Email-based TOTP login method, now generally available!


Answers

  • Hi Muhib - Thanks for your feedback. The launch of TOTP will not affect the existing password-based login fallback option. In the future, as we move towards deprecating password-based login, we plan to transition from a password-based to an email-based TOTP fallback mechanism.

  • Hi Mike - The Smartsheet web login session expires after 19 hours of inactivity. If the user uses Smartsheet before the 19 hours are up, then they will not need to log in to Smartsheet for another 19 hours. The switch to email-based TOTP login for Smartsheet enhances security by generating temporary codes, making it tougher for attackers compared to static passwords. It reduces phishing risks and eliminates password fatigue by removing the need for users to remember another password. Additionally, it aids in compliance with stricter security protocols and simplifies account recovery, offering a secure and user-friendly login experience.

  • Hi @HTQIHC, @jbquotient, and @BYoung - We truly appreciate your feedback. Please know that our Product and Engineering teams are taking a thoughtful and gradual approach to enhancing login security. Our foremost concern is ensuring that our customers have a more secure login experience than the traditional password-based login, which is why we're initially implementing an email-based TOTP option. Rest assured, we're actively exploring additional MFA options, and we may incorporate them into our roadmap as we move forward. That said, I have shared your feedback with our Product and Engineering teams for their consideration.

  • Hi @Jeroen D and @Grendyl - Thank you for sharing your concerns about the email-based TOTP login feature. We chose this method to enhance security for all users and ensure everyone can easily have access to it without needing extra devices or apps. We understand it might seem less convenient compared to authenticator apps, but we're aiming for a balance between security and user-friendliness. Your feedback is crucial, and we're exploring more login options, including authenticator apps, for future updates to improve the login experience. We appreciate your patience as we work to make Smartsheet even more secure and accessible.

  • Hi @TJohnson - Thank you for taking the time to share your thoughts and concerns with us. We truly value the feedback from our user community, especially as it pertains to significant changes like password deprecation. I want to assure you that we have not yet finalized the exact date for deprecating the password-based login. Your input, along with that from others in our community, is crucial as we navigate these changes and consider the best path forward.

    We understand the importance of balancing security enhancements with usability and the impact such changes can have on diverse workflows, particularly in settings like yours where unique email setups are in place. Our goal is not to disrupt but to enhance and secure the way you work with Smartsheet.

    Please know that we are actively exploring additional authentication options, including the use of authenticator apps, to provide a more flexible and user-friendly security approach. Your specific concerns, particularly about the potential impact on your team and the need for adaptable solutions, are being taken into consideration as we plan the next steps.

  • Hi @Steve_Mitchell - We truly appreciate your feedback. Please know that our Product and Engineering teams are taking a thoughtful and gradual approach to enhancing login security. Our foremost concern is ensuring that our customers have a more secure login experience than the traditional password-based login, which is why we're initially implementing an email-based TOTP option. Rest assured, we're actively exploring additional MFA options, and we may incorporate them into our roadmap as we move forward. That said, I have shared your feedback with our Product and Engineering teams for their consideration. Also, any existing “Sign in with Google/Azure/Apple” authentication flows will not be changed. Email-based TOTP will be an additional login option when it releases. I want to assure you that we have not yet finalized the exact date for deprecating the password-based login. Your input, along with that from others in our community, is crucial as we navigate these changes and consider the best path forward.

  • Hi @DPerry - There is no change to current session validation duration. It will remain as it is today. Smartsheet login session validity does not vary by login method.

  • Hi @Krambo - Can you provide us some more information about how you’re using the Zapier or Zendesk integrations? Are you using API tokens or doing any UI automation?

  • @Michael Chohrach - Thanks for your feedback. The launch of TOTP will not affect the existing password-based login fallback option. In the future, as we move towards deprecating password-based login, we plan to transition from a password-based to an email-based TOTP fallback mechanism.

  • Hi @Michael Chohrach - This change will only impact logins through the user interface (UI) and will not influence API login tokens. After we deprecate password-based login in the future, any accounts used to generate login tokens will need to use alternative login methods, other than passwords, via the web to create new API tokens.

  • Hi @Dan Britton - We are following up with the Product and Engineering teams about this. In the meantime, if you have any further details you can share, that would be very helpful.

  • @Mike Babinec - Future communications about this will essentially go out to anyone that has a Smartsheet login with a few exceptions. If an Enterprise plan has disabled email and password based login, then email-based TOTP will not be automatically enabled for its users when the feature is released. To avoid confusion, we will exclude such users from receiving further communications about email-based TOTP. SysAdmins of these plans still have the option to enable email TOTP at a later time. In such cases, the SysAdmin will be responsible for alerting end users about the new email TOTP option. We will also exclude users in domains highlighted to us by SysAdmins via the exclusion form.

  • Hi Stefan -

    1. Regarding SysAdmin fallback login: The launch of TOTP will not affect the existing password-based login fallback option. In the future, as we move towards deprecating password-based login, we plan to transition from a password-based to an email-based TOTP fallback mechanism.
    2. Why we're not supporting FIDO/U2F at the moment: Our Product and Engineering teams are taking a thoughtful and gradual approach to enhancing login security. Our foremost concern is ensuring that our customers have a more secure login experience than the traditional password-based login, which is why we're initially implementing an email-based TOTP option. Rest assured, we're actively exploring additional MFA options, and we may incorporate them into our roadmap as we move forward.
    3. Regarding accounts used for API connections: This change will only impact logins through the user interface (UI) and will not influence API login tokens. After we deprecate password-based login in the future, any accounts used to generate login tokens will need to use alternative login methods, other than passwords, via the web to create new API tokens.
  • Stefan

    Hi @Lekshmi Unnithan,

    thanks for taking the time to answer all those concerns and questions 🙏

    Very much appreciated.

    Stefan

    Smartsheet Consulting, Solution Building, Training and Support.

    Projects for Processes and for People.

  • Thank you for the response. Even though I do appreciate the option for improved security, most of my team are occasional users and will be very resistant to going through this process a couple of times per week. It is just not user friendly. I echo the comments made by many above. I will likely be asked to find another solution. Very unfortunate.