Preparing for a Password-Free Future in Smartsheet: Share Your Feedback!

Pawan Shukla (Employee), edited 03/17/25 in Product Announcements

As part of our ongoing commitment to security and authentication best practices, we are preparing to deprecate password-based login for Smartsheet accounts. Our goal is to transition to more secure authentication methods, such as email-based Time-Based One-Time Passwords (TOTP) and eventually full two-factor authentication (2FA) for non-SSO user logins.

We know this is a significant change, and we want to ensure a smooth transition for all our customers. That’s why we’re restarting our customer communication and gathering feedback on various scenarios where password deprecation may introduce challenges.

Here are a few key customer challenges we’re addressing:

  • Service Accounts: Many customers currently use service accounts authenticated via email/password for API integrations. As a security best practice for API authentication, we propose that relevant customers authenticate to the API via user access tokens. In the future, we plan to introduce dedicated service accounts. For help, please refer to this community post.
  • Business Plan OTP Restrictions: Some customers use shared laptops or share Smartsheet accounts at events. To maintain your access while ensuring ample security protections, we recommend leveraging external collaboration features instead of sharing the same Smartsheet account. When assets are shared with these external users, they will create individual Smartsheet accounts enabling them to access the shared assets as external collaborators.
  • Accounts Without Associated Mailboxes: If your organization has Smartsheet accounts registered to emails without mailboxes, our recommendation is to update those emails to active mailbox accounts or use alternative authentication methods.

We understand that every organization has unique workflows, and we want to hear from you! Please share your thoughts, concerns, and any additional scenarios we should consider in the comments below. Your feedback will help us refine our approach and ensure we provide the best possible transition strategy.

Our rough target timeline for password deprecation is early H2 2025. Now is the time to engage, so let us know what you think!

👉 Join the conversation and let us know how this change impacts you!
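The service-account bullet above recommends moving API integrations from email/password to a user access token. As an added illustration (not code from Smartsheet or from this post), here is a minimal client that does that: the token comes from the environment rather than from a password stored in the integration, it is sent as a bearer token, it is never written to logs or error messages in full, and a 401 (what an integration sees when the token is revoked or its owning user is deactivated) is surfaced as a clear error instead of a generic failure. The base URL and `Authorization: Bearer` header are those of the Smartsheet REST API 2.0 and are not stated on this page; the environment variable name and the fake rejecting opener are assumptions for the example.

```python
import json
import os
import urllib.error
import urllib.request

# Assumed (not stated on this page): Smartsheet REST API 2.0 base URL and
# bearer-token authorization header, as documented for the public API.
API_BASE = "https://api.smartsheet.com/2.0"
TOKEN_ENV = "SMARTSHEET_ACCESS_TOKEN"  # hypothetical variable name for this example


def load_token(env=os.environ):
    """Read the access token from the environment; never embed it in code or committed config."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(
            f"{TOKEN_ENV} is not set; generate a user access token in Smartsheet and export it"
        )
    return token


def redact(token):
    """Keep only the last four characters so a token can appear in logs without leaking."""
    return "****" + token[-4:] if len(token) > 4 else "****"


def build_request(path, token, method="GET", body=None):
    """Build the HTTP request: bearer token in the header, JSON body if any."""
    url = API_BASE + "/" + path.lstrip("/")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def call(path, token, method="GET", body=None, opener=urllib.request.urlopen):
    """Send the request and decode JSON; turn a 401 into an explicit, token-redacting error."""
    req = build_request(path, token, method, body)
    try:
        with opener(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 401:
            raise PermissionError(
                f"token {redact(token)} rejected (401): revoked, expired, "
                "or the user who owns it was deactivated"
            ) from e
        raise


def _rejecting_opener(req, timeout=None):
    """Constructed stand-in for urlopen that behaves like a revoked token (HTTP 401)."""
    raise urllib.error.HTTPError(req.get_full_url(), 401, "Unauthorized", {}, None)


def rejected_token_is_reported(token="constructed-revoked-token"):
    """Exercise the 401 path offline: the error must name the redacted token, never the full one."""
    try:
        call("/users/me", token, opener=_rejecting_opener)
    except PermissionError as e:
        return redact(token) in str(e) and token not in str(e)
    return False


if __name__ == "__main__":
    # Live usage: export the token, then fetch the calling user's profile.
    print(call("/users/me", load_token()))
```

Because the token is tied to the user who generated it, an integration built this way stops working the moment that user is deactivated; treat the token owner as part of the integration's handover checklist until dedicated service accounts exist.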

Comments

  • eliweitz ✭✭✭✭✭

    This sounds good!

    My only ask is that you iron out the service account solution BEFORE removing standard authentication, as it would potentially break solutions that still require it but cannot use access tokens (for example: Microsoft Power BI integrations).

    As well, would love the ability to utilize a separate code-generating application, like Duo or Microsoft Authenticator rather than using Email OTPs across the board.

  • Scott Peters (Community Champion)

    @Pawan Shukla - Can you please describe how this would work for new users signing up for a Smartsheet Account? In that moment, the user is not part of an organization's SSO (yet). Would they only have the option to use TOTP, and never set a password?

  • Samuel Mueller (Overachievers)

    If an email account is compromised, doesn't this ensure that the Smartsheet account is also compromised? What are your recommendations for this?

    For API keys: can you implement a process to transfer API keys when you deactivate a user? User-based API accounts prevent continuity of business processes with turnover. Or can you elaborate on best practices around business process continuity in these situations?

  • If it is anything similar to not being able to sign in with your email and password, then I say no go. Being forced to go to my group email address to find the code is causing delays in my workflow.

  • Hi @eliweitz,

    Thanks for your response! We recommend using OAuth-based connections for external apps instead of password-based connections. Power BI can securely connect to Smartsheet via OAuth. Here’s the guide on how to set that up https://learn.microsoft.com/en-us/power-bi/connect-data/service-connect-to-smartsheet.

    Additionally, we’re planning to introduce a second factor of authentication for non-SSO users. We're still exploring options like authenticator apps or push notifications via the Smartsheet app. This second factor will be configurable by system admins for their Smartsheet instance.

    Let me know if you have any questions!

  • Hi @Scott Peters

    Once password-based login is deprecated, new users won’t create a password during sign-up.

    • If domain-level SSO is enabled for their email domain, they’ll use that SSO from their first login.
    • If not, they’ll log in using email-based OTP to complete their first login. In the case of plan-level SSO, they will use the plan-level SSO once they are added to the plan by the plan's system admin.

  • Hi @Samuel Mueller,

    We recommend SSO as the preferred login method for maximum security and ease of use. Email-based OTP is intended as a backup option—the least preferred—but necessary for users without SSO access.

    That said, if a user’s email is compromised, it presents a much larger risk beyond Smartsheet, potentially exposing access to multiple platforms and sensitive data. Email security is outside Smartsheet’s control and depends on the user and their email provider.

    It’s also important to know that many leading SaaS platforms, including Salesforce, use email-based codes for authentication—making it a widely accepted industry standard. Email-based OTP provides a good balance of security and accessibility when other login methods aren’t available.

    We’re also continuing to explore stronger authentication options for non-SSO users to further enhance security.

  • Thanks @Katlyn Gossett, you mentioned workflow. Can you please share the use case you are referring to with the workflow?