Email-based TOTP login method, now generally available!
Update as of July 1, 2024: The email-based TOTP (time-based one-time passcode) login method is now generally available. Please read the community post below for more details.
Hi Community,
Studies have consistently highlighted the vulnerabilities of password-based systems, including susceptibility to brute force attacks, phishing, and password theft. Such risks not only jeopardize data integrity but can lead to severe repercussions.
As part of our ongoing commitment to enhance the security of our platform, we decided to introduce a more secure email-based TOTP (time-based one-time passcode) login method. This dynamic, passcode-based login method will significantly reduce the risk of unauthorized access, ensuring a safer experience for our customers.
Our rollout plan involves two key phases:
- Introduction of email-based TOTP: In July 2024, we will launch the email TOTP login method (now generally available).
- Deprecation of traditional password-based login: Following thorough testing and user feedback, we aim to retire the traditional password-based login method later this year. We'll provide ample advanced notice when we finalize the timeframe for the deprecation.
Benefits of email-based TOTP:
- Dynamic authentication: Email TOTP introduces time-sensitive login codes, mitigating the risks associated with static passwords.
- Enhanced security: It ensures that former employees can't retain access to organizational assets post-departure.
- Compliance support: This is ideal for organizations with stringent password policies and multi-factor authentication (MFA) requirements.
Guidance for System Administrators:
- Availability: Email TOTP will be available to all users on all plan types in the web application in phase 1 and in the mobile app by phase 2. However, its activation status will be subject to your configured login policies in the Admin Center.
- Administrative control: You have the autonomy to enable or disable this method within the Admin Center.
- Email configuration: Collaborate with your IT teams or email service provider to always allow the system@system.smartsheet.com domain to prevent TOTP emails from being blocked or marked as spam.
Check out our help articles to learn more about the email-based TOTP login method, or review some helpful troubleshooting tips.
You can also stay informed by subscribing to receive product release updates for curated news of recently released product capabilities and enhancements for the platform of your choosing, delivered to your inbox. As new releases occur, you will receive a weekly email with news of what's released every Tuesday.
Cheers,
The Smartsheet Product team
Best Answer
-
Update [June 6, 2024]:
Hello Smartsheet Community,
We were preparing to release the email TOTP feature this afternoon, however, we discovered a bug that impacted users logging into Smartsheet via their personal account and corporate credentials on the same browser. Therefore, we have decided to delay the launch of the email TOTP login method until we can resolve this issue. We thank you for your continued patience as we strive to deliver this new login experience.
Best regards,
The Smartsheet Product Team
Answers
-
This won't change single sign on logins, correct?
Otherwise love the new capability.
-
No, email TOTP will not change SSO logins, this will just be an additional login option.
-
Why not offer 2FA in addition to password-based authentication? I wouldn't really consider TOTP by itself to be two-factor per se, since the only factor is your email (open to being corrected here).
For users who utilize strong password hygiene by way of a password-manager, this is kind of a step backwards unless you have SSO, yes?
-
If Smartsheet truly cared about security they would have made their SAML-based SSO available on all plan instead of just on their Enterprise plan. Security shouldn't be a tax.
-
Will all my users now need to go through a long-winded login process every time they open the app or web site?
-
It would be nice to be able to use a Yubikey or other FIDO/U2F device instead of having to use email for authentication.
-
Will the communication emails also go to SSO users? If so this will be very confusing, Please confirm either way. Thanks
Simon
-
Hi,
when reading this i wonder why you would choose this more complex way of login? Sending an e-mail for someting we use allot for collaboration and having to login with a code via e-mail is far from userfriendly. Please reconsider this as it will hurt our usage of this tool when most of the teammembers want to avoid any extra step to login, it is simply not userfriendly and takes more time. a 2FA app on a phone is faster with a popup then e-mail.
-
From a user experience perspective, email has to be the worst 2FA method available. If you want to offer 2FA options, so do, but authentication apps or text messaging would both be better options than routing an email through corporate channels where they will be delayed, quarantined, or rejected outright. The additional step of removing password authentication as an option simply shows a disregard for your customers; make improvements available, don't mandate your customers workflow.
-
I echo my peer's statements above. This new approach is far from user friendly, and I am not looking forward to the mutiny I will have on my hands in the coming months if this goes into effect. I would agree with others that a 2FA using authenticator app would be quicker and a bit easier to enforce on my users. I also agree with @Hopper, "security shouldn't be a tax."
I couldn't have phrased it better than @Grendyl , "The additional step of removing password authentication as an option simply shows a disregard for your customers; make improvements available, don't mandate your customers workflow."
We are a mid-size manufacturing company who utilize alias emails as opposed to full MS licenses for our shop floor users that need to interact with and utilize Smartsheet. As a business plan member who seemingly will not be able to toggle this option, I am not really sure what the next step for my organization is and I beg you to go back to the drawing board and come up with more adaptable solutions that serve all of you customers best interests @Lekshmi Unnithan.
-
@Simon Cowx there was a form to opt out of the email communication.
-
I also agree 1000% with my peers above and would have said pretty much what @TJohnson did including the mentions from others. This would be disastrous in our organization possibly to the point I would be asked to find another solution.
This seems like a penalty for all to enforce security for others that have perhaps poor password maintenance. I do understand also that some customers may have very sensitive information in Smartsheet but others in a breach theft of the content in Smartsheet may not be a big deal.
Being a M365 shop we are using the account linking option (Sign in with Microsoft button) so users only have their one password to remember. The linked Smartsheet password was a strong password they made but never use.
The email we received indicated only Enterprise users could disable this. If this goes through it would only be fair to allow all to disable it and allow the current functionality. You could even have a disclaimer shielding yourself in case of a breach and a company opted out of 2FA.
And in the case you implement this as is, email only authentication is the worst thing you can do. I don't know any other company that does 2FA that restricts to emails. Almost everyone I've seen gives you a choice between email and SMS. Too many issues with email and speed of delivery that will kill productivity of your customers. Allowing all 3 methods of 2FA (app, text, email) would be the best way to implemented this if it is required.
Please think this through further.
-
How will this affect interaction with apps such as Zapier or Zendesk?
I don't see the issue with this being an option but I think taking away password login completely is a mistake. The client should decide how to verify the login process imo.
We also have several users who share logins for various tasks and this would create a massive headache.
-
I agree with some of the previous comments - please consider any kind of phone app/text authentication process vs. email verification. This is going to be very clumsy and hurt workflow, which is contrary to the whole purpose of SmartSheet. Email authentication is just an undesirable option.
-
We use "Sign in with Google", which allows all of our users to take advantage of all of the security features we have enabled with Google, including two-factor authentication via mobile #, an authenticator app, a Yubikey or other FIDO/U2F device, etc.
Will this option be removed?
