own guidance, please consider the following:
- Install updated antivirus software on your computers and update your software when prompted to do so.
- Set your antivirus program to scan your computer immediately upon start-up and to run at all times, including a scan of all incoming emails.
- Don’t open unsolicited business emails or attachments that come from unfamiliar sources.
- Look closely at the URL address of a website. Malicious websites may look identical to a legitimate site, but the URL of the malicious site may use a slight variation in spelling or spacing to trick you.
- Manually type the URL address of a website rather than clicking a link. Typing in the accurate URL is a simple way to negate a host of attacks.