Email-based TOTP login method, now generally available!

Update as of July 1, 2024: The email-based TOTP (time-based one-time passcode) login method is now generally available. Please read the community post below for more details.

Hi Community,

Studies have consistently highlighted the vulnerabilities of password-based systems, including susceptibility to brute force attacks, phishing, and password theft. Such risks not only jeopardize data integrity but can lead to severe repercussions.

As part of our ongoing commitment to enhance the security of our platform, we decided to introduce a more secure email-based TOTP (time-based one-time passcode) login method. This dynamic, passcode-based login method will significantly reduce the risk of unauthorized access, ensuring a safer experience for our customers.

Our rollout plan involves two key phases:

Introduction of email-based TOTP: In July 2024, we will launch the email TOTP login method (now generally available).
Deprecation of traditional password-based login: Following thorough testing and user feedback, we aim to retire the traditional password-based login method later this year. We'll provide ample advanced notice when we finalize the timeframe for the deprecation.

Benefits of email-based TOTP:

Dynamic authentication: Email TOTP introduces time-sensitive login codes, mitigating the risks associated with static passwords.
Enhanced security: It ensures that former employees can't retain access to organizational assets post-departure.
Compliance support: This is ideal for organizations with stringent password policies and multi-factor authentication (MFA) requirements.

Guidance for System Administrators:

Availability: Email TOTP will be available to all users on all plan types in the web application in phase 1 and in the mobile app by phase 2. However, its activation status will be subject to your configured login policies in the Admin Center.
Administrative control: You have the autonomy to enable or disable this method within the Admin Center.
Email configuration: Collaborate with your IT teams or email service provider to always allow the system@system.smartsheet.com domain to prevent TOTP emails from being blocked or marked as spam.

Check out our help articles to learn more about the email-based TOTP login method, or review some helpful troubleshooting tips.

You can also stay informed by subscribing to receive product release updates for curated news of recently released product capabilities and enhancements for the platform of your choosing, delivered to your inbox. As new releases occur, you will receive a weekly email with news of what's released every Tuesday.

Cheers,

The Smartsheet Product team

Find more posts tagged with

Accepted answers

Lekshmi Unnithan

Update [June 6, 2024]:

Hello Smartsheet Community,

We were preparing to release the email TOTP feature this afternoon, however, we discovered a bug that impacted users logging into Smartsheet via their personal account and corporate credentials on the same browser. Therefore, we have decided to delay the launch of the email TOTP login method until we can resolve this issue. We thank you for your continued patience as we strive to deliver this new login experience.

Best regards,

The Smartsheet Product Team

All comments

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/424871#Comment_424871

Hi Muhib - Thanks for your feedback. The launch of TOTP will not affect the existing password-based login fallback option. In the future, as we move towards deprecating password-based login, we plan to transition from a password-based to an email-based TOTP fallback mechanism.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/424585#Comment_424585

Hi Mike - The Smartsheet web login session expires after 19 hours of inactivity. If the user uses Smartsheet before the 19 hours are up, then they will not need to login to Smartsheet for another 19 hours. The switch to email-based TOTP login for Smartsheet enhances security by generating temporary codes, making it tougher for attackers compared to static passwords. It reduces phishing risks and eliminates password fatigue by removing the need for users to remember another password. Additionally, it aids in compliance with stricter security protocols and simplifies account recovery, offering a secure and user-friendly login experience.

Lekshmi Unnithan

Hi @HTQIHC, @jbquotient, and @BYoung - We truly appreciate your feedback. Please know that our Product and Engineering teams are taking a thoughtful and gradual approach to enhancing login security. Our foremost concern is ensuring that our customers have a more secure login experience than the traditional password based login, which is why we're initially implementing an email-based TOTP option. Rest assured, we're actively exploring additional MFA options, and we may incorporate them into our roadmap as we move forward. That said, I have shared your feedback with our Product and Engineering teams for their consideration.

Lekshmi Unnithan

Hi @Jeroen D and @Grendyl - Thank you for sharing your concerns about the email-based TOTP login feature. We chose this method to enhance security for all users and ensure everyone can easily have access to it without needing extra devices or apps. We understand it might seem less convenient compared to authenticator apps, but we're aiming for a balance between security and user-friendliness. Your feedback is crucial, and we're exploring more login options, including authenticator apps, for future updates to improve the login experience. We appreciate your patience as we work to make Smartsheet even more secure and accessible.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/424704#Comment_424704

Hi @TJohnson - Thank you for taking the time to share your thoughts and concerns with us. We truly value the feedback from our user community, especially as it pertains to significant changes like password deprecation. I want to assure you that we have not yet finalized the exact date for deprecating the password based login. Your input, along with that from others in our community, is crucial as we navigate these changes and consider the best path forward.

We understand the importance of balancing security enhancements with usability and the impact such changes can have on diverse workflows, particularly in settings like yours where unique email setups are in place. Our goal is not to disrupt but to enhance and secure the way you work with Smartsheet.

Please know that we are actively exploring additional authentication options, including the use of authenticator apps, to provide a more flexible and user-friendly security approach. Your specific concerns, particularly about the potential impact on your team and the need for adaptable solutions, are being taken into consideration as we plan the next steps.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/424725#Comment_424725

Hi @Steve_Mitchell - We truly appreciate your feedback. Please know that our Product and Engineering teams are taking a thoughtful and gradual approach to enhancing login security. Our foremost concern is ensuring that our customers have a more secure login experience than the traditional password based login, which is why we're initially implementing an email-based TOTP option. Rest assured, we're actively exploring additional MFA options, and we may incorporate them into our roadmap as we move forward. That said, I have shared your feedback with our Product and Engineering teams for their consideration. Also, any existing “Sign in with Google/Azure/Apple” authentication flows will not be changed. Email-based TOTP will be an additional login option when it releases. I want to assure you that we have not yet finalized the exact date for deprecating the password based login. Your input, along with that from others in our community, is crucial as we navigate these changes and consider the best path forward.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/425076#Comment_425076

Hi @DPerry - There is no change to current session validation duration. It will remain as it is today. Smartsheet login session validity does not vary by login method.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/424732#Comment_424732

Hi @Krambo - Can you provide us some more information about how you’re using the Zapier or Zendesk integrations? Are you using API tokens or doing any UI automation?

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/424751#Comment_424751

@Michael Chohrach - Thanks for your feedback. The launch of TOTP will not affect the existing password-based login fallback option. In the future, as we move towards deprecating password-based login, we plan to transition from a password-based to an email-based TOTP fallback mechanism.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/424873#Comment_424873

Hi @Michael Chohrach - This change will only impact logins through the user interface (UI) and will not influence API login tokens. After we deprecate password based login in future, any accounts used to generate login tokens will need to use alternative login methods, other than passwords, via the web to create new API tokens.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/424981#Comment_424981

Hi @Dan Britton - We are following up with the Product and Engineering teams about this. In the meantime, if you have any further details you can share, that would be very helpful.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/425164#Comment_425164

@Mike Babinec - Future communications about this will essentially go out to anyone that has a Smartsheet login with a few exceptions. If an Enterprise plan has disabled email and password based login, then email-based TOTP will not be automatically enabled for its users when the feature is released. To avoid confusion, we will exclude such users from receiving further communications about email-based TOTP. SysAdmins of these plans still have the option to enable email TOTP at a later time. In such cases, the SysAdmin will be responsible for alerting end users about the new email TOTP option. We will also exclude users in domains highlighted to us by SysAdmins via the exclusion form.

Lekshmi Unnithan

https://community.smartsheet.com/discussion/comment/425280#Comment_425280

Hi Stefan-

Regarding SysAdmin fallback login: The launch of TOTP will not affect the existing password-based login fallback option. In the future, as we move towards deprecating password-based login, we plan to transition from a password-based to an email-based TOTP fallback mechanism.
Why we're not supporting FIDO/U2F at the moment: Our Product and Engineering teams are taking a thoughtful and gradual approach to enhancing login security. Our foremost concern is ensuring that our customers have a more secure login experience than the traditional password based login, which is why we're initially implementing an email-based TOTP option. Rest assured, we're actively exploring additional MFA options, and we may incorporate them into our roadmap as we move forward.
Regarding accounts used for API connections: This change will only impact logins through the user interface (UI) and will not influence API login tokens. After we deprecate password based login in future, any accounts used to generate login tokens will need to use alternative login methods, other than passwords, via the web to create new API tokens.

Stefan

https://community.smartsheet.com/discussion/comment/426021#Comment_426021

Hi @Lekshmi Unnithan,

thanks for taking the time to answer to all those concerns and questions 🙏

Very much appreciated.

Stefan

Mike1234

Thank you for the response. Even though I do appreciate the option for improved security, most of my team are occasional users and will be very resistant to go through this process a couple of times per week. It is just not user friendly. I echo the comments made by many above. I will likely be asked to find another solution. Very unfortunate.

Sign in to join the conversation!

Quick Links

Component react.discussion.discussions had an error.

ref must be one of: categoryID, siteSectionID, category, category/categoryID, category/name, category/description, category/url, category/allowedDiscussionTypes, locale, siteSection, siteSection/basePath, siteSection/contentLocale, siteSection/sectionGroup, siteSection/sectionID, siteSection/name, siteSection/description, siteSection/apps, siteSection/attributes, layoutViewType, discussionID, commentID, page, sort, discussion, discussion/name, tags, breadcrumbs, discussionApiParams, serverDraftID, serverDraft.