Be aware of upcoming changes to your Smartsheet login options

Hi Community, 

Studies have consistently highlighted the vulnerabilities of password-based systems, including susceptibility to brute force attacks, phishing, and password theft. Such risks not only jeopardize data integrity but can lead to severe repercussions. 

As a part of our ongoing commitment to enhancing the security of our platform, we’ve made the decision to introduce a more secure email-based TOTP (time-based one-time passcode) login method by the end of April 2024. This dynamic, passcode-based login method will significantly reduce the risk of unauthorized access, ensuring a safer experience for our customers.

Our rollout plan involves two key phases:

  1. Introduction of email-based TOTP: In late April 2024, users will have the option to leverage this secure authentication method.
  2. Deprecation of traditional password-based login: Following thorough testing and user feedback, we aim to retire the traditional password-based login method, anytime on or after June 1, 2024.

Benefits of email-based TOTP:

  • Dynamic authentication: Email TOTP introduces time-sensitive login codes, mitigating the risks associated with static passwords.
  • Enhanced security: It ensures that former employees can't retain access to organizational assets post-departure.
  • Compliance support: This is ideal for organizations with stringent password policies and multi-factor authentication (MFA) requirements.

Guidance for System Administrators:

  • Availability: Email TOTP will be available to all users on all plan types in the web application in phase 1 and in the mobile app by phase 2. However, its activation status will be subject to your configured login policies in the Admin Center.
  • Administrative control: You have the autonomy to enable or disable this method within the Admin Center.
  • Email configuration: Collaborate with your IT teams or email service provider to always allow the domain and prevent TOTP emails from being blocked or marked as spam.

For detailed insights into Email TOTP, best practices for email delivery, and our deprecation strategy for password-based login, refer to this help article

We're committed to transparent communication. Starting mid-March, we'll notify all end-users via email and in-app bulletins about these upcoming changes. If you are a System Administrator and wish to exempt your organization's Smartsheet users from our communications, kindly fill out this form, and we'll provide you with sample emails for internal distribution.

You can also stay informed by subscribing to receive product release updates for curated news of recently released product capabilities and enhancements for the platform of your choosing, delivered to your inbox. As new releases occur, you will receive a weekly email with news of what's released every Tuesday. 

Best regards,

The Smartsheet Product Team



  • Samuel Mueller
    Samuel Mueller Overachievers

    This won't change single sign on logins, correct?

    Otherwise love the new capability.

    HTQIHC ✭✭

    Why not offer 2FA in addition to password-based authentication? I wouldn't really consider TOTP by itself to be two-factor per se, since the only factor is your email (open to being corrected here).

    For users who utilize strong password hygiene by way of a password-manager, this is kind of a step backwards unless you have SSO, yes?

  • If Smartsheet truly cared about security they would have made their SAML-based SSO available on all plan instead of just on their Enterprise plan. Security shouldn't be a tax.

  • Will all my users now need to go through a long-winded login process every time they open the app or web site?

  • It would be nice to be able to use a Yubikey or other FIDO/U2F device instead of having to use email for authentication.

  • Simon Cowx
    Simon Cowx ✭✭✭✭✭

    Will the communication emails also go to SSO users? If so this will be very confusing, Please confirm either way. Thanks


  • Grendyl
    Grendyl ✭✭

    From a user experience perspective, email has to be the worst 2FA method available. If you want to offer 2FA options, so do, but authentication apps or text messaging would both be better options than routing an email through corporate channels where they will be delayed, quarantined, or rejected outright. The additional step of removing password authentication as an option simply shows a disregard for your customers; make improvements available, don't mandate your customers workflow.

  • TJohnson
    TJohnson ✭✭✭

    I echo my peer's statements above. This new approach is far from user friendly, and I am not looking forward to the mutiny I will have on my hands in the coming months if this goes into effect. I would agree with others that a 2FA using authenticator app would be quicker and a bit easier to enforce on my users. I also agree with @Hopper, "security shouldn't be a tax."

    I couldn't have phrased it better than @Grendyl , "The additional step of removing password authentication as an option simply shows a disregard for your customers; make improvements available, don't mandate your customers workflow."

    We are a mid-size manufacturing company who utilize alias emails as opposed to full MS licenses for our shop floor users that need to interact with and utilize Smartsheet. As a business plan member who seemingly will not be able to toggle this option, I am not really sure what the next step for my organization is and I beg you to go back to the drawing board and come up with more adaptable solutions that serve all of you customers best interests @Lekshmi Unnithan.

  • Samuel Mueller
    Samuel Mueller Overachievers

    @Simon Cowx there was a form to opt out of the email communication.

  • Steve_Mitchell
    Steve_Mitchell ✭✭✭✭

    I also agree 1000% with my peers above and would have said pretty much what @TJohnson did including the mentions from others. This would be disastrous in our organization possibly to the point I would be asked to find another solution.

    This seems like a penalty for all to enforce security for others that have perhaps poor password maintenance. I do understand also that some customers may have very sensitive information in Smartsheet but others in a breach theft of the content in Smartsheet may not be a big deal.

    Being a M365 shop we are using the account linking option (Sign in with Microsoft button) so users only have their one password to remember. The linked Smartsheet password was a strong password they made but never use.

    The email we received indicated only Enterprise users could disable this. If this goes through it would only be fair to allow all to disable it and allow the current functionality. You could even have a disclaimer shielding yourself in case of a breach and a company opted out of 2FA.

    And in the case you implement this as is, email only authentication is the worst thing you can do. I don't know any other company that does 2FA that restricts to emails. Almost everyone I've seen gives you a choice between email and SMS. Too many issues with email and speed of delivery that will kill productivity of your customers. Allowing all 3 methods of 2FA (app, text, email) would be the best way to implemented this if it is required.

    Please think this through further.

  • Krambo
    Krambo ✭✭
    edited 03/12/24

    How will this affect interaction with apps such as Zapier or Zendesk?

    I don't see the issue with this being an option but I think taking away password login completely is a mistake. The client should decide how to verify the login process imo.

    We also have several users who share logins for various tasks and this would create a massive headache.

  • I agree with some of the previous comments - please consider any kind of phone app/text authentication process vs. email verification. This is going to be very clumsy and hurt workflow, which is contrary to the whole purpose of SmartSheet. Email authentication is just an undesirable option.

  • We use "Sign in with Google", which allows all of our users to take advantage of all of the security features we have enabled with Google, including two-factor authentication via mobile #, an authenticator app, a Yubikey or other FIDO/U2F device, etc.

    Will this option be removed?