Email-based TOTP login method, now generally available!

Lekshmi Unnithan
Lekshmi Unnithan Employee
edited 07/01/24 in Product Announcements

Update as of July 1, 2024: The email-based TOTP (time-based one-time passcode) login method is now generally available. Please read the community post below for more details. 

Hi Community, 

Studies have consistently highlighted the vulnerabilities of password-based systems, including susceptibility to brute force attacks, phishing, and password theft. Such risks not only jeopardize data integrity but can lead to severe repercussions. 

As part of our ongoing commitment to enhance the security of our platform, we decided to introduce a more secure email-based TOTP (time-based one-time passcode) login method. This dynamic, passcode-based login method will significantly reduce the risk of unauthorized access, ensuring a safer experience for our customers.

Our rollout plan involves two key phases:

  1. Introduction of email-based TOTP: In July 2024, we will launch the email TOTP login method (now generally available).
  2. Deprecation of traditional password-based login: Following thorough testing and user feedback, we aim to retire the traditional password-based login method later this year. We'll provide ample advanced notice when we finalize the timeframe for the deprecation.

Benefits of email-based TOTP:

  • Dynamic authentication: Email TOTP introduces time-sensitive login codes, mitigating the risks associated with static passwords.
  • Enhanced security: It ensures that former employees can't retain access to organizational assets post-departure.
  • Compliance support: This is ideal for organizations with stringent password policies and multi-factor authentication (MFA) requirements.

Guidance for System Administrators:

  • Availability: Email TOTP will be available to all users on all plan types in the web application in phase 1 and in the mobile app by phase 2. However, its activation status will be subject to your configured login policies in the Admin Center.
  • Administrative control: You have the autonomy to enable or disable this method within the Admin Center.
  • Email configuration: Collaborate with your IT teams or email service provider to always allow the domain to prevent TOTP emails from being blocked or marked as spam.

Check out our help articles to learn more about the email-based TOTP login method, or review some helpful troubleshooting tips.

You can also stay informed by subscribing to receive product release updates for curated news of recently released product capabilities and enhancements for the platform of your choosing, delivered to your inbox. As new releases occur, you will receive a weekly email with news of what's released every Tuesday. 


The Smartsheet Product team

Best Answer

  • Lekshmi Unnithan
    Lekshmi Unnithan Employee
    Answer ✓

    Update [June 6, 2024]:

    Hello Smartsheet Community,

    We were preparing to release the email TOTP feature this afternoon, however, we discovered a bug that impacted users logging into Smartsheet via their personal account and corporate credentials on the same browser. Therefore, we have decided to delay the launch of the email TOTP login method until we can resolve this issue. We thank you for your continued patience as we strive to deliver this new login experience.

    Best regards,

    The Smartsheet Product Team



  • Samuel Mueller
    Samuel Mueller Overachievers

    This won't change single sign on logins, correct?

    Otherwise love the new capability.

    HTQIHC ✭✭

    Why not offer 2FA in addition to password-based authentication? I wouldn't really consider TOTP by itself to be two-factor per se, since the only factor is your email (open to being corrected here).

    For users who utilize strong password hygiene by way of a password-manager, this is kind of a step backwards unless you have SSO, yes?

  • jbquotient

    It would be nice to be able to use a Yubikey or other FIDO/U2F device instead of having to use email for authentication.

  • Simon Cowx
    Simon Cowx ✭✭✭✭✭

    Will the communication emails also go to SSO users? If so this will be very confusing, Please confirm either way. Thanks


  • Samuel Mueller
    Samuel Mueller Overachievers

    @Simon Cowx there was a form to opt out of the email communication.

  • Krambo
    Krambo ✭✭
    edited 03/12/24

    How will this affect interaction with apps such as Zapier or Zendesk?

    I don't see the issue with this being an option but I think taking away password login completely is a mistake. The client should decide how to verify the login process imo.

    We also have several users who share logins for various tasks and this would create a massive headache.

  • BYoung

    I agree with some of the previous comments - please consider any kind of phone app/text authentication process vs. email verification. This is going to be very clumsy and hurt workflow, which is contrary to the whole purpose of SmartSheet. Email authentication is just an undesirable option.

  • Chris McLaughlin

    We use "Sign in with Google", which allows all of our users to take advantage of all of the security features we have enabled with Google, including two-factor authentication via mobile #, an authenticator app, a Yubikey or other FIDO/U2F device, etc.

    Will this option be removed?